Check Point’s 2025 Cyber Security Report finds that infostealers have become one of the most dominant cyber threats. Once a niche tool, these programs now play a central role in the cybercrime ecosystem. The report highlights a 58% rise in infostealer attacks during 2024, evidence of their expanding reach and impact on organizations worldwide.
Our own research at Twilight Cyber aligns with this: infostealer infections more than doubled from 2023 to 2024, a 115% increase. This surge reflects a changing cybercrime landscape, with new malware families overtaking older ones and attacks shifting to different regions.
Infostealer groups in 2024
Twilight Cyber’s latest 2024 data on machine infections shows that the most dominant infostealers have changed dramatically in just one year.
RedLine and META, the leading infostealers in 2023 (responsible for 57% and 27% of infections respectively), lost their dominance after the arrest of their operators, dropping to just 13% and 6% of infections in 2024.
In their place, LummaC2 surged from under 1% of infections in 2023 to 31% in 2024, becoming the most prevalent stealer. Other newer players, RisePro (19.9%) and Stealc (17.4%), have also steadily gained ground.

The Infostealer Ecosystem

Attackers no longer rely on established families like RedLine; newer malware families now dominate the infostealer market.
Infostealer logs, the batches of stolen credentials, browser cookies and authentication tokens exfiltrated from each infected machine, have become valuable commodities on underground marketplaces such as the Russian Market. Logs sell for as little as $10 each, giving buyers stolen passwords, still-valid session tokens and financial data. Because a valid session cookie represents a login that has already passed authentication, replaying it lets an attacker bypass multi-factor authentication (MFA) entirely and take over the account without ever entering a password or a second factor.
In 2024, newer infostealers such as LummaC2 and Stealc gained significant traction, overtaking RedLine, whose infection rate collapsed after the arrest of its operators. According to Check Point’s report, these malware families also cost more, with subscription prices reflecting their sophistication and demand:
- RedLine: ~$150 per month
- Stealc: ~$200 per month
- LummaC2: ~$250 per month
Historically, RedLine’s lower cost and wide availability made it the dominant infostealer. After the arrest of its operators, affiliates had to migrate to alternatives, allowing LummaC2 (31.1% of 2024 infections) and Stealc (17.4%) to gain ground despite their higher price tags.
These newer stealers offer enhanced evasion techniques, feature-rich capabilities, and better developer support, making them attractive despite their increased cost.
Shifting Geographies: How Infostealer Attacks Are Targeting New Regions

Infostealer infections aren’t just increasing – they’re also shifting geographically. Twilight Cyber’s 2024 data reveals a major transformation in the most affected regions, showing that cybercriminals are actively adjusting their focus to new markets.
2023: Brazil, Vietnam, and Egypt Were the Primary Targets
In 2023, the highest infection rates were observed in Brazil, Vietnam, and Egypt. These regions were frequently targeted due to:
- High rates of online banking and e-commerce activity, making stolen credentials valuable.
- A lack of widespread cybersecurity awareness and enforcement, allowing infections to spread.
- A large number of devices running outdated or unpatched software, increasing susceptibility to attacks.
The United States had relatively low infection numbers in 2023, indicating it was not a primary target at the time.
2024: India Overtakes Brazil
Twilight Cyber’s latest data shows a dramatic shift in attack geography in 2024.
- India experienced the most significant increase in infections, going from outside the top 10 in 2023 to the #1 most infected country in 2024.
- Brazil remained heavily targeted, with infections rising by over 40% compared to 2023.
- Indonesia, Pakistan, and the US saw major spikes in infections, signaling that attackers are expanding their focus beyond traditional targets.
- The US infection rate more than doubled, indicating that North American users and businesses are facing a growing risk from infostealer attacks.
Why Are Attackers Targeting These Regions?
The geographic shift in infostealer infections suggests that cybercriminals are strategically adapting their focus based on:
- New Market Opportunities – The rapid growth of digital banking and online transactions in India and Southeast Asia has made these regions attractive targets for cybercriminals seeking financial credentials.
- Varying Security Maturity – Countries with weaker cybersecurity infrastructure or lower enforcement (such as Pakistan and parts of Latin America) present easier entry points for malware campaigns.
- Shifts in Underground Market Demand – Stolen credentials are often sold in bulk on dark web markets. If demand for credentials from a particular country increases, attackers shift their focus accordingly.
- US Businesses Becoming More Vulnerable – The rise in US infections suggests that attackers may be improving their ability to bypass Western security measures, making American users and corporations lucrative targets.
How Infostealers Are Distributed
Check Point’s research identifies several distribution methods for infostealers, including:
- Phishing Campaigns: Emails designed to deceive victims into downloading malware.
- Malvertising: Malicious advertisements redirecting users to infected websites.
- Fake Software: Counterfeit applications, including cryptocurrency services and AI tools, used as bait.
- Exploitation of Platforms: Abuse of platforms like GitHub to host malicious repositories, disguising infostealers as legitimate software.
These methods, detailed in the report, highlight the adaptability of cybercriminals in ensuring infostealers reach their targets.
From Logs to Breaches
Check Point’s report explains how data extracted by infostealers often serves as the starting point for larger attacks. Logs frequently contain credentials for corporate accounts, session tokens and other data that give attackers immediate access to sensitive resources. Once inside a network, attackers can escalate their operations, deploying ransomware or extracting more data.
According to Check Point, this shift signifies a move from opportunistic attacks to coordinated campaigns designed to maximize the value of stolen data. Infostealers are no longer just tools for credential theft; they are a key component in multi-stage attacks compromising organizational security.
The Role of Affiliates
In the malware-as-a-service (MaaS) model described in the report, developers build and maintain the infostealers while affiliates handle distribution. Affiliates’ efforts have led to new infection techniques, such as:
- Fake CAPTCHA Pages: Tricking users into downloading malware disguised as security checks.
- Malicious Google Ads: Redirecting users to counterfeit download sites.
- Phishing Templates: Targeting specific groups with tailored fake websites and messages.
This division of labor has made the infostealer ecosystem highly effective and constantly evolving.
The Impact on Organizations
Check Point’s findings reveal the risks infostealers pose to individuals and businesses. Over 70% of infected devices are personal rather than corporate-managed, which makes Bring Your Own Device (BYOD) environments hard to defend: a personal device used to log in to corporate services holds corporate credentials and session cookies, and so becomes an entry point into the corporate network.
The report also emphasizes that session cookies and tokens are time-sensitive: they remain useful only until they expire or are revoked, so cybercriminals exploit them quickly, using advanced dashboards and automation to pick out high-value credentials in real time.
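The two points above, that a stolen cookie replays an already-authenticated session and that it is only useful while the server still honours it, suggest what a defender can check for. The following is an added example, not code from Check Point’s report or from Twilight Cyber: it binds each session to the ASN and user-agent seen at login and flags later requests on the same cookie that break that binding, or that arrive after the cookie should have expired. It assumes a hypothetical JSON-lines access log in which every authenticated request records the session identifier (sid), client IP, the IP’s ASN and the user-agent; in production the ASN would come from a GeoIP/ASN lookup at enrichment time, and here it is written into the constructed sample events so the demo runs offline.

```python
"""Flag replay of stolen session cookies in web-application access logs.

Added example, not code from the report or any vendor product. The log format,
field names and sample events below are assumptions constructed for the demo.
"""
import json
from datetime import datetime, timedelta

# Assumed server-side lifetime of a session cookie. A request accepted on a
# cookie older than this means the server is honouring a token it should have
# expired, which extends the window in which a stolen log stays useful.
SESSION_MAX_AGE = timedelta(hours=12)

# Constructed sample log. alice logs in from a residential ISP on Windows/Chrome;
# minutes later the same cookie is presented from a hosting-provider ASN by a
# scripted client, which is what replay of a cookie from an infostealer log
# looks like. bob's cookie is still being accepted 13.5 hours after issue.
SAMPLE_LOG = """\
{"ts":"2025-03-04T09:00:00Z","sid":"s1","user":"alice","ip":"203.0.113.10","asn":7018,"ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/122.0","event":"login"}
{"ts":"2025-03-04T09:05:12Z","sid":"s1","user":"alice","ip":"203.0.113.10","asn":7018,"ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/122.0","event":"request"}
{"ts":"2025-03-04T09:07:40Z","sid":"s1","user":"alice","ip":"198.51.100.77","asn":16509,"ua":"python-requests/2.31","event":"request"}
{"ts":"2025-03-04T10:00:00Z","sid":"s2","user":"bob","ip":"192.0.2.5","asn":3320,"ua":"Mozilla/5.0 (Macintosh) Safari/17.0","event":"login"}
{"ts":"2025-03-04T23:30:00Z","sid":"s2","user":"bob","ip":"192.0.2.5","asn":3320,"ua":"Mozilla/5.0 (Macintosh) Safari/17.0","event":"request"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_anomalies(events, max_age=SESSION_MAX_AGE):
    """Return one alert per request that breaks the binding captured at login.

    The binding uses ASN rather than raw IP so that a laptop moving between
    addresses inside one ISP does not trip the check, while a cookie replayed
    from a VPS or a different country does.
    """
    bound = {}   # sid -> attributes captured when the cookie was issued
    alerts = []
    for e in events:
        sid = e["sid"]
        if e["event"] == "login":
            bound[sid] = {"asn": e["asn"], "ua": e["ua"], "issued": e["ts"]}
            continue
        binding = bound.get(sid)
        reasons = []
        if binding is None:
            # A cookie in use that this log never saw issued: either log gaps
            # or a token that was minted elsewhere. Worth a look either way.
            reasons.append("no_login_observed")
        else:
            if e["asn"] != binding["asn"]:
                reasons.append("asn_changed")
            if e["ua"] != binding["ua"]:
                reasons.append("user_agent_changed")
            if e["ts"] - binding["issued"] > max_age:
                reasons.append("cookie_older_than_max_age")
        if reasons:
            alerts.append({"sid": sid, "user": e["user"], "ip": e["ip"],
                           "ts": e["ts"].isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this yields two alerts: alice’s cookie presented from a new ASN with a new user-agent (the replay), and bob’s cookie still accepted past the assumed 12-hour lifetime (a server-side expiry problem rather than an attack, but exactly the condition that keeps a stolen log valuable). The response to the first alert is to revoke the session server-side, not just to log it; a stolen cookie stays valid until the server stops accepting it.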
How Twilight Cyber Mitigates Infostealer Attacks
Organizations can strengthen their cybersecurity defenses through proactive infostealer threat intelligence. Platforms like Twilight Cyber enable real-time detection of compromised credentials and infected devices, providing timely alerts to help mitigate threats before they escalate. Twilight Cyber’s solution offers:
- Real-time monitoring of the dark web for compromised credentials and infected machines
- Fast detection of device infections, typically within hours
- Instant credential security verification during user logins through Account Takeover Prevention
- Hourly updates on compromised devices and credential information
By adopting this automated and comprehensive approach, organizations can stay ahead of cyber threats, minimizing the risk of successful breaches and safeguarding their digital infrastructure.
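The “credential security verification during user logins” item above describes a check that happens after the password has been verified: the credential is correct, but it is also known to be in a stealer log. The following is an added example of that control, written for this page and not Twilight Cyber’s product code or API. It assumes a hypothetical feed of SHA-256 digests of normalized “email:password” pairs (the kind of data an infostealer-log intelligence source would supply), an in-memory user store with PBKDF2 password hashes, and a login flow that, on a hit, revokes every existing session and forces a reset; all of these are constructed inline so the example runs offline.

```python
"""Login-time check of a verified credential against a compromised-credential feed.

Added example, not vendor code. The feed format (SHA-256 of "email:password"),
the user store and the sample accounts are assumptions constructed for the demo.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000


def pair_digest(email: str, password: str) -> str:
    """Normalize the pair the same way the (assumed) feed does before hashing."""
    return hashlib.sha256(f"{email.strip().lower()}:{password}".encode()).hexdigest()


# Constructed feed: alice's current password has appeared in a stealer log.
COMPROMISED_FEED = {pair_digest("alice@example.com", "Winter2024!")}


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    sessions: set = field(default_factory=set)
    must_reset: bool = False


def make_user(email: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return User(email.lower(), salt, pw_hash)


# Constructed user store. alice already has a live session, as a victim of an
# infostealer would: the same log that leaked her password leaked her cookie.
USERS = {u.email: u for u in (make_user("alice@example.com", "Winter2024!"),
                               make_user("bob@example.com", "correct horse battery"))}
USERS["alice@example.com"].sessions.add("cookie-already-in-a-stealer-log")


def is_compromised(email: str, password: str, feed=COMPROMISED_FEED) -> bool:
    """True if this exact email/password pair is in the compromised feed."""
    return pair_digest(email, password) in feed


def login(email: str, password: str, feed=COMPROMISED_FEED, users=USERS) -> dict:
    """Verify the password first, then decide whether a correct password is safe to honour."""
    user = users.get(email.strip().lower())
    if user is None:
        return {"status": "denied"}
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, user.pw_hash):
        return {"status": "denied"}

    # The password is right. If it is also in a stealer log, a correct password
    # proves nothing about who is typing it: kill existing sessions (the cookie
    # was stolen alongside the password) and force a reset instead of issuing a
    # new session.
    if user.must_reset or is_compromised(email, password, feed):
        revoked = len(user.sessions)
        user.sessions.clear()
        user.must_reset = True
        return {"status": "reset_required", "revoked_sessions": revoked}

    session_id = secrets.token_urlsafe(32)
    user.sessions.add(session_id)
    return {"status": "ok", "session": session_id}


if __name__ == "__main__":
    print(login("bob@example.com", "correct horse battery")["status"])
    print(login("alice@example.com", "Winter2024!"))
```

Two design points matter here. The feed check runs only after the password verifies, so it cannot be used as an oracle to test arbitrary passwords against the feed. And the response on a hit is session revocation plus forced reset rather than a plain deny: with infostealer logs the attacker usually holds the live cookie as well as the password, so refusing a new login while leaving old sessions valid achieves little. In production the feed would be queried remotely rather than held as a local set, normally by hash prefix so the full credential never leaves the login service.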