The ultimate guide to Infostealers for users: Detection, Recovery, and Prevention

04/04/2026 · ~16 min read
infostealer · guide · prevention · recovery · detection · remediation
Sponsored By Hudson Rock

Hudson Rock offers free cybercrime intelligence, including infostealer intelligence. Thanks to their support I can spend more time creating valuable content.

This guide is going to be updated regularly. If you want to contribute, do not hesitate to reach out to me with your ideas on any of my socials listed below in About me. :)

What are infostealers?

An infostealer is a type of malware that focuses on quietly stealing your personal data, such as session tokens and passwords, from your device. Infostealers are able to locate and decrypt this kind of sensitive data and send it to the attacker's C2 (command and control) server.

The attackers may use your credentials to perform scams, purchase items through your online shopping accounts or with your credit card, or impersonate you to spread more malware.

Some popular delivery methods include:

Some examples of modern infostealer families are:

This guide will cover what infostealers can obtain from your device, how to properly clean an infostealer infection, how to properly secure your accounts and what to do after that.

What can infostealers steal?

NOTE: This does not mean that your specific infostealer variant targets everything listed here. These items are collected from multiple families and reports and serve as a list of capabilities that infostealers are known to have.

The following services/programs are targeted:

  • Web browsers data (Opera, Yandex, Chrome, Firefox, Microsoft Edge, Brave, Zen, LibreWolf, Waterfox, Vivaldi, Pale Moon, Chromium, Comet Browser, other Firefox forks and many more other browsers)
    • Your browsing history
    • Your cookies (session tokens -> this allows attackers to bypass MFA/2FA authentication)
    • Your saved and autofilled passwords, usernames, emails
    • Your saved and autofilled credit card information
    • Your saved addresses, full names
    • Your bookmarks
    • Browser sync data, saved 2FA backup codes, and extension-stored secrets (for example crypto wallet seeds in MetaMask).
  • Authentication tokens from local games, game managers, other software
    • Discord, Discord Canary, Discord PTB, Steam, Epic Games, Roblox, Riot Games, Growtopia, Telegram, WhatsApp, Uplay etc.
    • For Minecraft, it can steal from various mod loaders as well - Intent, Lunar Client, TLauncher, Feather, Meteor, Impact, Novoline, CheatBreakers, Microsoft Store version, Rise, Paladium, Badlion, PolyMC etc.
  • Searches for files
    • For example passwords.txt, wallets.txt, backup codes.txt, trezor.txt, mask.txt and more files that may include sensitive words such as seed, passwords, codes, finance, tax etc.
    • For example PDF, DOCX files across popular user folders such as Desktop, Documents
    • Also able to search for cryptowallet specific file formats/extensions
  • They usually obtain a screenshot of your desktop
  • They obtain the device information, for example:
    • IP address and local address
    • List of installed software
    • Username, computer name
    • List of running processes
    • Information about hardware components - GPU, CPU, RAM etc.
    • System locale
  • Local cryptowallets - Exodus, Atomic, Guarda, Coinomi etc.
  • Local password managers - Bitwarden, LastPass, KeePass, 1Password etc.
  • Local email clients - Thunderbird, Outlook, Mailbird etc.
  • VPN, FTP clients - OpenVPN .ovpn files, FileZilla, WinSCP etc.
  • Clipboard data
  • WiFi connections data - Their SSID (name), their passwords
  • SSH keys and credentials
  • Console history
  • Remote desktop software configurations - .RDP files, TeamViewer, AnyDesk configurations etc.
  • Note-taking applications - Evernote, Microsoft Sticky Notes etc.
  • Business software tokens - Zoom, Slack, Microsoft Teams etc.
  • Local API tokens
  • Cloud credentials - AWS CLI, Azure CLI, Azure identity tokens
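As an added example (not part of the original guide), here is a small Python script that applies the file-name patterns from the "Searches for files" item above to your own Desktop and Documents folders, so you can see which files a stealer's file grabber would most likely have taken and prioritise rotating the secrets they contain. The keyword and extension lists are assumptions modelled on the examples in the list; only file names are inspected, never contents.

```python
import os
import re
from pathlib import Path

# Assumed keyword/extension lists, modelled on the examples in the guide
# (passwords.txt, wallets.txt, backup codes.txt, trezor.txt, mask.txt,
# PDF/DOCX documents, VPN/RDP/password-manager files).
SENSITIVE_WORDS = {"password", "passwords", "wallet", "wallets", "seed", "seeds",
                   "mnemonic", "codes", "trezor", "mask", "finance", "tax",
                   "2fa", "recovery", "login", "logins"}
SENSITIVE_EXTENSIONS = {".pdf", ".docx", ".ovpn", ".rdp", ".kdbx"}


def classify(path):
    """Return a reason string if this file name matches what a stealer's
    file grabber looks for, otherwise None. Matching is on whole words in
    the file stem, so 'syntax.pdf' is flagged for its extension, not 'tax'."""
    path = Path(path)
    words = set(re.sub(r"[^a-z0-9]+", " ", path.stem.lower()).split())
    hit = words & SENSITIVE_WORDS
    if hit:
        return f"keyword '{sorted(hit)[0]}' in file name"
    if path.suffix.lower() in SENSITIVE_EXTENSIONS:
        return f"document type {path.suffix.lower()}"
    return None


def inventory(root, max_files=50000):
    """Walk `root` (e.g. Desktop or Documents) and return a sorted list of
    (path relative to root, reason) for every matching file. Hidden
    directories are skipped and the walk stops after `max_files` entries."""
    root = Path(root)
    hits, seen = [], 0
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]
        for name in filenames:
            seen += 1
            if seen > max_files:
                return sorted(hits)
            full = Path(dirpath) / name
            reason = classify(full)
            if reason:
                hits.append((str(full.relative_to(root)), reason))
    return sorted(hits)


if __name__ == "__main__":
    for folder in ("Desktop", "Documents"):
        for rel, why in inventory(Path.home() / folder):
            print(f"{folder}/{rel}: {why}")
```

Every file the script lists should be treated as already in the attacker's hands: rotate the passwords, seeds or backup codes it holds rather than just deleting the file.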

How to spot an infostealer infection?

When it comes to infostealers, most of the time you'll notice it first when you suffer the consequences, such as:

  • You are logged out of multiple accounts at once
  • Your password does not work on multiple accounts -> you lose access to your accounts
  • Your socials (Discord, Instagram) are posting scam messages, scam posts/stories
  • Someone else is playing on your gaming accounts (Riot Games, Steam)

Some things can also raise suspicion during or after execution:

  • Antivirus software detections
  • The application you downloaded does not work as intended
  • The application deleted itself (self-deletion is a popular infostealer tactic)
  • You see several PowerShell/CMD windows pop up right after execution

Modern malware does not tell you that you are infected or that it stole your data.

How to properly secure my accounts after an infostealer attack?

Important pointers:

  • To invalidate session tokens/cookies -> Select the option to sign out of all devices; if there is no such option, changing the password will do that automatically for you (with stolen session tokens/cookies, attackers can bypass the login process that would otherwise require email verification/MFA)
  • To create a proper new password -> Create a password of 16+ characters that is unique, contains lowercase and uppercase letters, contains symbols, and is completely new rather than a recycled version of one of your old passwords. You can get inspired here -> https://www.cisa.gov/secure-our-world/use-strong-passwords
  • Proper storing of 2FA/MFA tokens -> A great option on where to store your tokens is an application like Google Authenticator, Ente Auth or Proton Authenticator. If you are not familiar with MFA, you can read about it here -> https://www.ibm.com/think/topics/multi-factor-authentication
  • Consider using a password manager -> A password manager is an awesome thing. It remembers your passwords for you, creates safe, long passwords and can also store 2FA tokens. I personally use ProtonPass but there are many options mentioned below in the malware prevention section.
  • Multitasking -> We often recommend changing the passwords as soon as possible. For example, while clearing the malware you may use a different device or your phone to change passwords and enable two-factor authentication on your most important accounts.
  1. You need to make sure the device you will be doing these steps from is free of malware. If you do not make sure it is clean, you are taking the risk of your accounts being hijacked again after you secure them and change their passwords.
  2. Change passwords, revoke all active sessions/sign out all logged in devices and enable two-factor authentication for the important services/accounts first:
    • Email account providers -> Google, Outlook, Yahoo etc. (if someone can access the primary email that is tied to all your other accounts, securing it is your absolute priority: once your primary email is taken over, it becomes very hard to regain access to the accounts under it)
    • Credit cards -> Freeze payments on your credit card and then invalidate the credit card, let the bank know your accounts were compromised
    • Shopping, e-commerce that has your payment details -> Amazon, eBay
    • Banking accounts, accounts related to payment services -> PayPal, Apple Pay, Google Pay, CashApp etc.
    • Work/enterprise accounts, website credentials -> SSO, VPN, cloud consoles like AWS/Azure
  3. Change passwords, revoke all active sessions/sign out all logged in devices and enable two-factor authentication for the rest of the services/accounts mentioned above in the infostealer capabilities
  4. Double check your:
  5. Unfortunately, if you are at the stage where the attacker has already taken over some of your accounts, there isn't much you can do other than submitting a recovery ticket. For the accounts that were stolen before you could secure them, follow the recovery procedure to recover them; here are some examples of recovery procedures:
  6. Unauthorized charges:
    • Dispute them with the service first (e.g. unauthorized charges on Roblox -> first contact their support and tell them they were unauthorized and that you were compromised)
    • If you do not succeed in disputing the charge with the service first, you may chargeback
    • Extended guide to secure Steam:
      • Go to https://store.steampowered.com/twofactor/manage and deauthorize all devices.
      • Revoke your Steam API key at https://steamcommunity.com/dev/apikey
      • Change your Steam password.
      • Check your trade history and market history to see exactly what was bought and from whom. Note the receiving account if visible.
      • Contact Steam Support at https://help.steampowered.com and file a report about the unauthorized market purchase. Steam sometimes reverses these and bans the receiving account.

What do the attackers do with the info that they stole?

Your info may eventually become available in so-called Stealer Logs (Stealer Logs: Guide for Security Teams) for other hackers and threat actors to abuse. These stealer logs may be sold or given away for free on various hacking/cybercrime related forums.

You can check whether your data has been published in Stealer Logs on Have I Been Pwned - Check if your email has been compromised in a data breach.

There is plenty they can do:

  • Steam account -> attempt to scam your friends by impersonating Valve employees, trying to purchase and gift items from your account
  • Discord account -> abuse it to send automated scam messages (the Mr. Beast message is currently popular), ask your friends to try the "new game" you just made to get them to download malware (The Fake Game Playtest Scam Explained), send phishing links that attempt to get people to enter their credentials (popular for Steam)
  • Streaming accounts -> abuse for their own needs, resell them to other people for lower price
  • Shopping, e-commerce accounts -> abuse for their own needs - buying a bunch of stuff - popular are gift cards, resell them to other people for lower price
  • Cryptowallets, banking accounts -> send funds to their own controlled accounts, sell on the black market for low price
  • Gaming accounts -> abuse for their own needs, sell on the black market for low price
  • VPN, FTP accounts -> enumerating other environments, infecting websites you have FTP access to
  • Social accounts -> abuse it to post automated scam stories/posts, social engineer your friends, sell on the black market for low price

What to do after I secured my accounts?

Prevent malware attacks in general

Note: an extended malware prevention guide was created shortly after this guide. It contains everything related specifically to preventing malware; see The ultimate guide to preventing malware for users.

Please note that these steps won't include a recommendation of a specific antivirus software. Using the built-in Windows Defender or any other antivirus software is perfectly fine, and following the steps listed will make it very unlikely that you become a victim of malware.

The biggest difference you can make when it comes to malware is being educated and following the rules below. The difference between each antivirus software does not matter as much as your knowledge.


Thanks for reading my guide! 🫡


  • Update (10/04/2026): added KeePassXC, Proton Authenticator, Ente Auth, NextDNS, more security browser extensions, various cloud services and links to them

  • Update (18/04/2026): added CRXviewer, Patch My PC Home, UCheck by Adlice

  • Update (17/05/2026): added extended guide to secure Steam, added link to new malware prevention guide

  • Update (19/05/2026): added list of new applications that infostealers can steal from - various Minecraft launchers and web browsers

Want to learn more?