The Open-Source Infostealer Explosion: When Free Malware Comes at Everyone's Cost

Jun 26, 2026

There's a shift happening in the underground economy around credential theft, and it should concern every organisation, regardless of size or sector. The traditional model of renting sophisticated malware from professional criminal teams is being supplemented, and in some cases replaced, by something far more accessible: freely available, open-source infostealers that anyone with basic technical ability can deploy in an afternoon.

This isn't a theoretical risk. It's happening now, at scale, and the data backs it up.


The Old Model: Malware-as-a-Service

To understand why open-source infostealers represent a step change in the threat landscape, it helps to understand the model they're disrupting.

For years, the infostealer market operated much like any subscription SaaS business, except that the product was credential theft. Professional criminal teams built and maintained sophisticated stealers, then rented access to affiliates through tiered subscription models advertised on dark web forums and Telegram channels.

The names will be familiar to anyone working in threat intelligence: Lumma Stealer, RedLine, Raccoon, StealC. These weren't crude tools. They were polished, actively maintained products with customer support, changelogs, and pricing tiers designed to maximise criminal return on investment.

Lumma, for example, operated subscriptions ranging from $250/month for basic access up to $20,000 for a full reseller licence. This came with a builder interface, obfuscation options, and a web panel for managing stolen logs. It was a business. A very successful one.

The barrier to entry was financial. If you couldn't afford the subscription, you couldn't play.


The Shift: When Malware Goes Open Source

That barrier is disappearing.

The emergence of open-source infostealers on platforms like GitHub has fundamentally changed the calculus. Tools that previously required criminal connections and subscription fees are now available to anyone with a browser and basic coding knowledge.

ThunderKitty is the most prominent recent example: a fully functional infostealer published openly on GitHub, complete with documentation. It targets browser credentials, session cookies, cryptocurrency wallets, and system information. The source code is available, forkable, and has already spawned a family of variants as threat actors customise it for their own campaigns.

ThunderKitty isn't alone. The open-source infostealer ecosystem now includes:

  • Stealerium - a C# infostealer with Discord webhook exfiltration, targeting browsers, wallets, and VPN credentials
  • Phemedrone Stealer - gained notoriety in early 2024 by exploiting a Windows Defender SmartScreen bypass (CVE-2023-36025), distributed via malicious URLs
  • VoidStealer - lightweight, modular, and widely forked across threat actor communities
  • Phantom Stealer - marketed with a dark web aesthetic despite being freely available, targeting gaming platform credentials alongside traditional browser data

Each of these projects has a lineage. One repository gets published, forks proliferate, variants emerge with new evasion techniques or targeting capabilities. The criminal economy of infostealers is beginning to resemble the open-source software development model it parasitises.


How They're Advertised and Distributed

The marketing of these tools (even the free ones) follows established patterns.

On forums like Lolz.live and various Telegram channels, threat actors advertise their variants with the same conventions as legitimate SaaS: feature lists, screenshots of the admin panel, testimonials from satisfied buyers, and free trials. Even where the base code is freely available, actors monetise through paid "crypting" services (obfuscation to evade AV detection), infrastructure provision, or premium support.

Distribution methods have evolved to abuse legitimate platforms:

  • GitHub itself is used to host payloads, with malicious repositories disguised as cracked software, game cheats, or developer tools
  • YouTube tutorials for pirated software link to malware in the video description
  • Discord servers distribute stealers as "free tools" to gaming communities
  • Telegram bots automate the delivery of build configurations and log collection

In May 2025, a campaign was identified that used malvertising across GitHub to distribute infostealer payloads to over one million devices in a single operation. The scale is no longer niche.


The Takedown Problem

Law enforcement has not been passive. In May 2025, a coordinated operation involving the US Department of Justice and Microsoft took down Lumma Stealer's infrastructure, seizing domains and disrupting the service for hundreds of thousands of subscribers.

Within weeks, new variants had emerged. Existing affiliates migrated to alternative platforms. The credentials already stolen remained in criminal hands and continued to circulate on breach marketplaces.

This is the fundamental challenge with infostealers: the damage is done at the point of infection. Takedowns disrupt distribution, but the 53 million credentials and data from 13 million infected devices estimated to have been compromised in 2024 alone don't disappear just because the infrastructure does.


What This Means for Your Organisation

The democratisation of infostealer tooling has several direct implications:

Volume will increase. When the barrier to entry drops, the number of actors rises with it. Organisations that previously fell below the threshold of interest for sophisticated criminal groups are now viable targets for low-sophistication actors using readily available tools.

Detection becomes harder. Open-source code means no consistent fingerprint. Each deployment can be trivially modified to evade signature-based detection. Behavioural detection is increasingly the only reliable approach.
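As an added illustration of what behavioural detection looks like in practice (this is not code from the original post or from any product it names), the following Python correlates constructed endpoint-telemetry events: a non-browser process reading a browser credential store, followed within a short window by an outbound connection to a webhook endpoint of the kind the post describes for Discord- and Telegram-based exfiltration. The event shape, process names and file paths are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, EDR-agnostic event shape: ts, pid, image, event, target (constructed).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
CRED_STORES = ("\\login data", "\\cookies", "\\local state", "\\web data",
               "\\key4.db", "\\logins.json")
WEBHOOK_HOSTS = ("discord.com/api/webhooks", "api.telegram.org/bot")
WINDOW = timedelta(seconds=120)  # read-to-exfil correlation window

def detect(events):
    """Correlate per pid: a non-browser read of a browser credential store
    (medium), escalated to high if a webhook connection follows within WINDOW."""
    reads = defaultdict(list)  # pid -> timestamps of credential-store reads
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in BROWSERS:
            continue  # a browser touching its own stores is expected behaviour
        target = ev["target"].lower()
        if ev["event"] == "file_read" and any(m in target for m in CRED_STORES):
            reads[ev["pid"]].append(ev["ts"])
            alerts.setdefault(ev["pid"], {"image": image, "severity": "medium",
                "reason": "non-browser process read browser credential store"})
        elif ev["event"] == "net_connect" and any(h in target for h in WEBHOOK_HOSTS):
            if any(ev["ts"] - t <= WINDOW for t in reads[ev["pid"]]):
                alerts[ev["pid"]] = {"image": image, "severity": "high",
                    "reason": "credential store read followed by webhook exfiltration"}
    return alerts

def ts(s):
    return datetime.fromisoformat(s)

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"ts": ts("2025-06-01T09:00:00"), "pid": 100, "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "event": "file_read", "target": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"ts": ts("2025-06-01T09:01:00"), "pid": 200, "image": "C:\\Users\\a\\Downloads\\update.exe",
     "event": "file_read", "target": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"ts": ts("2025-06-01T09:01:05"), "pid": 200, "image": "C:\\Users\\a\\Downloads\\update.exe",
     "event": "file_read", "target": "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"},
    {"ts": ts("2025-06-01T09:01:30"), "pid": 200, "image": "C:\\Users\\a\\Downloads\\update.exe",
     "event": "net_connect", "target": "https://discord.com/api/webhooks/EXAMPLE-ID/EXAMPLE-TOKEN"},
    {"ts": ts("2025-06-01T09:05:00"), "pid": 300, "image": "C:\\Tools\\backup.exe",
     "event": "file_read", "target": "C:\\Users\\a\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x.default\\logins.json"},
    {"ts": ts("2025-06-01T09:06:00"), "pid": 400, "image": "C:\\Tools\\chatbot.exe",
     "event": "net_connect", "target": "https://discord.com/api/webhooks/EXAMPLE-ID/EXAMPLE-TOKEN"},
]

if __name__ == "__main__":
    for pid, a in detect(SAMPLE_EVENTS).items():
        print(pid, a["severity"], a["image"], a["reason"])
```

The rule keys on what the process does rather than on any hash or string, so a recompiled or obfuscated fork of the same stealer still trips it; a process that only talks to a webhook (pid 400) is deliberately not alerted on its own.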

Credentials are the primary target. The end goal of virtually every infostealer campaign is credential harvesting: browser-saved passwords, session cookies, VPN credentials, and cryptocurrency wallet keys. Once stolen, these credentials are sold on breach marketplaces or used directly for account takeover.

Your supply chain is exposed. Even if your own security posture is strong, a compromised credential from a supplier, contractor, or partner with access to your systems represents a real attack path. Your employees' data appearing in stealer logs is a leading indicator of risk, and quite often it appears before any attack has occurred.


The Cybridge Perspective

At Cybridge, our Managed Breach Intelligence service monitors stealer log marketplaces and breach data sources continuously, identifying when credentials associated with your domain, employees, or supply chain appear in compromised datasets.

The value is in early warning. A credential appearing in stealer logs today may not be weaponised for weeks or months. That window is your opportunity to act: force a password reset, invalidate sessions, and review access, all before an attacker does.

If you're not monitoring for this, you're working blind. The tools to compromise your organisation are free. The intelligence to detect it before it matters doesn't have to be expensive either.


John Bridge is Director of Cybridge Ltd, a Jersey-based cybersecurity and intelligence consultancy specialising in breach intelligence, OSINT investigations, and penetration testing.

To find out more about Cybridge's Managed Breach Intelligence service, visit cybridge.je


Tags: Threat Intelligence, Infostealers, Breach Intelligence, Cybersecurity, OSINT, Malware, Credential Theft