Introduction
In recent years, the cybercrime landscape has seen a sharp rise in the use of infostealers, particularly malware that targets credentials stored in password managers [4]. This trend poses a substantial threat to digital security, as evidenced by credential theft from password stores now ranking among the ten most prevalent MITRE ATT&CK techniques observed in real-world malware [4].
Description
Infostealers have seen significant growth in the cybercrime landscape [6]: approximately 25% of the more than one million malware samples analysed in 2024 targeted credentials stored in password managers, a three-fold increase over the previous year. As a result, credential theft from password stores (MITRE ATT&CK T1555, Credentials from Password Stores) has entered the top 10 most prevalent ATT&CK techniques for the first time [2] [10]; those top 10 techniques collectively accounted for 93% of all malicious actions observed in 2024 [8] [9]. The rising demand for compromised logins underscores attackers' focus on both local and cloud-based password managers, browser-stored credentials, and cached login data [3] [6].
Threat actors are employing advanced extraction methods [8] [10], including memory scraping, registry harvesting [2] [5] [8] [9] [10], process injection [4] [6], keylogging [6], and screen capturing [6], to obtain credentials while evading detection. The complexity of these attacks has increased [6]: each malware sample now performs an average of 14 malicious actions, spanning defense evasion [2], privilege escalation [2] [9], and data exfiltration [1] [2] [6] [7] [9] [10]. Notably, the report describes a new generation of malware, dubbed "SneakThief", that emphasizes stealth, persistence [1] [2] [7] [8] [9] [10], and automation [1] [2] [7] [8] [9] [10], enabling cybercriminals to execute multi-stage operations while maintaining prolonged access to networks. This evolution of info-stealing malware often includes methods to compromise both local and cloud-based password stores. The Snowflake campaign [3] illustrates the downstream impact: credentials harvested by infostealers were used to log in to customer accounts that lacked multi-factor authentication, exposing data on hundreds of millions of victims [3].
Despite the growing adoption of password managers as a security control [7], these tools have become high-value targets: attackers attempt to unlock vaults, scrape decrypted secrets from process memory, or reuse previously stolen passwords to gain access [7]. To counter these threats [4], organizations must move beyond traditional patchwork defenses and adopt continuous security validation [4], advanced behavioral monitoring [4], and a threat-informed strategy [4]. Pairing password managers with multi-factor authentication (MFA) is essential [6], although it is not foolproof: MFA does not help once a session token or the decrypted vault itself has been stolen from the endpoint. Employing strong master passwords or pass-phrases [5], never reusing the master password elsewhere, and choosing a password manager with robust defenses against vault compromise (for example, strong vault encryption and a short in-memory lifetime for decrypted secrets) are also crucial. Ongoing vigilance and adherence to password-security best practices among employees remain vital [6].
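One way to make the "advanced behavioral monitoring" recommended above concrete is to watch which processes open known credential stores, and which processes open LSASS with read access (the primitive behind memory scraping). The following Python script is an added example and is not code from Picus or from any of the cited reports; its event schema, file-path patterns, allow-lists and sample events are assumptions chosen for the demonstration rather than a vetted rule set.

```python
"""Toy behavioural detector for credential-store access and LSASS memory reads.

Added example, not code from Picus or from any report cited on the page. The
event schema, the credential-store path patterns and the allow-lists of
"expected" accessor processes are assumptions chosen for the demonstration; a
real deployment would consume Sysmon (Event ID 10) or EDR file-access telemetry.
"""
from dataclasses import dataclass
import re

# Files that hold stored credentials (ATT&CK T1555, Credentials from Password
# Stores). Windows paths are used for illustration; matching is case-insensitive.
CRED_STORE_PATTERNS = {
    # Chrome keeps saved logins in "Login Data" and the DPAPI-wrapped key that
    # decrypts them in "Local State"; infostealers read both files.
    "chrome_login_data": re.compile(r"\\google\\chrome\\user data\\[^\\]+\\login data$", re.I),
    "chrome_local_state": re.compile(r"\\google\\chrome\\user data\\local state$", re.I),
    "firefox_logins": re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I),
    "windows_vault": re.compile(r"\\microsoft\\vault\\", re.I),
    "keepass_db": re.compile(r"\.kdbx$", re.I),
}

# Processes that legitimately open each store (assumed allow-list; tune per fleet).
EXPECTED_ACCESSORS = {
    "chrome_login_data": {"chrome.exe"},
    "chrome_local_state": {"chrome.exe"},
    "firefox_logins": {"firefox.exe"},
    "windows_vault": {"lsass.exe", "explorer.exe", "vaultcmd.exe"},
    "keepass_db": {"keepass.exe"},
}

# Processes expected to open LSASS with read access (assumed; e.g. the AV engine).
EXPECTED_LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
PROCESS_VM_READ = 0x0010  # access right required to scrape credentials from memory


@dataclass
class Event:
    kind: str          # "file_read" or "process_access"
    process: str       # image name of the acting process
    target: str        # file path (file_read) or target image name (process_access)
    access: str = "0"  # granted-access mask as a hex string, for process_access


def classify_store(path: str):
    """Return the credential-store name a path belongs to, or None."""
    for name, pattern in CRED_STORE_PATTERNS.items():
        if pattern.search(path):
            return name
    return None


def detect(events):
    """Return (process, alert_type, detail) tuples for suspicious events."""
    alerts = []
    for ev in events:
        proc = ev.process.lower()
        if ev.kind == "file_read":
            store = classify_store(ev.target)
            if store is not None and proc not in EXPECTED_ACCESSORS[store]:
                alerts.append((proc, "credential_store_read", store))
        elif ev.kind == "process_access" and ev.target.lower() == "lsass.exe":
            mask = int(ev.access, 16)
            if mask & PROCESS_VM_READ and proc not in EXPECTED_LSASS_READERS:
                alerts.append((proc, "lsass_memory_read", hex(mask)))
    return alerts


# Constructed sample telemetry for the demo (not real logs).
SAMPLE_EVENTS = [
    Event("file_read", "chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("file_read", "powershell.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("file_read", "firefox.exe", r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\logins.json"),
    Event("file_read", "rundll32.exe", r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\key4.db"),
    Event("file_read", "keepass.exe", r"C:\Users\alice\Documents\vault.kdbx"),
    Event("file_read", "python.exe", r"C:\Users\alice\Documents\vault.kdbx"),
    Event("process_access", "MsMpEng.exe", "lsass.exe", access="0x1010"),
    Event("process_access", "notepad.exe", "lsass.exe", access="0x1010"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the script flags the PowerShell and rundll32 reads of browser stores, the non-KeePass read of a .kdbx file, and notepad.exe opening LSASS with PROCESS_VM_READ, while the browsers, KeePass and the AV engine pass silently. The allow-lists are the part that needs tuning per environment: a browser updater, a backup agent or a legitimate credential-sync tool will otherwise generate noise, and an attacker who injects into an allow-listed process (the process-injection technique the report also highlights) will slip past this check, which is why file-access rules should be paired with injection detection rather than relied on alone.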
The Picus Red Report 2025 [4] recommends aligning defenses with the top 10 MITRE ATT&CK techniques as an effective strategy for enterprise security teams, with the potential to stop up to 90% of sophisticated malware threats like SneakThief. The report emphasizes the importance of robust defenses against credential theft [4], encrypted data exfiltration [4], and stealthy process injection [4], providing actionable intelligence for organizations looking to improve their security posture. The full report is available from Picus [4], along with an accompanying live webinar featuring Picus Labs researchers [4].
Conclusion
The rise of infostealers targeting password managers underscores the urgent need for stronger defenses. Organizations must adopt comprehensive strategies, including continuous security validation and behavioral monitoring [4], to mitigate these threats [4] [5]. Multi-factor authentication and strong password practices are necessary but not sufficient; they must be part of a broader, threat-informed approach. As these threats evolve, staying informed and proactive is essential to safeguarding sensitive information.
References
[1] https://www.darkreading.com/threat-intelligence/credential-theft-cybercriminals-favorite-target
[2] https://www.tradingview.com/news/reuters.com,2025-02-04:newsml_GNXcc8TBc:0-picus-security-finds-3x-increase-in-malware-targeting-password-stores/
[3] https://www.infosecurity-magazine.com/news/threefold-increase-malware/
[4] https://www.picussecurity.com/resource/blog/red-report-2025-3x-rise-in-credential-theft
[5] https://www.forbes.com/sites/daveywinder/2025/02/04/millions-of-password-manager-users-on-red-alert-act-now-to-stay-safe/
[6] https://undercodenews.com/the-rise-of-infostealers-a-growing-threat-to-cybersecurity/
[7] https://www.msspalert.com/news/picus-bad-actors-using-more-complex-malware-to-steal-credentials
[8] https://www.citybiz.co/article/657218/picus-security-finds-3x-increase-in-malware-targeting-password-stores/
[9] https://vmblog.com/archive/2025/02/04/picus-security-finds-3x-increase-in-malware-targeting-password-stores.aspx
[10] https://www.globenewswire.com/news-release/2025/02/04/3020087/0/en/Picus-Security-Finds-3X-Increase-in-Malware-Targeting-Password-Stores.html