Executive Summary
In 2025, the cybersecurity landscape witnessed an unprecedented surge in credential theft, with Recorded Future detecting 1.95 billion malware combo list credential exposures, 36 million database combo list credential exposures, 24 million database dump credential exposures, and 892 million malware log credential exposures. This escalation was primarily driven by the proliferation of infostealer malware, which harvested credentials from both personal and corporate devices, leading to significant breaches across various sectors. Notably, the Lumma Stealer emerged as the most prevalent infostealer, compromising over 394,000 Windows computers between March and May 2025. The widespread availability of stolen credentials on dark web marketplaces facilitated unauthorized access to corporate networks, resulting in data breaches, financial losses, and reputational damage for affected organizations.
This trend remains relevant because infostealer malware, and the criminal tooling built around it, keeps evolving. The commodification of credential theft has lowered the barrier to entry: an attacker no longer needs to compromise a network directly when working logins and session cookies can be bought from a log marketplace. Organizations therefore need identity protection that goes beyond a password policy: continuous monitoring for exposed credentials, phishing-resistant multi-factor authentication with the ability to revoke active sessions, and employee education to reduce the phishing delivery path.
Why This Matters Now
The surge in credential theft, driven by advanced infostealer malware, poses an immediate and escalating threat to organizations worldwide. The commodification of stolen credentials has made it easier for cybercriminals to gain unauthorized access to sensitive systems, leading to data breaches and financial losses. Organizations must urgently implement robust identity protection measures to safeguard against these evolving threats.
Attack Path Analysis
The adversary gained initial access by delivering infostealer malware through phishing emails; the malware harvested saved credentials and browser session cookies from the victim's device. Replaying those credentials and cookies (a stolen cookie resumes an already authenticated session, so MFA is never prompted), the attacker logged into corporate services, escalated privileges to reach critical systems, and moved laterally across the network to locate sensitive data. Command-and-control channels kept that access persistent, and the collected data was exfiltrated over them. Finally, the attacker monetised the data, including by selling the credentials on dark web forums.
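The session-cookie replay step above is the one that defeats MFA, so it is worth showing what a detection for it looks like. The following is an added example written for this page, not code from the page's sources or from any vendor: it reads constructed web-application access events (the field layout `ts event sid= user= ip= ua=` is an assumption) and flags two indicators of a stolen cookie: a session identifier that was minted by an MFA-backed login and is later used from a different source IP and a different User-Agent, and a session identifier that is used without any observed login at all. An IP change alone (NAT, roaming) is deliberately not alerted on.

```python
"""Detect replay of stolen web session cookies (added example, not from the page)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events. Field layout is an assumption for this example;
# real application logs will need their own parser.
SAMPLE_LOG = """\
2025-05-12T09:02:11Z login_mfa_ok sid=7f3a user=alice ip=203.0.113.10 ua=Chrome/124 Windows
2025-05-12T09:05:40Z request sid=7f3a user=alice ip=203.0.113.10 ua=Chrome/124 Windows
2025-05-12T09:41:02Z request sid=7f3a user=alice ip=198.51.100.77 ua=Firefox/115 Linux
2025-05-12T10:00:00Z login_mfa_ok sid=9c21 user=bob ip=192.0.2.5 ua=Chrome/124 macOS
2025-05-12T10:03:00Z request sid=9c21 user=bob ip=192.0.2.6 ua=Chrome/124 macOS
2025-05-12T11:00:00Z request sid=e0d4 user=carol ip=198.51.100.77 ua=Firefox/115 Linux
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) ua=(?P<ua>.+)$"
)


@dataclass
class Session:
    user: str
    ip: str
    ua: str
    issued: datetime


@dataclass
class Alert:
    ts: str
    sid: str
    user: str
    reason: str


def parse_event(line: str) -> dict:
    """Parse one log line into a dict; raise on lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_cookie_replay(log_text: str, max_age: timedelta = timedelta(hours=12)) -> list[Alert]:
    """Return alerts for session identifiers that look replayed from a stolen cookie.

    A session is bound to the (ip, ua) pair seen at its MFA login. Later use from
    a *different* IP *and* a different User-Agent is treated as replay; an IP
    change with the same browser is left alone. Use of a sid with no observed
    login, or past max_age, is also flagged (cookies exported from another
    browser profile, or stolen days earlier, look exactly like that).
    """
    sessions: dict[str, Session] = {}
    alerts: list[Alert] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        sid, when = ev["sid"], ev["ts"]
        if ev["event"] == "login_mfa_ok":
            sessions[sid] = Session(ev["user"], ev["ip"], ev["ua"], when)
            continue
        sess = sessions.get(sid)
        if sess is None:
            alerts.append(Alert(when.isoformat(), sid, ev["user"],
                                "session used without an observed login"))
            continue
        if when - sess.issued > max_age:
            alerts.append(Alert(when.isoformat(), sid, ev["user"],
                                f"session used {when - sess.issued} after issue (beyond {max_age})"))
            continue
        if ev["ip"] != sess.ip and ev["ua"] != sess.ua:
            alerts.append(Alert(when.isoformat(), sid, ev["user"],
                                f"session replayed from {ev['ip']} / {ev['ua']!r}; "
                                f"issued to {sess.ip} / {sess.ua!r}"))
    return alerts


if __name__ == "__main__":
    for a in detect_cookie_replay(SAMPLE_LOG):
        print(f"{a.ts} sid={a.sid} user={a.user}: {a.reason}")
```

On the sample data this produces two alerts: alice's session `7f3a` reused from a new IP and browser 39 minutes after its MFA login, and carol's `e0d4` appearing with no login at all; bob's IP-only change is ignored. The natural response action for either alert is to invalidate the session server-side and force re-authentication, which is what a stolen cookie is meant to avoid.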
Kill Chain Progression
Initial Compromise
Description
The adversary deployed infostealer malware via phishing emails, leading to the theft of user credentials and session cookies.
MITRE ATT&CK® Techniques
Keylogging (T1056.001)
Steal Web Session Cookie (T1539)
Credentials from Password Stores (T1555)
Spearphishing Attachment (T1566.001)
Spearphishing Link (T1566.002)
Valid Accounts (T1078)
OS Credential Dumping (T1003)
Obfuscated Files or Information (T1027)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-Factor Authentication (MFA)
Control ID: 8.4.2
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity Management and Access Control
Control ID: Identity Pillar
NIS2 Directive – Incident Handling
Control ID: Article 21
Sector Implications
Industry-specific impact of infostealer-driven credential theft, including operational, regulatory, and cloud security risks.
Financial Services
Infostealer malware targeting authentication systems and cloud platforms poses critical risks to financial institutions given extensive regulatory compliance requirements and credential-based access controls.
Information Technology/IT
IT sector faces heightened exposure as infostealers specifically target VPNs, remote monitoring tools, and security platforms, potentially compromising managed service providers and software companies.
Health Care / Life Sciences
Healthcare organizations are vulnerable to credential theft affecting HIPAA-compliant systems, with stolen session cookies bypassing MFA protections for patient data access and medical device management.
Government Administration
Government entities face significant risks from credential compromise affecting authentication portals and detection systems, potentially enabling lateral movement across sensitive government networks and data systems.
Sources
- Recorded Future – 2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025 – https://www.recordedfuture.com/blog/identity-trend-report-march-blog
- CISA – Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations (AA25-141B) – https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141b
- Microsoft Security – Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer – https://www.microsoft.com/en-us/security/blog/2025/05/21/lumma-stealer-breaking-down-the-delivery-techniques-and-capabilities-of-a-prolific-infostealer/
- Malwarebytes – Lumma information stealer infrastructure disrupted – https://www.malwarebytes.com/blog/news/2025/05/lumma-information-stealer-infrastructure-disrupted
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to this incident because it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing segmentation and identity-aware policies. None of these controls stops the infostealer from taking credentials off an endpoint; they act on what an attacker can do with those credentials once inside the cloud environment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Aviatrix CNSF does not prevent the initial credential theft, but it constrains what a stolen credential can reach within the cloud environment.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could constrain privilege escalation by enforcing access controls based on identity and context rather than network position.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could restrict lateral movement by monitoring and controlling internal traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could detect and disrupt unauthorized command and control channels through monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could prevent or limit data exfiltration by controlling and monitoring outbound traffic from the cloud environment.
With these controls in place, the volume of data exfiltrated could be reduced, limiting the financial and reputational impact.
Impact at a Glance
Affected Business Functions
- Authentication Systems
- Remote Access Tools
- Cloud Platforms
- Security Monitoring Tools
Estimated downtime: 7 days
Estimated loss: $500,000
Compromised credentials including authentication systems, VPNs, RMM tools, cloud platforms, and security software; potential exposure of sensitive corporate data and personal identifiable information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Enforce Multi-Factor Authentication (MFA), preferably phishing-resistant, and pair it with the ability to revoke active sessions: stolen session cookies resume an already authenticated session and bypass MFA entirely, so a password reset alone does not evict the attacker.
- Deploy Threat Detection & Anomaly Response systems to identify and respond to suspicious activity promptly, including session reuse from new locations or devices.
- Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Establish Multicloud Visibility & Control to maintain comprehensive oversight across all cloud environments.
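The takeaways above assume an organisation can act on the combo-list and malware-log exposures counted in the Executive Summary. The following is an added example, not code from the page or from any vendor, of how a response team triages such an export: it parses a constructed dump (the `url:login:password` line format is an assumption; real dumps vary), keeps only entries tied to the organisation's own domains or hosts, deduplicates, records a short fingerprint instead of the plaintext password, and queues the response actions for each affected account, additionally flagging corporate logins whose password also turned up on a third-party site.

```python
"""Triage an infostealer credential export against corporate accounts (added example)."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample export. The url:login:password layout is an assumption;
# stealer logs and combo lists come in several formats.
SAMPLE_DUMP = """\
https://portal.example.com:443/login:alice@example.com:Summer2025!
https://vpn.example.com/:bob:Winter2024
https://shop.example-store.net/account:carol@gmail.com:hunter2
https://app.other.net/login:alice@example.com:Summer2025!
android://com.example.app/:dave@example.com:pa55word
https://portal.example.com:443/login:alice@example.com:Summer2025!
"""

CORP_DOMAINS = {"example.com"}  # assumption: the organisation's own domains


@dataclass
class Finding:
    login: str
    host: str
    password_fp: str                      # truncated hash, never the plaintext
    actions: list = field(default_factory=list)


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so reuse can be correlated without storing the password."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def parse_dump(text: str):
    """Yield (url, login, password). rsplit keeps colons inside the URL intact."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            url, login, password = line.rsplit(":", 2)
        except ValueError:
            continue  # malformed line; skip rather than guess
        yield url, login, password


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_corporate(login: str, host: str, corp_domains: set) -> bool:
    """Match either a corporate e-mail login or a corporate target host."""
    login_domain = login.rsplit("@", 1)[-1].lower() if "@" in login else ""
    by_login = login_domain in corp_domains
    by_host = any(host == d or host.endswith("." + d) for d in corp_domains)
    return by_login or by_host


def triage(dump_text: str, corp_domains: set = CORP_DOMAINS) -> list[Finding]:
    findings: dict = {}
    for url, login, password in parse_dump(dump_text):
        host = host_of(url)
        if not is_corporate(login, host, corp_domains):
            continue
        key = (login.lower(), host)
        if key in findings:
            continue  # duplicate entry in the dump
        findings[key] = Finding(login.lower(), host, fingerprint(password),
                                ["reset_password", "revoke_sessions"])
    # Same login and same password fingerprint on more than one host means the
    # corporate password was reused elsewhere and must be treated as burned.
    hosts_by_cred = defaultdict(set)
    for f in findings.values():
        hosts_by_cred[(f.login, f.password_fp)].add(f.host)
    for f in findings.values():
        if len(hosts_by_cred[(f.login, f.password_fp)]) > 1:
            f.actions.append("password_reused_on_third_party")
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP):
        print(f"{f.login:<20} {f.host:<22} fp={f.password_fp} -> {', '.join(f.actions)}")
```

On the sample data this yields four findings (the duplicate portal entry is collapsed and carol's personal account is ignored): alice at the corporate portal and at a third-party site with the same password, bob at the VPN host, and dave via the mobile app. Both alice entries carry the reuse flag. Because stolen session cookies outlive a password change, `revoke_sessions` is queued for every finding, not only `reset_password`.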