In recent years, one thing has become very clear to anyone working in cybersecurity: credential theft has turned into one of the main engines of the online criminal economy. Not because it is particularly sophisticated, but because it works incredibly well. For many attackers, buying already valid access is far easier than compromising a network from scratch.
At the center of this business are infostealers. These are simple malware families designed to collect anything with operational value: browser passwords, session cookies, authentication tokens, VPN credentials, crypto wallets, and autofill data. They do not need to be elegant. They need to be efficient.
Over the past few months we have seen a new wave of infostealers spreading in the wild. Names like Arkanix, CharlieKirk GRABBER, ComSuon, DarkCloud, MawaStealer and MioLab (also known as NovaStealer) appear frequently in analyses. None of them is particularly groundbreaking from a technical point of view. Their true value lies in the massive volume of stolen data they generate, which feeds an ever more structured underground market.
When artificial intelligence enters malware development
Among the new families, Arkanix is the one that sparked the most discussion. Not because of its features, but because of how it seems to have been developed: partly assisted by language models. In simpler terms, parts of its code may have been generated or accelerated using LLM-based tools.
This is where things get interesting. What once required weeks of coding can now be done in a fraction of the time. That lowers the barrier to entry dramatically for emerging criminal actors. Anyone with moderate skills can produce custom malware much faster than in the past.
Arkanix appeared in underground forums in October 2025 as a malware-as-a-service offering. The infrastructure disappeared a few months later, likely due to operational issues or law enforcement pressure. The duration of the project is irrelevant. The message it leaves behind is what matters: creating an infostealer has never been easier.
The real business is not the malware. It is the logs
The stolen datasets generated by infostealers are the real product of this ecosystem. A single infected device can contain hundreds of credentials: corporate emails, SaaS platforms, admin panels, VPN accounts, even valid browser sessions.
These logs are not dumped chaotically online. They are processed, filtered, labeled and sold. Different actors in this chain specialize in identifying the most valuable elements, such as corporate domains and privileged cloud accesses. Once refined, the logs are packaged and sold to brokers who resell them to intrusion operators.
It is a supply chain with well-defined roles, not very different from a traditional economic system, except that the product being traded is our access data.
The cybercrime division of labor
Underground forums have evolved into full-fledged digital marketplaces with reputation systems, escrow services, dedicated vendors and even customer support.
The workflow is surprisingly efficient. One actor manages large-scale infection campaigns. Another extracts and catalogs the stolen credentials. Another sells curated accesses to brokers. Finally, specialized groups use those accesses to perform more complex intrusions, often ending in ransomware deployments.
Each actor focuses on what they do best, reducing time, operational risk and cost. That specialization is what makes the infostealer ecosystem so resilient.
Why infostealers remain so dominant
The explanation is straightforward: they work. They are cheap to distribute, easy to customize and extremely profitable. A single infected machine can unlock dozens of valuable accounts. All it takes is one high-privilege corporate credential to make a cheap log incredibly valuable.
This creates a self-reinforcing cycle. Infect, collect, package, sell, exploit. Every step fuels the next.
What this means for companies
Many organizations still underestimate the strategic impact of infostealers. The main problem is not the malware itself, but the persistence of stolen credentials. Data exfiltrated today may be resold and weaponized months later.
The most effective defenses are not limited to antivirus tools. They involve processes: monitoring for leaked credentials, rotating passwords regularly, enforcing strong MFA, tracking active sessions and watching for anomalous behaviors. All of this has a single purpose: reduce the economic value of stolen credentials.
Because if those credentials lose value, the entire criminal supply chain starts to weaken.
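The defensive process described above (monitor leaked-credential feeds, rotate passwords, enforce MFA, track active sessions) can be turned into a concrete triage rule: for each leaked credential that belongs to one of our domains, decide which action actually strips it of its value. The script below is an added example written for this article, not code from the author or from CYBEROO. The corporate domain, the directory entries and the leak records are all constructed; the key idea it shows is that a password rotation only helps if it happened after the log surfaced, and that a stolen session cookie survives a password change unless the session itself is revoked.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumed: the organisation's own mail domains (constructed for this example).
CORPORATE_DOMAINS = {"example-corp.test"}


@dataclass
class Account:
    """One entry from the corporate directory / identity provider (constructed)."""
    email: str
    password_changed: datetime              # timestamp of the last rotation
    mfa_enforced: bool
    active_sessions: Tuple[str, ...] = ()   # session ids the IdP still honours


@dataclass
class LeakRecord:
    """One credential seen in a leaked-credential feed (constructed)."""
    email: str
    observed: datetime                      # when the log surfaced for sale
    session_id: Optional[str] = None        # session token included in the log, if any


def triage(accounts: List[Account], leaks: List[LeakRecord]) -> Dict[str, List[str]]:
    """Map each leaked corporate account to the actions that remove its value.

    Rules:
      * Only addresses on our domains are actionable; everything else is skipped.
      * A password rotated after the leak was observed is already dead. Otherwise
        we cannot know whether the capture predates the rotation (logs are resold
        long after capture), so the password is rotated.
      * A leaked session id that the IdP still accepts is revoked: a password
        change alone does not invalidate a stolen cookie.
      * Accounts without enforced MFA get it, so the next leak is worth less.
    """
    directory = {a.email.lower(): a for a in accounts}
    result: Dict[str, List[str]] = {}
    for leak in leaks:
        email = leak.email.lower()
        if email.rsplit("@", 1)[-1] not in CORPORATE_DOMAINS:
            continue  # personal account, outside our control
        account = directory.get(email)
        actions: List[str] = []
        if account is None:
            actions.append("verify account against directory")
        else:
            if account.password_changed <= leak.observed:
                actions.append("rotate password")
            if leak.session_id and leak.session_id in account.active_sessions:
                actions.append(f"revoke session {leak.session_id}")
            if not account.mfa_enforced:
                actions.append("enforce MFA")
        # Merge if the same address appears in several logs; an empty list means
        # the leak is already worthless to a buyer.
        merged = result.setdefault(email, [])
        merged.extend(a for a in actions if a not in merged)
    return result


# Constructed sample data: an IdP export and a leak feed as they might be ingested.
ACCOUNTS = [
    Account("alice@example-corp.test", datetime(2025, 11, 1), True, ("s-1001",)),
    Account("bob@example-corp.test", datetime(2025, 6, 15), False, ("s-2002", "s-2003")),
]
LEAKS = [
    # Password rotated after the log surfaced, but the stolen session is still live.
    LeakRecord("alice@example-corp.test", datetime(2025, 10, 20), "s-1001"),
    # Password older than the leak and no MFA: the classic high-value log entry.
    LeakRecord("bob@example-corp.test", datetime(2025, 10, 20)),
    # Corporate address unknown to the directory: a shadow or departed account.
    LeakRecord("carol@example-corp.test", datetime(2025, 10, 20)),
    # Personal mailbox: not ours to act on.
    LeakRecord("dave@personal-mail.test", datetime(2025, 10, 20), "x-1"),
]

if __name__ == "__main__":
    for email, actions in triage(ACCOUNTS, LEAKS).items():
        print(f"{email}: {', '.join(actions) or 'no action needed'}")
```

In a real deployment the two inputs would come from the identity provider's API and a commercial or open leak-monitoring feed; the decision logic stays the same, and the output feeds the ticketing or automation system that performs the rotation and session revocation.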
Analysis by Vasily Kononov – Threat Intelligence Lead, CYBEROO