
In recent years, there has been a structural and barely visible transformation in the cyber threat ecosystem: info-stealers, malware designed to exfiltrate credentials, session cookies, crypto wallets, and other specific artifacts, have moved beyond the stage of being artisanal tools used by individual threat actors. Today, they represent Malware-as-a-Service solutions, equipped with monthly licensing, dedicated support, web-based management interfaces, and well-organized distribution pipelines.


New business model

The criminal groups that develop these stealers have adopted a typical “as-a-Service” approach, replicating dynamics from the SaaS world:

  • Access to web-based control panels, with advanced filtering and search capabilities;
  • Ability to generate custom builds of malware (EXE, DLL, etc.);
  • Telegram bots for real-time reception of exfiltrated data;
  • Technical support channels and constant updates.

The end user—often with little technical expertise—can easily manage large-scale malicious campaigns, aiming to steal data from thousands of infected machines.

Prices and features

Stealer       Monthly price   Key features
LummaC2       $250            Focus on cryptocurrency, web panel, Telegram API
Stealc        $300            Hosting on TOR, sending logs via bot
Vidar         $200            Panel with advanced search by domain/service
RisePro       $120            Support for additional modules, wallets, loaders
MetaStealer   $350            Target: M365 sessions, browser cookies

Data as of 2025. The subscription cost often includes updates, antivirus bypasses, and assistance with any operational issues.


What is stolen

The exfiltrated information is highly sensitive and may include:

  • Company email credentials, VPN, CRM, collaborative tools (Teams, Slack);
  • Session cookies from Chromium-based browsers (Chrome, Edge, Brave);
  • Active Telegram sessions, often still valid;
  • Crypto wallets (MetaMask, Exodus, Atomic Wallet);
  • Autofill with banking and personal data.

These logs are then organized by country, domain, or service, and resold on Telegram channels or underground marketplaces.
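Because the logs are sorted by domain and service, the first incident-response step after obtaining a dump that mentions your organisation is to find every record that touches a corporate host or a corporate mailbox, without spreading the passwords any further. The following triage script is an added example and not part of the original analysis or any CYBEROO tool; it assumes the common plain-text layout in which each record is a block of `URL:` / `USER:` / `PASS:` lines, and the domain `example.com` and the sample records are constructed placeholders.

```python
"""Triage a stealer log for accounts that belong to your organisation.

Added example, not from the original article. The URL:/USER:/PASS: block
layout, the corporate domain and every record below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Placeholder for the organisation's own domains (assumption for this example).
CORP_HOST_SUFFIX = "example.com"
CORP_EMAIL_DOMAINS = {"example.com"}

# Constructed sample dump: three corporate records and one unrelated one.
SAMPLE_DUMP = """\
URL: https://login.microsoftonline.com/
USER: alice@example.com
PASS: hunter2

URL: https://vpn.example.com/remote/login
USER: bob
PASS: Winter2025!

URL: https://app.slack.com/
USER: carol@example.com
PASS: xyz

URL: https://www.facebook.com/login
USER: someone@gmail.com
PASS: private
"""

RECORD_RE = re.compile(
    r"URL:\s*(?P<url>\S+)\s*\n\s*USER:\s*(?P<user>\S+)\s*\n\s*PASS:\s*(?P<pw>.*)"
)


def parse_dump(text):
    """Split the dump into records; the password is parsed but never re-emitted."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]


def is_corporate(rec):
    """A record matters if the service host is ours or the user is a corporate mailbox."""
    host = (urlparse(rec["url"]).hostname or "").lower()
    user = rec["user"].lower()
    on_corp_host = host == CORP_HOST_SUFFIX or host.endswith("." + CORP_HOST_SUFFIX)
    corp_mailbox = any(user.endswith("@" + d) for d in CORP_EMAIL_DOMAINS)
    return on_corp_host or corp_mailbox


def triage(text):
    """Return {service_host: [usernames]} for the organisation's exposure.

    Passwords are deliberately dropped so the result can go straight to the
    helpdesk as a reset / session-revocation list.
    """
    hits = defaultdict(list)
    for rec in parse_dump(text):
        if is_corporate(rec):
            hits[urlparse(rec["url"]).hostname].append(rec["user"])
    return dict(hits)


if __name__ == "__main__":
    for host, users in triage(SAMPLE_DUMP).items():
        print(f"{host}: revoke sessions and reset {', '.join(users)}")
```

The output is a per-service list of accounts to force-reset and whose sessions to revoke; the third record shows why matching on the mailbox domain matters, since a Slack login says nothing about the company in its URL.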


Sales channels

The secondary market is booming:

  • Dedicated Telegram channels with automated bots for purchasing logs filtered by country/sector;
  • Forums such as Exploit or XSS with “verified” sellers offering daily dumps;
  • Operators offering “fresh” access to corporate infrastructure via cookies/sessions.

This is no longer a matter of individual dumps on Pastebin: it is a supply chain.


Reasons for non-detection

Stealer-as-a-Service easily evades security controls thanks to sophisticated techniques and seemingly legitimate traffic:

  • The executable file is downloaded from the browser, often with legitimate names;
  • Stolen cookies are often unencrypted and allow direct access to corporate portals;
  • Traffic to Telegram or CDN is considered legitimate by many firewalls and proxies;
  • The malware uses packers, crypters, and anti-analysis techniques, making detection difficult even for modern EDRs.


What a company must do

To counter these threats, companies must adopt proactive and targeted defense measures:

  • Implement 24/7 active monitoring and response systems (MDR);
  • Implement session controls and alerts for abnormal logins, even without passwords;
  • Disable or restrict the use of Telegram Desktop on corporate endpoints;
  • Adopt strong MFA (FIDO2) to protect even in the event of cookie theft;
  • Monitor Telegram channels and the dark web for activities related to your domain.
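The second point deserves a concrete shape: when a buyer replays a stolen cookie there is no failed login and no password event, so the only signal is the session itself being used from a different network or browser than the one that created it, or long after it should have been retired. The detection below is an added example, not code from the article or from CYBEROO; it assumes an access log in JSON-lines form with the fields `ts`, `user`, `session_id`, `src_ip`, `asn` and `user_agent`, and the log lines are constructed.

```python
"""Flag session-cookie replay from an access log.

Added example, not from the original article. The JSON-lines field names
and every log line below are constructed for this demonstration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log: alice's session is replayed from another ASN and
# browser eleven minutes after it was created; bob's session is reused a
# full day later from the original client.
SAMPLE_LOGS = """\
{"ts": "2025-03-01T08:00:00Z", "user": "alice", "session_id": "s-7f3a", "src_ip": "203.0.113.10", "asn": 64500, "user_agent": "Chrome/123 Windows"}
{"ts": "2025-03-01T08:05:00Z", "user": "alice", "session_id": "s-7f3a", "src_ip": "203.0.113.10", "asn": 64500, "user_agent": "Chrome/123 Windows"}
{"ts": "2025-03-01T08:11:00Z", "user": "alice", "session_id": "s-7f3a", "src_ip": "198.51.100.77", "asn": 64999, "user_agent": "Firefox/124 Linux"}
{"ts": "2025-03-01T09:00:00Z", "user": "bob", "session_id": "s-91c2", "src_ip": "192.0.2.5", "asn": 64500, "user_agent": "Edge/123 Windows"}
{"ts": "2025-03-02T09:00:00Z", "user": "bob", "session_id": "s-91c2", "src_ip": "192.0.2.5", "asn": 64500, "user_agent": "Edge/123 Windows"}
"""

# Sessions older than this should have been re-authenticated; reuse beyond it
# is suspicious on its own (assumed policy value).
MAX_SESSION_AGE = timedelta(hours=12)


def parse_logs(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def fingerprint(event):
    """Network origin plus browser; a stolen cookie rarely travels with both."""
    return (event["asn"], event["user_agent"])


def detect_session_replay(events):
    """Return one alert per event that reuses a session from a new fingerprint
    or after MAX_SESSION_AGE, keyed on the session id rather than the user."""
    first_seen = {}   # session_id -> (created_at, fingerprint, src_ip)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        sid = e["session_id"]
        if sid not in first_seen:
            first_seen[sid] = (ts, fingerprint(e), e["src_ip"])
            continue
        created, fp0, ip0 = first_seen[sid]
        if fingerprint(e) != fp0:
            alerts.append({"rule": "session_fingerprint_mismatch", "user": e["user"],
                           "session_id": sid, "original_ip": ip0,
                           "new_ip": e["src_ip"], "ts": e["ts"]})
        if ts - created > MAX_SESSION_AGE:
            alerts.append({"rule": "stale_session_reuse", "user": e["user"],
                           "session_id": sid, "age_hours": (ts - created) / timedelta(hours=1),
                           "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_session_replay(parse_logs(SAMPLE_LOGS)):
        print(f"[{a['rule']}] user={a['user']} session={a['session_id']} at {a['ts']}")
```

The natural response to the first rule is to revoke the session and require a fresh FIDO2 authentication, which is exactly the case the MFA recommendation above is meant to cover; the second rule is the policy backstop that limits how long an exfiltrated cookie stays useful at all.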


Final thoughts

Stealer-as-a-Service is clear evidence of the growing industrialization of cybercrime. Stealers are no longer simple malicious payloads, but actual SaaS artifacts, distributed through illicit marketplaces with support, updates, and subscription models. Ignoring this evolution means underestimating fileless and low-noise threats, which evade traditional detection engines by abusing valid sessions, and the persistence those sessions grant, within the corporate perimeter.

The reality? You may already be in a stealer’s exfiltration logs, even if no IOCs have been detected by your current defense systems.

Analysis by Vasily Kononov – Threat Intelligence Lead, CYBEROO