
What Is an Infostealer? Malware That Steals Passwords & Cookies

Even with two-factor turned on, a stolen browser session can open the door. Here's what infostealer malware grabs — and how to make yourself a harder target.

Cybersecurity for Beginners · Jun 17, 2026 · updated Jun 15, 2026
Table of contents
  1. How an infostealer ends up on a computer
  2. What it actually steals
  3. Why cookies are the sensitive part
  4. A VPN does not stop an infostealer
  5. How to make yourself a harder target
  6. Bottom line

You can have a strong, unique password and two-factor authentication switched on, and still get caught out — because some malware doesn't need your password at all. An infostealer is a type of program designed to quietly copy the secrets already sitting on your computer: saved passwords, browser data, and the session tokens that keep you logged in. Then it sends them to whoever is running it.

Security researchers see this as one of the most important threats for ordinary people and small businesses. Mandiant's M-Trends 2026 report describes stolen credentials and hijacked sessions as a central way attackers get their initial foothold, and ENISA's 2025 Threat Landscape highlights credential and data theft as a defining feature of today's cybercrime. The reason it matters to you: stolen access changes hands fast, so a quiet infection today can become a hijacked account tomorrow.

This is a plain explainer — what an infostealer is, what it takes, and how to defend. No instructions for misusing any of this.

How an infostealer ends up on a computer

In general terms, an infostealer is a file that runs on your device after you're tricked into opening it. Common routes are the same ones behind most malware: a convincing email or message attachment, a fake "update" or pirated app, a malicious ad, or a download dressed up as something legitimate. You don't see anything dramatic happen — that's the point. It does its job in seconds and often deletes itself.

Because the delivery is social — it relies on talking you into running something — your behaviour is a real part of the defence, not just your software.

What it actually steals

The value of an infostealer is in what your browser and apps store for convenience. That convenience is exactly what gets copied.

| What it can take | Why it matters |
|---|---|
| Saved passwords in the browser | Direct logins to email, banking, shopping and work accounts |
| Session cookies / tokens | Can let an attacker reuse a login without the password — and sometimes past two-factor |
| Autofill data | Names, addresses, phone numbers used for fraud or targeted scams |
| Saved card details | Payment fraud |
| Crypto-wallet files | Direct, often irreversible theft of funds |
| Browser history & bookmarks | Maps which banks and services you use, to focus the next attack |

Why cookies are the sensitive part

This is the bit most people miss. When you log in and tick "keep me signed in," the site hands your browser a session cookie — a token that says "this device is already logged in, don't ask again." It's what stops you re-entering your password and two-factor code every single visit.

If an infostealer copies that cookie, an attacker can sometimes load it into their own browser and step straight into your session — skipping the password and the two-factor prompt, because as far as the service is concerned you already passed both. Mandiant's analysts specifically call out the harvesting of session cookies and long-lived login tokens as a way modern attacks slip past two-factor. That's the honest reason a strong password alone isn't enough: it protects the front door, but a stolen session can walk in through a door you already opened.

This is not a reason to turn off two-factor — keep it on, it still blocks the most common attacks. It's a reason to also stop the malware that steals sessions in the first place.

A VPN does not stop an infostealer

Let's be clear, because it's a common misunderstanding: a VPN will not protect you from an infostealer. A VPN encrypts your traffic and hides it from your internet provider or the local network — genuinely useful on public, hotel and café Wi-Fi, when travelling, or for keeping browsing private from your ISP. But an infostealer runs on your device, reading files that are already decrypted in front of you. The VPN tunnel is irrelevant to a program sitting inside the computer. A VPN is a privacy layer for untrusted networks; it is not antivirus, and it does not stop malware, phishing or account takeover.

How to make yourself a harder target

Defence here is about not running the malware, and limiting the damage if something slips through.

  1. Keep your system and browser updated. Updates close the holes malware relies on. Turn on automatic updates.
  2. Run reputable security software and let it scan. This is the layer actually aimed at malware on the device.
  3. Be wary of attachments, "updates" and cracked software. Most infostealers arrive disguised as something you wanted. When in doubt, don't open it; get the app from the official source.
  4. Use a dedicated password manager instead of saving passwords in the browser. A good manager keeps your vault encrypted and locked, rather than in the easy-to-copy spots an infostealer targets first.
  5. Keep two-factor on — and prefer passkeys or an authenticator app over SMS where you can. It still stops the bulk of attacks.
  6. Sign out of sensitive accounts when you're done, and use the "log out of all sessions" option after any malware scare. That invalidates stolen cookies.
  7. If you think you were hit: from a different, clean device, change your important passwords, sign out everywhere, and review banking and email account activity.
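
Why a copied session cookie is accepted without the password or two-factor, and why "log out of all sessions" makes it useless, shown as an added example that is not part of the original article. It is a toy server-side session table in Python; the class, method and user names are hypothetical and the service is a constructed model, not any real site's code.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Toy server-side session table (constructed model, not a real service)."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # sha256(token) -> (user, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, password_ok, second_factor_ok, now=None):
        """Password and two-factor are checked only here, once, at sign-in."""
        if not (password_ok and second_factor_ok):
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # value placed in the session cookie
        self._sessions[self._digest(token)] = (user, now + self.ttl)
        return token

    def whoami(self, cookie, now=None):
        """Later requests present only the cookie: no password, no two-factor."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._digest(cookie))
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

    def logout_everywhere(self, user):
        """'Log out of all sessions': drop every token issued to this user."""
        stale = [k for k, (u, _) in self._sessions.items() if u == user]
        for k in stale:
            del self._sessions[k]
        return len(stale)


def demo():
    store = SessionStore(ttl_seconds=3600)
    cookie = store.login("alice", True, True, now=0)
    copied = str(cookie)                       # a copy of the cookie value
    before = store.whoami(copied, now=60)      # accepted: it is a bearer token
    expired = store.whoami(copied, now=3600)   # rejected: past its lifetime
    revoked = store.logout_everywhere("alice")
    after = store.whoami(copied, now=60)       # rejected: token no longer exists
    return before, expired, revoked, after
```

The server cannot tell the original cookie from a copy, so the only controls it has are the token's lifetime and revocation, which is what signing out everywhere triggers.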

Bottom line

  • An infostealer quietly copies saved passwords, browser data and session cookies, then hands them off fast — which is why stolen access fuels so much of today's cybercrime.
  • Because a stolen session cookie can sometimes bypass even two-factor, a strong password alone isn't the whole story: keep two-factor on, but also stop the malware.
  • A VPN does not help here — the threat is software running on your device. Updates, reputable security software, a password manager and caution with downloads are what move the needle.
