From Cookies to Keys: The Threat of Session Hijacking

This report examines the growing threat of infostealer malware and session hijacking between 2020–2025: attackers harvest browser session tokens, cookies, developer tokens and vault exports, sell them on underground markets, and use automated session replay tools to bypass logins and MFA, enabling rapid lateral movement, data theft, and escalation to ransomware or extortion; the document also maps the infostealer add-on economy, describes common attacker tools and workflows, and provides mitigation guidance such as short-lived tokens, secure cookie flags, anomalous-behavior monitoring, MFA, canary credentials, and user education.