The Infostealer Pipeline: How Russian Market Fuels Credential-Based Attacks
ID: 7f31cd22-44ab-5924-bb7a-64e8ebcd3fcd
STIX ID: report--7f31cd22-44ab-5924-bb7a-64e8ebcd3fcd
Feed Name: ReliaQuest Blog
ReliaQuest analyzed Russian Market—the prominent underground marketplace for stolen credentials—and found massive-scale credential theft (millions of logs and hundreds of thousands of alerts), dominance of commercial infostealers (notably Lumma and the emerging Acreed), common infection and persistence TTPs (writable directories, script/archive obfuscation, hidden payloads, living-off-the-land, registry/scheduled-task persistence), and marketplace issues such as recycled or fake logs; the report includes a January 2025 Lumma incident in which rapid detection and containment prevented exfiltration, and it recommends defensive controls and automated playbooks to block infostealer activity early.
