A Quick Look at Common Malware Families
Malware (malicious software) covers a wide range of tools used by cybercriminals to steal data, make money and disrupt systems. For Selki, the most relevant families are those that lead directly to credential theft and account takeover, especially infostealers and banking trojans.
This article gives a quick overview of common malware families and then focuses on the infostealers that matter most for credential exposure.
1. Main Malware Families (High-Level Overview)
Below are some of the most important malware categories you will see mentioned in threat reports:
| Family | What it does (high level) |
|---|---|
| Infostealers | Steal credentials, cookies, tokens, autofill data and system info, often silently. |
| Banking trojans | Target online banking, fintech and payment apps; steal credentials and perform fraud. |
| Ransomware | Encrypt files or systems and demand payment (ransom) for decryption. |
| RATs (Remote Access Trojans) | Give attackers remote control of infected machines (keylogging, screen, files). |
| Loaders / Downloaders | Install or “load” other malware (ransomware, infostealers, trojans). |
| Spyware | Monitor user activity, keystrokes, messages and communications. |
| Botnets | Large networks of infected devices used for spam, DDoS, credential stuffing and more. |
In today’s threat landscape, infostealers, banking trojans and ransomware dominate most criminal intrusions. These are also the families that most often lead to credential leaks and identity abuse.
2. Why Infostealers Deserve Special Attention
Unlike ransomware, which is noisy and disruptive, infostealers are quiet and fast. They focus on harvesting:
- Saved browser passwords
- Session cookies and authentication tokens
- Autofill data (emails, names, addresses, IDs)
- Crypto wallet keys and extensions
- VPN / RDP / email credentials
- System fingerprints (IP, OS, security tools)
Many infostealers run for just a few seconds, exfiltrate all data, then delete themselves or remain dormant. The stolen data is then packaged into so-called “stealer logs” and sold in bulk in underground markets.
For organizations, this leads directly to:
- Account Takeover (ATO) of employees, admins and customers
- Fraud in financial and e-commerce platforms
- Lateral movement into internal systems
- Exposure of sensitive portals (VPN, email, HR, ERPs, etc.)
3. Common Infostealer Families
Here are some of the most relevant infostealers active in recent years:
- Raccoon
Easy-to-use, sold as Malware-as-a-Service (MaaS). Widely used to steal browser credentials and autofill data.
- RedLine
One of the most popular stealers, often spread via fake software installers and phishing emails. Grabs passwords, cookies and crypto wallets.
- Vidar
Lightweight infostealer distributed through malvertising and cracked software. Frequently used as part of larger campaigns.
- Lumma
Known for rapid development and strong focus on Chromium-based browsers and password managers.
- RisePro / Meta / Stealc (successor families)
Newer stealers that evolved from earlier codebases, adding better evasion and broader data collection, including session hijacking.
- Aurora
Stealer with loader capabilities, used both to exfiltrate credentials and to deliver additional payloads.
- Atomic Stealer (AMOS) & MetaStealer (macOS)
Infostealers designed to target macOS, focusing on browser credentials and crypto wallets.
New families appear regularly, but the core behavior remains the same: steal identity-related data, then resell or use it for further attacks.
4. Spotlight: How RedLine Works (Example)
RedLine is a good example of a modern, high-impact infostealer.
What it steals
- Saved browser credentials
- Cookies and session tokens (can bypass logins)
- Credit card data stored in the browser
- Crypto wallet files and browser extensions
- System information (IP, OS, installed security tools)
How it spreads
- Phishing emails with malicious attachments or links
- Fake installers / cracked software downloads
- Malicious ads (malvertising) leading to drive-by downloads
- Links shared through Discord, Telegram and other messaging platforms
Why it is dangerous
- Fast exfiltration: in many cases, data is stolen within seconds of infection.
- Credential resale: stolen data is packaged as logs and sold to multiple buyers.
- Session hijacking: cookies and tokens allow login to systems without knowing the password.
- Long-tail risk: data might be abused weeks or months after the initial infection.
5. Banking Trojans, Loaders and the Credential Threat
Infostealers do not act alone. Other malware frequently works together with them:
- Banking trojans can overlay banking apps, capture credentials in real time and even automate fraudulent transactions.
- Loaders / droppers deliver infostealers or ransomware as a second stage, often after an initial phishing campaign.
- RATs provide persistent remote access after initial credential theft.
As a result, a single phishing email or malicious download can lead to a chain of events:
user clicks → malware installs → credentials stolen → logs sold → ATO / fraud / internal compromise.
6. How Selki Helps Against Infostealer and Malware-Driven Risk
Selki is focused on what happens after credentials are stolen — the part most organizations struggle to see.
A. Continuous Monitoring of Exposed Credentials
Selki continuously scans:
- Dark web marketplaces
- Underground forums and Telegram channels
- Stealer log dumps and leak sites
to identify credentials, tokens and sessions associated with your:
- Corporate domains
- Customer accounts
- High-value users and admins
When something appears, you get an actionable alert — not months later in a generic breach list.
B. Linking Malware Activity to Business Risk
Because many exposures originate from infostealers, banking trojans or loaders, Selki helps you:
- See which accounts are affected (employees, VIPs, customers)
- Understand how severe the exposure is (admin / privileged / sensitive roles)
- Prioritize which users and systems to protect first
C. Supporting Response & Hardening
Based on the exposures Selki detects, typical actions include:
- Forcing password resets and invalidating sessions
- Enforcing or tightening MFA/passkeys for affected users
- Reviewing VPN, email and admin access used by exposed accounts
- Updating awareness content (e.g., showing real phishing examples that led to infections)
Selki’s Smart Reporting and Security Awareness features help translate technical findings into clear actions for security, IT and leadership teams.
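To make the monitoring, prioritization and response steps in section 6 concrete, here is an added illustration (not Selki's code) of how exposed-credential records can be triaged: records are matched against monitored domains, ranked by the role of the account and the sensitivity of the portal, and mapped to the response actions listed above. The record layout, the domain list, the privileged-account list and the portal prefixes are assumptions made for this example, and all values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records (fake values) in a simplified "url|account|password"
# layout; real stealer logs vary by family. Assumed format for this example.
SAMPLE_LOG = """\
https://shop.example.com/account|customer42@mail.test|pw123
https://vpn.example.com/login|j.doe@example.com|Spring2025!
https://unrelated.site/|someone@other.test|x
https://mail.example.com/|admin@example.com|hunter2
"""

MONITORED_DOMAINS = {"example.com"}              # corporate domains (assumed)
PRIVILEGED_ACCOUNTS = {"admin@example.com"}      # admins / high-value users (assumed)
SENSITIVE_PORTALS = ("vpn.", "mail.", "hr.", "erp.")  # portal prefixes (assumed)
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Exposure:
    account: str
    host: str
    severity: str
    actions: tuple


def classify(url: str, account: str) -> Optional[Exposure]:
    """Return an Exposure if the record touches a monitored asset, else None.
    Severity order: privileged user > sensitive portal > employee > customer."""
    host = url.split("/")[2].lower()
    corp_site = any(host == d or host.endswith("." + d) for d in MONITORED_DOMAINS)
    corp_user = account.split("@")[-1].lower() in MONITORED_DOMAINS
    if not (corp_site or corp_user):
        return None
    actions = ["force password reset", "invalidate active sessions"]
    if account.lower() in PRIVILEGED_ACCOUNTS:
        severity = "critical"
        actions += ["review admin access", "enforce MFA/passkeys"]
    elif corp_site and host.startswith(SENSITIVE_PORTALS):
        severity = "high"
        actions += ["review VPN/email access", "enforce MFA/passkeys"]
    elif corp_user:
        severity = "medium"
        actions.append("enforce MFA/passkeys")
    else:
        severity = "low"  # customer account on a monitored portal
    return Exposure(account.lower(), host, severity, tuple(actions))


def triage(log_text: str) -> List[Exposure]:
    """Parse records, discard the password field immediately, rank by severity."""
    found = []
    for line in log_text.splitlines():
        if line.count("|") != 2:
            continue  # skip malformed lines instead of failing the whole batch
        url, account, _secret = line.split("|", 2)  # _secret is never stored or logged
        exposure = classify(url, account)
        if exposure:
            found.append(exposure)
    return sorted(found, key=lambda e: RANK[e.severity])
```

The password column is dropped at parse time so the triage output contains only the account, the affected host and the recommended actions.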
7. Best Practices to Reduce Malware & Infostealer Risk
Even with Selki, it is important to maintain strong basic hygiene:
- Keep operating systems and applications patched and up to date.
- Avoid cracked or pirated software; prefer official sources only.
- Use reputable EDR/antivirus solutions and keep them updated.
- Enforce least privilege and strong access control internally.
- Train users regularly on phishing and social engineering.
- Enforce MFA or passkeys across critical systems and accounts.
- Monitor for exposed credentials and act quickly when they appear.
8. Summary
Malware comes in many forms, but a few families dominate today’s threat landscape — especially infostealers, banking trojans and ransomware. For organizations that depend on user logins and online portals, credential theft is often the most immediate and damaging consequence.
Selki was built to address exactly this problem: we continuously monitor for exposed credentials and sessions linked to your organization so you can react early, prevent account takeover and strengthen your overall security posture.
If you would like to run a credential exposure check or learn more, contact us at support@selki.io.
Updated on: 27/11/2025