48 Hours: The Window Between Infostealer Infection and Dark Web Sale

New research maps the full infostealer lifecycle. Your credentials go from an employee’s device to an underground marketplace in less time than it takes your security team to notice anything is wrong.

On March 24, 2026, researchers at Whiteintel’s Intelligence Division published a detailed map of the full infostealer lifecycle, tracing the exact sequence from initial malware infection to the moment stolen corporate credentials appear for sale on dark web marketplaces. Their conclusion is stark: that window is 48 hours or less. In many cases, significantly less.

For most enterprise security teams, 48 hours is nowhere near enough time. The average organization takes days or weeks to detect a breach, and traditional detection frameworks are built around network intrusions, endpoint alerts, and malware signatures. Infostealers operate entirely outside all three.

The result is a structural blind spot that the underground economy has industrialized. One bad download, one malicious ad click, one compromised contractor device, and a full package of credentials, session tokens, VPN access, and cloud account keys is harvested, packaged, priced, and sold before your SOC has any indication something went wrong.


The Five Stages Security Teams Cannot See

The Whiteintel research charts the infostealer lifecycle in five distinct phases, each tightly compressed and designed to evade conventional detection.


  • Hours 0 to 2: Infection. The attack begins outside your security perimeter. An employee downloads what looks like legitimate software, a cracked productivity tool, a free plugin, a gaming cheat, a YouTube tutorial directing them to an executable. A contractor clicks through a malvertising campaign on a legitimate website. A software update from a trusted third-party vendor carries an embedded payload. Common infostealer families at this stage include Lumma, RedLine, Vidar, Raccoon Stealer, and StealC, many of which are sold as Malware-as-a-Service for as little as $100 to $200 per month. Once executed, the malware runs silently and quickly.
  • Hours 2 to 12: Harvest. The infostealer immediately begins targeting browser credential databases stored in SQLite files, active session cookies, saved passwords, VPN configurations, SSH keys, cloud service tokens, and cryptocurrency wallet data. The harvest takes minutes. Modern infostealers are engineered to self-delete after completing the job, removing nearly all forensic trace before antivirus or EDR tools detect anomalous behavior. What is particularly dangerous is the session cookie. When a user logs into any service and selects ‘remember me,’ the browser stores a session token. Infostealers steal those tokens. An attacker who holds a valid session token can access the account without ever entering a password or MFA code.
  • Hours 12 to 24: Packaging. The stolen data is compressed into what the underground economy calls a log: a structured package containing credentials, session tokens, URLs, hardware identifiers, and system metadata. Constella’s 2026 Identity Breach Report processed 51.7 million of these packages in 2025 alone, a 72% year-over-year increase. Of those, 98.6% contained active passwords and 99.54% included the specific URLs where those credentials were used, providing attackers a direct, automated roadmap to each account.
  • Hours 24 to 48: Marketplace listing. The packaged log is uploaded to dark web marketplaces including Russian Market and 2easy, which specialize in credential sales and emphasize freshness. Logs from infections within the past 24 to 48 hours command premium prices precisely because session tokens have not yet expired. Individual logs sell for $5 to $50 depending on the access they contain. Enterprise credentials with VPN or SSO access can sell for hundreds of dollars. Initial access brokers purchase them and resell curated packages to ransomware operators for tens of thousands.
  • After 48 hours: Exploitation. Attackers use automated credential stuffing tools to test logins across services. Valid session tokens are imported directly into attacker browsers, granting immediate authenticated access to corporate email, cloud infrastructure, SaaS platforms, and internal systems. In many documented cases, ransomware deployment follows within 48 hours of the credential appearing on the marketplace, meaning the entire chain from infection to encrypted network can complete in under four days.


The Scale Is Not Theoretical

The infostealer threat is not a niche concern or an edge case. It is the primary engine of modern enterprise compromise.

Constella processed 51.7 million infostealer packages in 2025, identifying 24.8 million unique infected devices. Those packages contained 2.3 billion stolen passwords and 2.3 billion harvested URLs. Flare Research, publishing in February 2026, found that more than one in ten infostealer infections in 2025 already contained enterprise Single Sign-On or Identity Provider credentials, with that rate climbing toward one in five as organizations consolidate authentication around centralized platforms like Microsoft Entra ID, Okta, and AWS IAM Identity Center.

The convergence pattern is documented and consistent. Verizon’s 2025 Data Breach Investigations Report found that 54% of ransomware victims had their domain credentials appear in stealer log marketplaces before the ransomware attack. The credential exposure was not the attack. It was the warning sign that organizations had no visibility into.

CYFIRMA researchers, tracking the infostealer-to-ransomware pipeline in early 2026, found that ransomware execution commonly occurs within 48 hours of credentials appearing on underground markets. The infection, the harvest, the sale, and the deployment of ransomware can all complete before a security team finishes its weekly threat review.


Why Traditional Security Controls Miss This Entirely

Every phase of the infostealer lifecycle is specifically engineered to avoid the controls that enterprise security programs rely on.

  • EDR and antivirus tools look for malware signatures and behavioral anomalies on managed corporate devices. Infostealers frequently infect personal laptops, home computers, and contractor devices that have no EDR coverage and no corporate visibility.
  • Network monitoring looks for unusual traffic patterns from inside the corporate perimeter. Infostealers exfiltrate data from outside the perimeter before any corporate system is touched.
  • MFA protects the authentication event. It does not protect an active session cookie that was already stolen. An attacker using a valid stolen session token inherits the authenticated state entirely, appearing to systems as the legitimate user on a recognized device.
  • Breach notification and incident response frameworks are built around post-compromise discovery. The infostealer timeline compresses from compromise to active exploitation faster than most incident response playbooks can mobilize.


The Whiteintel research puts it plainly: by the time a security operations center gets any alert, the stolen data is already packaged, priced, and sitting on a dark web marketplace waiting for a buyer.


The 48-Hour Window Is the Intelligence Opportunity

There is a window between when credentials appear on the marketplace and when they are purchased and exploited. Research from multiple sources confirms that window is typically 24 to 72 hours before active exploitation begins. That is the window Constella is built to operate in.

Constella’s Infostealer Sentinel continuously monitors dark web marketplaces, underground forums, Telegram channels, and initial access broker networks for exposure of corporate credentials, employee identities, and session data. When an employee’s credentials appear in a stealer log package, Constella identifies the exposure and delivers an alert with full context: the source, the specific credentials compromised, the URLs targeted, and the associated risk score.

That alert allows security teams to act during the window that matters:

  • Force immediate credential rotation and session invalidation for the affected account before an attacker can purchase and use the log
  • Investigate the compromised device to identify the infection vector and prevent lateral spread
  • Identify other accounts that may have been harvested in the same log package
  • Notify downstream teams of the exposure before a ransomware operator acts on the purchased access
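One way to turn such an alert into the ordered actions above, as an added example that is not Constella's code or API: it assumes a simplified CSV-like stealer-log layout and a list of corporate hosts (both constructed here), ranks SSO and VPN exposures first, adds session revocation wherever a live cookie was taken, lists every corporate identity in the same log package, and reports how much of the 48-hour infection-to-listing window is left.

```python
from urllib.parse import urlparse
SALE_WINDOW_HOURS = 48  # infection-to-marketplace-listing window from the research

# Assumed: the organization's identity-bearing hosts and the access each grants.
# SSO and VPN are the entries that sell for hundreds of dollars to access brokers.
CORP_HOSTS = {
    "sso.example.com": "critical",   # IdP: one session unlocks every federated app
    "vpn.example.com": "critical",   # remote network access
    "mail.example.com": "high",
    "wiki.example.com": "medium",
}
# Constructed sample log (real logs carry far more fields). Columns: url,user,cookie
SAMPLE_LOG = """\
https://sso.example.com/login,jdoe@example.com,yes
https://vpn.example.com/,jdoe@example.com,no
https://shop.example.net/account,jdoe@gmail.com,yes
https://mail.example.com/owa,asmith@example.com,yes
https://wiki.example.com/,asmith@example.com,no
"""

def parse_log(text):
    """Parse the assumed CSV-like log into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        url, user, cookie = parts
        rows.append({"host": (urlparse(url).hostname or "").lower(),
                     "user": user.strip().lower(), "session": cookie.strip() == "yes"})
    return rows

def plan_response(log_text, hours_since_infection):
    """Return (hours left before listing, actions); actions are ordered critical-first
    so SSO/VPN password rotation and session revocation run before anything else."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    actions = []
    for r in parse_log(log_text):
        sev = CORP_HOSTS.get(r["host"])
        if sev is None:
            continue  # personal or third-party account: not the SOC's to rotate
        actions.append((rank[sev], r["user"], r["host"], "rotate_password"))
        if r["session"]:  # MFA does not cover this: a live cookie replays the login
            actions.append((rank[sev], r["user"], r["host"], "revoke_sessions"))
    actions.sort()
    return SALE_WINDOW_HOURS - hours_since_infection, [a[1:] for a in actions]

def affected_users(log_text):
    """Every corporate identity harvested in the same log package."""
    return sorted({r["user"] for r in parse_log(log_text) if r["host"] in CORP_HOSTS})
```

A negative hours-left value means the log is assumed to be listed already and the actions should run regardless, since the 24-to-72-hour purchase window may still be open.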


Most dark web monitoring tools scan known public forums for keyword mentions. Constella’s data lake holds 54.6 billion records built over 15 years, with agentic AI continuously hunting new adversary channels, transient dump sites, and private marketplace infrastructure that surface-level tools never reach. In 2025, our automated agents hunted 159% more breaches than the prior year, providing earlier visibility into the exact credential exposures that precede enterprise compromise.


What Security Teams Should Do Now

The infostealer threat requires a different posture than traditional breach response. The compromise has already happened by the time you find out about it. The question is whether you find out during the window when action still matters.

  • Treat infostealer exposure as a ransomware precursor, not a credential hygiene problem. 54% of ransomware victims had domain credentials in stealer logs before the attack. Identifying that exposure is an early warning, not a cleanup task.
  • Extend monitoring beyond the corporate perimeter. Infostealers infect personal and contractor devices. Your monitoring program needs visibility into exposure that originates outside your managed environment.
  • Implement continuous dark web credential monitoring. Static breach feed tools that scan known repositories miss the dynamic, transient marketplace where infostealer logs are actively sold. Real-time monitoring is the only way to close the 48-hour gap.
  • Replace session-based MFA with phishing-resistant authentication where possible. Hardware-bound FIDO2 keys and passkeys bind credentials cryptographically to the login origin. A stolen session cookie cannot be used to replay the authentication event, breaking the infostealer’s primary bypass mechanism.
  • Establish immediate response protocols for credential exposure alerts. The window between marketplace listing and active exploitation is measured in hours. Response procedures need to match that timeline, not a standard five-day incident triage cycle.


The Bigger Picture

The industrialization of credential theft is not slowing down. Infostealer Malware-as-a-Service is cheap, scalable, and increasingly multi-function, with newer families adding persistence, lateral movement, and ransomware deployment capabilities alongside credential harvesting. Flare Research projects that one in five infections could expose enterprise credentials by Q3 2026 as attackers target organizations that have consolidated authentication around centralized identity platforms.

The 48-hour window is not a vulnerability waiting to be patched. It is a structural feature of how the underground economy operates. The only defense is intelligence that operates on the same timeline. Constella gives security teams visibility into the window between exposure and exploitation. That is where the attack can still be stopped.


Schedule a Demo

See how Constella Infostealer Sentinel and Corporate Identity Threat Protection deliver real-time visibility into credential exposure before attackers act on it.