Co-authored by Constella Intelligence and Kineviz
Infostealer malware dominates today’s cyber threat landscape. Designed to extract credentials, cookies, session tokens, autofill data, and other forms of digital identity, infostealers operate silently, persistently, and at industrial scale. They are no longer just a precursor to other attacks—infostealers are the breach.
Two vectors of risk matter here: infections on employees' devices and infections on the devices of external users such as customers and partners. Yet many organizations treat these threats uniformly, without differentiating between them. Crucially, each introduces fundamentally different threat dynamics, requiring distinct detection strategies, containment protocols, and long-term mitigations.
This article, co-authored by Constella Intelligence and Kineviz, combines large-scale infostealer telemetry data with advanced visual analytics to demonstrate how organizations can understand and contextualize these evolving exposures. The foundation of this analysis is the Constella 2025 Identity Breach Report, which tracks over 219,000 breach events, 107 billion exposed records, and 30 million infected devices observed across deep and dark web sources. GraphXR, Kineviz’ graph data analytics and visualization platform, provided the means for the analysis and visualizations.
Employee Infections: A Gateway to Internal Compromise
Infostealers that infect employee devices directly threaten enterprise systems. The reason is simple: the credentials exfiltrated come from devices used to access email, cloud services, production infrastructure, and collaboration platforms, so with them in hand attackers gain immediate access to the operational backbone of the organization. Constella’s data shows that for 78% of recently breached companies, infostealer logs containing internal credentials surfaced within the six-month window examined around the compromise.
More than 30% of ransomware attacks in 2024 started with access acquired through infostealer infections. Attackers deployed infostealers such as LummaC2, Redline, and Vidar to extract credentials, which they then either resold or reused. These infections also frequently evade detection on unmanaged or BYOD (bring your own device) endpoints, especially in hybrid work environments.
Moreover, 95.29% of credentials exposed via infostealers in 2024 were found in plaintext, a dramatic increase from the previous year. The implications are clear: attackers don’t break in when they can simply log in.
User Infections: External, Yet Highly Impactful
While user-side infections may not directly affect enterprise systems, their impact is no less severe. What makes this type of exposure so dangerous is its latent pathway into internal systems. If an organization has federated authentication, shared credentials, or weak access controls in place, attackers may escalate privileges or move laterally using external identities. With 60% of 2024 breach datasets composed of recycled credentials, attackers often combine user- and employee-exposed data to uncover new attack paths.
Employees regularly use corporate devices to access personal accounts and vice versa. Constella’s telemetry has repeatedly shown cases where session cookies and credential pairs recovered from “user” infections include logins to administrative dashboards, internal cloud environments, or IT vendor platforms.
Attackers use credentials stolen from customers or partners for account takeover (ATO), fraud, and platform abuse. This increases the operational burden on support teams, drives up fraud losses, and introduces brand-level risk when attackers use hijacked user sessions to phish or defraud other users.
The Critical Role of Visual Analytics in Deep Infostealer Intelligence
The dynamic nature of identity exposure—where a single infostealer infection may leak credentials across dozens of unrelated services—requires a different investigative model. Security teams must move away from static analysis of email domains or leaked passwords and begin treating infostealer datasets as high-context, interconnected threat maps.
The scale and relational complexity of Constella Intelligence’s infostealer data lakes demand a way to understand their significance beyond producing lists of actors and leaks. This is where Kineviz adds critical value. Through graph-powered visual analytics, teams can explore infostealer data in real time, connecting credentials, session artifacts, device metadata, and behavioral signals across internal and external entities. This gives analyst teams the insight they need to address the security issues as an interconnected ecosystem and to create plans to mitigate them.

Kineviz’ GraphXR enables security teams to visually distinguish and separate employee infections from user-based exposures, mapping each population independently while also exploring their intersections. This structured separation is fundamental when trying to tailor containment strategies or when reporting risk by department, geography, vendor, or user segment.
Furthermore, the ability to operate at scale across millions of credentials allows analysts to extract collective intelligence from affected populations. Instead of responding to threats one by one, teams can investigate clusters—such as all developers using a compromised plugin, or all employees sharing credentials with leaked user accounts. These insights help uncover shared infrastructure, behavioral patterns, or systemic security weaknesses that wouldn’t emerge from individual case analysis.
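As an added illustration, not code or data from Constella or Kineviz, the separation-and-intersection logic described above can be sketched in plain Python: each stealer log record is classified as an employee credential (corporate identity), a user credential (outside identity on a corporate service), or other; records are linked into a device / credential / service graph; and the two populations are then joined back together through the devices that carry both and the passwords reused across them. The corporate domain, the record fields, and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the organization's own domains. An identity at one of these domains
# is an employee credential; an outside identity logging into a host under them
# is a customer/user credential on the organization's platform.
CORPORATE_DOMAINS = {"example-corp.com"}

# Constructed sample records, not real stealer data, shaped like the fields a
# stealer log parser typically extracts: infected device, malware family,
# login URL, username, password (plaintext, as in the logs themselves).
SAMPLE_LOGS = [
    {"device": "dev-01", "family": "Lumma", "url": "https://mail.example-corp.com/owa", "user": "alice@example-corp.com", "password": "Winter2024!"},
    {"device": "dev-01", "family": "Lumma", "url": "https://www.personalbank.test/signin", "user": "alice.h", "password": "Winter2024!"},
    {"device": "dev-02", "family": "Redline", "url": "https://admin.vendor-saas.test/", "user": "bob@example-corp.com", "password": "hunter2"},
    {"device": "dev-03", "family": "Vidar", "url": "https://shop.example-corp.com/account", "user": "carol@gmail.test", "password": "pass123"},
    {"device": "dev-04", "family": "Redline", "url": "https://vpn.example-corp.com/", "user": "dave@example-corp.com", "password": "pass123"},
    {"device": "dev-05", "family": "Lumma", "url": "https://forum.test/login", "user": "eve", "password": "qwerty"},
]


def _domain_of(identity):
    """Domain part of an email-style username, or None for a bare handle."""
    return identity.rsplit("@", 1)[1].lower() if "@" in identity else None


def _host_in(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(record):
    """employee: corporate identity; user: outside identity on a corporate service; other: neither."""
    if _domain_of(record["user"]) in CORPORATE_DOMAINS:
        return "employee"
    host = urlsplit(record["url"]).hostname or ""
    return "user" if _host_in(host, CORPORATE_DOMAINS) else "other"


def build_graph(records):
    """Undirected adjacency list device <-> credential <-> service, plus a population
    label per credential node so the two lenses can be filtered apart or joined."""
    adj, labels = defaultdict(set), {}
    for r in records:
        host = urlsplit(r["url"]).hostname or "unknown"
        dev, cred, svc = f"device:{r['device']}", f"cred:{r['user']}|{host}", f"service:{host}"
        labels[cred] = classify(r)
        adj[dev].add(cred); adj[cred].add(dev)
        adj[cred].add(svc); adj[svc].add(cred)
    return adj, labels


def bridge_devices(records):
    """Devices whose logs hold both a corporate identity and a non-corporate one:
    the personal/corporate mixing that turns an 'external' infection into an internal lead."""
    pops = defaultdict(set)
    for r in records:
        pops[r["device"]].add(classify(r))
    return sorted(d for d, p in pops.items() if "employee" in p and p - {"employee"})


def password_reuse_links(records):
    """Passwords shared between an employee credential and a user/other credential.
    In production compare keyed hashes of the plaintext rather than retaining it."""
    by_pw = defaultdict(list)
    for r in records:
        by_pw[r["password"]].append((classify(r), r["user"]))
    links = {}
    for pw, entries in by_pw.items():
        pops = {p for p, _ in entries}
        if "employee" in pops and len(pops) > 1:
            links[pw] = sorted(set(entries))
    return links


def exposure_by_family(records):
    """Employee / user / other credential counts per malware family."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        counts[r["family"]][classify(r)] += 1
    return {f: dict(c) for f, c in counts.items()}


if __name__ == "__main__":
    print("bridge devices:", bridge_devices(SAMPLE_LOGS))
    print("cross-population password reuse:", password_reuse_links(SAMPLE_LOGS))
    print("exposure by family:", exposure_by_family(SAMPLE_LOGS))
```

On the constructed records the bridge is dev-01 (a corporate mailbox login next to a personal banking login, sharing one password), and the reuse link joins a customer account on the shop with an employee VPN login; those are the two edges a per-incident, per-domain review would never draw.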
Kineviz’s visual engine also allows threat intelligence teams to:
- Group infostealer logs by attack vector or malware family (e.g., Redline vs. Lumma)
- Identify concentrations of exposure by business unit, role, or application
- Tag and monitor known vendors, executives, or contractors as high-risk nodes
- Segment remediation by use case: phishing risk, lateral movement, ATO, privileged access, etc.
The result is a shift from flat reporting to visual, contextual threat modeling, where security teams can rapidly see, segment, and prioritize threats by relevance and business impact. Visualization is no longer a reporting feature—it is an investigative tool and a decision accelerator.
Recommendations
- Adopt a Dual-Lens Threat Model: Separate internal and external exposures in your detection stack, but correlate them where identity overlap is suspected.
- Leverage Visual Graph Analysis: Use tools like those developed by Kineviz to visually explore infostealer logs and extract macro-level patterns across users, malware types, and threat actors.
- Operationalize Infostealer Intelligence at Scale: Treat infostealer data as the backbone of identity threat modeling. Avoid treating incidents in isolation; group them to detect systemic exposures.
- Track Beyond Credentials: Monitor for session tokens, authentication cookies, and configuration artifacts. These are increasingly used to bypass MFA and impersonate users.
- Expand Awareness Across the Organization: Train employees, fraud teams, and risk stakeholders to understand how infostealer risk impacts them, even outside the traditional security perimeter.
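As an added example of the "track beyond credentials" recommendation, not code or data from Constella or Kineviz, the check below takes a cookie export recovered from an infection and flags the session artifacts that can still replay an authenticated session on a monitored domain. It assumes the cookies are in the Netscape cookies.txt layout that many stealer families and log parsers use, a hypothetical list of monitored domains, and a heuristic list of session cookie names; the sample export is constructed. Expired cookies are dropped, browser-session cookies (expiry 0) are treated as live because the stealer copied them from a running profile, and the `#HttpOnly_` prefix used by curl-style exports is parsed rather than discarded as a comment.

```python
import time
from dataclasses import dataclass
from typing import List

# Assumption: domains whose sessions matter to the organization (its own domains
# plus the SaaS/vendor platforms employees sign in to).
MONITORED_DOMAINS = {"example-corp.com", "vendor-saas.test"}

# Assumption: heuristic names under which frameworks and IdPs commonly store the
# authenticated session; extend per environment.
SESSION_COOKIE_NAMES = {"session_id", "sessionid", "sid", "auth_token", "__Host-session"}

# Constructed sample export (not real data). Netscape cookies.txt columns:
# domain, include-subdomains flag, path, secure flag, expiry (unix seconds), name, value.
SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    ".example-corp.com\tTRUE\t/\tTRUE\t1900000000\tsession_id\tabc123\n"
    "#HttpOnly_sso.example-corp.com\tFALSE\t/\tTRUE\t1900000000\tsid\tidp-session-live\n"
    "okta.example-corp.com\tFALSE\t/\tTRUE\t1600000000\tsid\texpired-token\n"
    ".vendor-saas.test\tTRUE\t/\tTRUE\t0\tauth_token\tsession-scoped\n"
    ".personalbank.test\tTRUE\t/\tTRUE\t1900000000\tsessionid\tzzz\n"
    "www.example-corp.com\tFALSE\t/\tFALSE\t1900000000\t_ga\tGA1.2.3\n"
)


@dataclass(frozen=True)
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int  # unix seconds; 0 = browser-session cookie, no expiry recorded
    name: str
    value: str
    http_only: bool


def parse_cookies_txt(text: str) -> List[Cookie]:
    """Parse Netscape cookies.txt lines. '#HttpOnly_'-prefixed entries are real
    cookies (curl/wget convention), not comments, so keep them and record the flag."""
    cookies = []
    for raw in text.splitlines():
        line = raw.strip()
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue  # malformed line; a production parser would log it
        domain, flag, path, secure, expires, name, value = parts
        cookies.append(Cookie(domain.lower(), flag.upper() == "TRUE", path,
                              secure.upper() == "TRUE", int(expires or 0),
                              name, value, http_only))
    return cookies


def _matches_domain(cookie_domain: str, monitored: str) -> bool:
    d = cookie_domain.lstrip(".")
    return d == monitored or d.endswith("." + monitored)


def is_monitored(cookie: Cookie) -> bool:
    return any(_matches_domain(cookie.domain, m) for m in MONITORED_DOMAINS)


def is_live(cookie: Cookie, now: int) -> bool:
    """Expiry 0 is a session-scoped cookie copied from a running profile: treat as live."""
    return cookie.expires == 0 or cookie.expires > now


def live_session_cookies(cookies: List[Cookie], now: int = None) -> List[Cookie]:
    """Cookies that can still replay an authenticated session on a monitored domain.
    These must be revoked server-side; a password reset alone does not kill them."""
    now = int(time.time()) if now is None else now
    return [c for c in cookies
            if is_monitored(c) and c.name in SESSION_COOKIE_NAMES and is_live(c, now)]


def revocation_targets(flagged: List[Cookie]) -> dict:
    """Group live session artifacts by the domain whose sessions must be invalidated."""
    targets = {}
    for c in flagged:
        targets.setdefault(c.domain.lstrip("."), set()).add(c.name)
    return {d: sorted(n) for d, n in targets.items()}


if __name__ == "__main__":
    found = live_session_cookies(parse_cookies_txt(SAMPLE_COOKIES_TXT))
    for c in found:
        print(f"LIVE {c.domain} {c.name} httponly={c.http_only} expires={c.expires}")
    print("revoke sessions at:", revocation_targets(found))
```

The personal banking session in the sample is live but outside the monitored set, so it is not flagged; that is the external lens, and it belongs in the correlation step rather than in this containment check. The expired Okta cookie shows why the timestamp matters: flagging every cookie in a log inflates the revocation list and buries the artifacts that still work.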
Final Considerations
Infostealers are not a niche threat. They are the operational mechanism behind today’s largest-scale identity attacks. According to the Constella 2025 Identity Breach Report, nearly every major breach now involves infostealer data, reused credentials, or session artifacts obtained via these infections.
Responding effectively requires more than threat feeds; it requires context, correlation, and visibility. Through the joint power of deep infostealer intelligence from Constella and real-time visual exploration from Kineviz, organizations gain the clarity needed to defend at the speed and complexity of modern threats.