Executive Summary
This infostealer report covers the second half of 2024, from July 1 through November 30. During that window, Revealer.US ingested 61.4 million unique stealer logs across the families tracked by our collection team. That is a 38 percent increase over H1 2024 and confirms that infostealer volume continues to climb sharply. The findings below draw on log metadata, strain-attribution signatures, and underground-market telemetry.
Three top-line numbers frame the half. First, Lumma Stealer (also marketed as LummaC2) accounted for 34 percent of logs we ingested in H2 2024, overtaking RedLine for the first time. Second, session cookie volume per log grew 61 percent year over year, reflecting attacker prioritization of MFA bypass material. Third, the median price for 1,000 fresh logs on the largest Russian-language cloud-of-logs services fell from 320 US dollars to 245 US dollars, a 23 percent decline that signals oversupply rather than waning demand.
What Defenders Should Know Upfront
- Lumma is now the dominant stealer family by ingest volume
- RedLine remains widely deployed but its market share is eroding
- ClickFix and fake captcha lures have displaced cracked software as the single largest distribution vector
- Crypto wallet theft modules are now standard across all major families
- 2FA backup code harvesting is the fastest-growing capability
Top Stealer Families Ranked by Log Volume
We attribute logs to families based on packer signatures, C2 fingerprinting, and artifact layout. The ranking below reflects unique logs ingested between July and November 2024.
- Lumma Stealer (LummaC2), 34 percent market share
- RedLine Stealer, 22 percent market share
- StealC, 14 percent market share
- Vidar, 11 percent market share
- Meta Stealer, 7 percent market share
- Raccoon v2, 5 percent market share
- Other and unclassified, 7 percent market share
The rankings compress the story of an ecosystem in transition. Eighteen months ago, RedLine alone accounted for more than half of all stealer logs in circulation. Its decline is attributable to operator fatigue, law enforcement pressure on key distributors, and the emergence of Lumma as a more actively maintained alternative.
Lumma Stealer
Lumma, marketed by its operators as LummaC2, is a Russian-language malware-as-a-service offering with tiered subscriptions ranging from 250 to 1,000 US dollars per month. Its rise in H2 2024 was enabled by aggressive affiliate recruitment, frequent feature releases, and a panel that makes it easy for low-skill operators to parse stolen data. Lumma logs are notably rich in browser credentials, session cookies, and crypto wallet files. MITRE ATT&CK techniques prominent in Lumma activity include T1555 (Credentials from Password Stores), T1539 (Steal Web Session Cookie), and T1552 (Unsecured Credentials).
RedLine
RedLine remains the second most observed family but is on a clear downward trajectory. Its codebase is older, its maintenance cadence has slowed, and several high-profile affiliates have publicly migrated to Lumma or StealC. We expect RedLine to fall below 15 percent share in H1 2025 if current trends continue.
StealC and the Middle Tier
StealC, Vidar, Meta Stealer, and Raccoon v2 together represent 37 percent of ingest. StealC specifically grew from 6 to 14 percent share across the half, making it the second-fastest-growing family after Lumma. Meta Stealer deserves attention for its focus on enterprise-targeted builds and its relatively clean evasion against common endpoint agents.
Distribution Trends
How victims actually get infected has changed dramatically in H2 2024. We classify distribution by initial lure and infrastructure, not by payload, because a single campaign often pushes multiple stealer families over time.
ClickFix and Fake Captcha Pages
The single largest distribution vector in H2 2024 was the ClickFix technique, in which victims land on a fake captcha or error page that instructs them to paste a command into the Windows Run dialog. The pasted command launches PowerShell with an obfuscated payload that stages the stealer. Approximately 27 percent of newly observed logs in November 2024 were attributable to ClickFix-style lures. Affiliates favor this technique because it bypasses browser download warnings entirely and transfers execution to the user.
SEO Poisoning
SEO poisoning campaigns promoted malicious sites that impersonated popular software downloads, productivity tools, and PDF converters. An estimated 21 percent of H2 logs came from this vector. Operators purchase Google Ads and manipulate search results to push infected installers ahead of legitimate downloads.
Cracked Software
Cracked software remained a major vector but slipped from first to third place at roughly 19 percent of logs. The decline reflects the reality that ClickFix is operationally cheaper and reaches a broader victim demographic.
YouTube Comment Spam and Video Descriptions
YouTube-based lures, typically gaming cheats, cryptocurrency tools, and cracked applications posted in video descriptions or pinned comments, accounted for 14 percent of H2 logs. Threat actors continue to churn through disposable uploader accounts, and platform moderation is not keeping pace.
Fake Job Offers and Recruitment Lures
A smaller but rising category is fake recruitment outreach, particularly targeting developers, crypto professionals, and remote workers. These lures accounted for 9 percent of H2 logs but are overrepresented in enterprise-impact incidents because they reach higher-value targets.
Target Data Evolution
The data an infostealer collects is the clearest signal of what its operators plan to monetize. In H2 2024 we observed an unmistakable expansion of target data categories.
From Browser Credentials to Everything Else
A log from 2021 typically contained browser passwords, autofill data, and a short list of cookies. A log from late 2024 contains all of that plus crypto wallet files, browser wallet extension data, Discord and Telegram session files, VPN client configurations, SSH keys, cloud credentials from local AWS and gcloud files, and in many cases the contents of specific directories targeted by operator-configured grabber rules.
Session Cookies as First-Class Loot
Session cookies have moved from a bonus collection to a primary target. Modern stealers decrypt Chrome and Edge cookies using the browser's own decryption APIs, producing session material that enables MFA bypass through cookie replay. The average log in H2 2024 contained 2,847 cookies, up from 1,763 in H2 2023.
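The cookie-replay problem described above is visible on the identity-provider side: a replayed session shows up as the same session identifier being used from a client that does not match the one that established it, or being used long after a sane lifetime would have expired it. The following is an added example written for this report, not Revealer.US code or any IdP's API. It runs over a handful of constructed sign-in events in an assumed shape (timestamp, session id, user, source IP, user agent) and reports sessions whose client fingerprint changed mid-session, plus sessions that outlived the assumed maximum lifetime that the recommendations later in this report argue for shortening.

```python
"""Flag session identifiers that look replayed from stolen cookies.

Added example, not part of the original report. The event shape, the
8-hour lifetime policy and the sample events are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SessionEvent:
    ts: datetime          # time the IdP saw the session used
    session_id: str       # opaque session/cookie identifier (hashed in real logs)
    user: str
    ip: str
    user_agent: str


def find_replays(events, max_lifetime=timedelta(hours=8)):
    """Return findings as (session_id, user, reason) tuples.

    Two signals are checked per session identifier:
      * the same identifier used from more than one (ip, user_agent) client,
        which is what cookie replay from a stealer log looks like from the IdP;
      * the identifier still in use beyond max_lifetime after first sight,
        which means the lifetime policy leaves stolen cookies valuable.
    """
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_session[ev.session_id].append(ev)

    findings = []
    for sid, evs in by_session.items():
        first, last = evs[0], evs[-1]
        clients = {(e.ip, e.user_agent) for e in evs}
        if len(clients) > 1:
            # Report the client that differs from the one that opened the session.
            newcomers = sorted(c for c in clients if c != (first.ip, first.user_agent))
            findings.append((sid, first.user,
                             f"session reused from new client {newcomers[0]}"))
        if last.ts - first.ts > max_lifetime:
            findings.append((sid, first.user,
                             f"session used {last.ts - first.ts} after first sight, "
                             f"beyond the {max_lifetime} policy"))
    return findings


# Constructed sample events; IPs come from RFC 5737 documentation ranges.
T0 = datetime(2024, 11, 12, 9, 0)
CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/130.0"
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Firefox/132.0"
SAMPLE_EVENTS = [
    # alice: normal session, one client, under the lifetime policy
    SessionEvent(T0, "S1", "alice", "203.0.113.10", CHROME_WIN),
    SessionEvent(T0 + timedelta(minutes=30), "S1", "alice", "203.0.113.10", CHROME_WIN),
    # bob: cookie established on Windows/Chrome, replayed 4h later from Linux/Firefox
    SessionEvent(T0, "S2", "bob", "198.51.100.7", CHROME_WIN),
    SessionEvent(T0 + timedelta(hours=4), "S2", "bob", "192.0.2.44", FIREFOX_LINUX),
    # carol: same client throughout, but the session is still valid 10h later
    SessionEvent(T0, "S3", "carol", "203.0.113.22", CHROME_WIN),
    SessionEvent(T0 + timedelta(hours=10), "S3", "carol", "203.0.113.22", CHROME_WIN),
]

if __name__ == "__main__":
    for sid, user, reason in find_replays(SAMPLE_EVENTS):
        print(f"{sid} ({user}): {reason}")
```

In production the client fingerprint would usually be coarser than an exact IP (ASN or /24, plus a normalized user-agent family) to avoid paging on mobile users changing networks, but the structure of the check is the same: a session identifier is bound to the client that created it, and any second client is the replay case the report describes.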
2FA Backup Codes and Authenticator Exports
The fastest-growing capability across families is harvesting 2FA backup codes from text files, password manager exports, and cloud notes applications. We now observe grabber rules that scan for filenames like backup_codes.txt, authenticator_backup.json, and 2fa.txt across every major stealer family.
Crypto Wallet Theft
Crypto wallet theft modules are standard. Targets include desktop wallets like Exodus and Electrum, hardware wallet configuration files, seed phrases stored in sticky notes or text files, and browser extensions for MetaMask, Phantom, and similar wallets. Crypto-specific monetization explains why stealer operators tolerate logs from victims with no corporate credentials at all.
Pricing on Underground Markets
Stealer logs are priced and traded in three main formats: fresh logs sold by count, private or exclusive logs sold individually, and cloud-of-logs subscription services that give buyers continuous access to new ingest.
- 1,000 fresh mixed logs: 245 US dollars median, down from 320 in H1 2024
- 1,000 US or Western European targeted logs: 410 US dollars median
- Single private log with corporate access: 50 to 400 US dollars depending on target
- Cloud-of-logs monthly subscription, basic tier: 150 US dollars
- Cloud-of-logs monthly subscription, premium tier with fresh filtering: 900 US dollars
Prices fell across every category in H2 2024 because supply outstripped demand. The practical consequence for defenders is that even small or low-value victims now face monetization because the break-even price for a log has dropped.
Defender Recommendations
The defensive playbook for infostealer trends in H2 2024 prioritizes detection of post-compromise artifacts and rapid credential invalidation.
- Deploy EDR with behavioral detections for clipboard-to-PowerShell sequences, the signature of ClickFix campaigns
- Shorten SaaS and IdP session token lifetimes to limit the value of stolen cookies
- Treat any employee whose personal device is infected as a corporate incident because logs mix personal and work credentials
- Monitor stealer log ingest for your domains continuously rather than on periodic sweeps
- Prohibit storage of 2FA backup codes in plaintext files and push users toward hardware-backed recovery
For teams building continuous stealer log monitoring, our API documentation covers query patterns for domain, email, and executive monitoring.
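Whatever the ingest source, continuous monitoring reduces to the same loop: parse credential records out of a log, keep the ones tied to your domains (by host or by the account's mail domain), de-duplicate, and hand the security team a ticket that never contains the plaintext secret. The following is an added example written for this report, not Revealer.US code or its API. It assumes a simplified pipe-separated record format (url|username|password) constructed for the example, and reports exposures with a short password fingerprint in place of the password so that reuse of one password across several services is visible without copying the secret into a ticket.

```python
"""Triage stealer-log credential records against a set of monitored domains.

Added example, not part of the original report. The record format and the
sample log are constructed; real stealer logs vary by family.
"""
import hashlib
from collections import Counter
from urllib.parse import urlsplit


def parse_records(text):
    """Yield (url, username, password) from 'url|username|password' lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 2)   # password may itself contain '|'
        if len(parts) == 3:
            yield tuple(parts)


def in_monitored(name, monitored):
    """True if name equals or is a subdomain of any monitored domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in monitored)


def fingerprint(password):
    """Short, non-reversible correlation token so tickets never carry the secret."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def triage_log(text, monitored):
    """Return de-duplicated exposures for the monitored domains.

    Each exposure is a dict with host, user, why (host and/or account match),
    fp (password fingerprint) and reused (same fingerprint seen on >1 host).
    """
    monitored = {d.lower() for d in monitored}
    exposures = {}
    for url, user, password in parse_records(text):
        host = (urlsplit(url).hostname or "").lower()
        user_domain = user.rpartition("@")[2].lower() if "@" in user else ""
        why = []
        if in_monitored(host, monitored):
            why.append("host")
        if in_monitored(user_domain, monitored):
            why.append("account")
        if not why:
            continue                      # personal credential, out of scope
        key = (host, user.lower())        # same host+user repeated across logs
        exposures[key] = {"host": host, "user": user, "why": why,
                          "fp": fingerprint(password)}

    # A fingerprint seen on more than one host means the password is reused.
    hosts_per_fp = Counter(e["fp"] for e in exposures.values())
    for e in exposures.values():
        e["reused"] = hosts_per_fp[e["fp"]] > 1
    return sorted(exposures.values(), key=lambda e: (e["host"], e["user"]))


# Constructed sample log (not real data). Domains use the reserved .example TLD.
SAMPLE_LOG = """\
# url|username|password
https://mail.gmail.example/|alice.home@gmail.example|hunter2
https://sso.corp.example/login|alice@corp.example|Winter2024!
https://vpn.corp.example/|alice@corp.example|Winter2024!
https://github.com/login|alice@corp.example|gh-token-placeholder
https://sso.corp.example/login|alice@corp.example|Winter2024!
https://shop.example.net/|bob@other.example|p@ss|with|pipes
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG, {"corp.example"}):
        flag = " (reused)" if e["reused"] else ""
        print(f"{e['user']} @ {e['host']}: {'+'.join(e['why'])} fp={e['fp']}{flag}")
```

The account-domain match is the one most teams miss: the GitHub record above is not on a corporate host, but it is a corporate identity, and if the victim used the same password there as on the SSO portal the reuse flag shows it. Revocation should be driven by the user and fingerprint pairs, not by host, since a stealer log captures every site the browser had the credential for.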
Conclusion
H2 2024 was the half in which Lumma dethroned RedLine, ClickFix overtook cracked software, and session cookies became first-class loot. None of these shifts are reversible in the short term. The stealer ecosystem is more competitive, more distributed, and more effective than it was six months ago, and the pricing data suggests operators are confident they can absorb continued oversupply.
Defenders who treat stealer log exposure as a steady-state operational problem will outperform those who treat it as an occasional incident. The gap between those two postures widened in H2 2024 and will widen further in H1 2025.
Want to track stealer log exposure for your organization in real time? Start a free trial of Revealer.US and see which of your credentials are already circulating in underground markets.