Cybersecurity Report Highlights How Simple User Actions Fuel Rising Infostealer Threats
New research from Kaspersky Digital Footprint Intelligence (DFI) reveals that user behaviour plays a critical role in the spread of infostealer malware, with more than one-third of infections beginning when users run files directly from temporary browser folders. The findings suggest that, in many cases, attackers rely less on advanced technical exploits and more on users unknowingly executing malicious files.
The analysis is based on 5 million infostealer log files discovered on the dark web in 2025. These logs contain sensitive information stolen from compromised devices, including login credentials, browser cookies, and system metadata. Researchers were also able to trace the original file locations of malware on infected systems, providing insight into how infections begin.
The most common source of infection was the Windows per-user temporary directory (C:\Users\<username>\AppData\Local\Temp), accounting for around 35% of observed cases. This folder is frequently used to store downloaded files before users manually save them. According to Kaspersky, many infections occur when users immediately open downloaded files without verifying their source or safety.
A further 32% of cases were linked to the directory C:\Windows\Microsoft.NET\Framework, which is associated with more advanced infection techniques such as process injection and “living-off-the-land” methods. These approaches allow malware to blend into legitimate system activity and evade detection. They are commonly seen in sophisticated infostealer families such as Lumma.
The research highlights that many infections are triggered by risky user actions, including downloading software from untrusted sources and attempting to activate pirated or illegal software. In some cases, victims even follow attacker instructions to disable security protections before executing malicious files. These files are often disguised as legitimate installers, game modifications, or software tools.
Sergey Shcherbel, an expert at Kaspersky Digital Footprint Intelligence, noted that infostealer activity increased significantly in 2025, rising by 59% year over year. He emphasized that many infections do not require advanced hacking techniques, but rather depend on convincing users to execute harmful files shortly after downloading them.
The study also identified distinct behavioural patterns among major infostealer families. Lumma commonly uses generic installer names, .NET obfuscation, and process injection techniques. Vidar often appears as “Bootstrapper.exe” variants using traditional loaders. Stealc employs a mixed strategy, combining realistic filenames such as “Licence_Version_Loader.exe” with randomly generated names. RisePro is characterised by recurring filenames like “MPGPH.exe” and “MSIUpdater.exe”.
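The two origin directories and the family filenames above can be turned into a simple triage rule for process-creation logs. The following is an added example, not code from Kaspersky or the report; the event fields, the score weights, the alert threshold and the sample events are assumptions constructed for illustration.

```python
"""Triage Windows process-creation events against the infection-origin
patterns the Kaspersky DFI report describes: launches from the user Temp
folder, .NET Framework binaries spawned by Temp-resident parents (injection
style), and recurring stealer filenames. Weights and threshold are assumed."""
from dataclasses import dataclass
import re

# The two directories the report names as the dominant infostealer origins.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
DOTNET_FW = re.compile(r"\\Windows\\Microsoft\.NET\\Framework(64)?\\", re.I)
# Filenames the report ties to families; on their own they are low confidence.
FAMILY_NAMES = {
    r"^bootstrapper.*\.exe$": "Vidar",
    r"^licence_version_loader\.exe$": "Stealc",
    r"^mpgph\.exe$": "RisePro",
    r"^msiupdater\.exe$": "RisePro",
}

@dataclass
class ProcEvent:
    image: str         # full path of the newly created process
    parent_image: str  # full path of the parent process

def triage(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons); score >= 3 merits analyst review (assumed)."""
    score, reasons = 0, []
    name = ev.image.rsplit("\\", 1)[-1]
    if USER_TEMP.search(ev.image):
        score += 2
        reasons.append("executed from user Temp folder")
    if DOTNET_FW.search(ev.image) and USER_TEMP.search(ev.parent_image):
        # A framework binary started by something in Temp is the report's
        # injection / living-off-the-land pattern, so it weighs most.
        score += 3
        reasons.append(".NET framework binary launched from Temp-resident parent")
    for pattern, family in FAMILY_NAMES.items():
        if re.match(pattern, name, re.I):
            score += 1
            reasons.append(f"filename matches {family} pattern")
    return score, reasons

def flagged(events: list[ProcEvent], threshold: int = 3) -> list[str]:
    """Images whose score reaches the threshold; bare filename hits stay below it."""
    return [ev.image for ev in events if triage(ev)[0] >= threshold]

# Constructed sample events, not real telemetry.
EVENTS = [
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\Bootstrapper.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\example_host.exe", r"C:\Users\alice\AppData\Local\Temp\setup_x64.exe"),
    ProcEvent(r"C:\Program Files\Vendor\MSIUpdater.exe", r"C:\Windows\explorer.exe"),
]
```

The third event shows the caveat the report implies: a family-style filename outside the origin directories scores only 1, so it is logged as context rather than raised as an alert.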
To reduce risk, Kaspersky recommends that organisations adopt digital risk protection services such as Kaspersky Digital Footprint Intelligence to monitor threats across the surface, deep, and dark web. It also advises security teams to use threat intelligence solutions for better visibility into emerging cyber risks.
For individual users, Kaspersky recommends downloading software only from trusted sources, avoiding pirated tools and unofficial installers, and using strong security software such as Kaspersky Premium. Users are also encouraged to store sensitive data in secure password managers, avoid disabling antivirus protection, keep systems updated, and enable multi-factor authentication wherever possible.