A new infostealer builder claims to exfiltrate 99% of targeted secrets in less than 12 seconds post-exploitation, according to a report by Hudson Rock.

Advertisements for the malware-as-a-service (MaaS) known as logins[.]zip were first observed by Hudson Rock researchers this month and market the stealer as a competitor to popular stealers such as Lumma, RedLine and Vidar. The threat actors behind logins[.]zip claim those stealers recover only about 43% of passwords and cookies because they rely solely on the Windows Data Protection API (DPAPI) to decrypt stolen data.

Logins[.]zip purports to use two Chromium zero-day exploits to aid in the theft of cookies and credentials without the need for admin privileges. According to the advertisements, the browser-based builder generates custom malware stubs of about 150KB with "polymorphic auto-obfuscation" to evade detection and analysis.

Hudson Rock researchers downloaded sample logs provided by the sellers and reported that the logs had a "unique structure" not seen in previous infostealer attacks. The researchers also found credentials in the logs that had not appeared in previous infostealer leaks, and data that did match previous infections contained more credentials than seen in prior attacks (e.g. 147 credentials vs. 99 from computers infected around the same time).

The research team logged in to the logins[.]zip platform and viewed patch notes from mid-October indicating active development of the builder. The builder is currently being sold at two clearweb domains for a promotional price of $150 per month, with the sale set to end on Nov. 10, according to Hudson Rock.

Logins[.]zip targets a wide range of credentials by combining Windows DPAPI with browser exploits, potentially putting login details, cookies and payment card details at risk.
Additional modules enable the theft of Discord tokens and Roblox cookies, with crypto wallet theft capabilities said to be in development. The malware supports exfiltration of stolen data to Discord or Telegram, further lowering the bar for attackers without dedicated infrastructure of their own.

While claims made by cybercriminals cannot be taken at face value, the threat of infostealers remains a major cybersecurity concern. Infostealer activity tripled in 2024, according to a report by Picus Security, which found in a separate report that data exfiltration attempts had a 97% success rate in 2025. The impact of infostealers was also seen in the 183 million unique stolen email and password pairs added to the Have I Been Pwned (HIBP) database last week.

Threat actors in the MaaS ecosystem continue to evolve their illicit offerings, as seen in the recent rewrite of Vidar Stealer and the updates to Rhadamanthys stealer earlier this month.

To help defend against infostealers, Hudson Rock recommends hardening browser defenses through enforcement of multifactor authentication (MFA), quarterly credential rotation and monitoring of Chromium processes for anomalous activity. Note that MFA blocks replay of a stolen password but not of a stolen session cookie, which is why the cookie-theft capabilities matter as much as the credential theft. Organizations are also encouraged to use endpoint detection and response (EDR) solutions with behavioral analytics, especially those tuned for the syscalls and user-level injection such as those used by logins[.]zip. Free tools such as HIBP and Hudson Rock's infostealer checkers can be used to check whether company credentials have been exposed by an infostealer infection.
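To make the "monitor Chromium processes for anomalous activity" recommendation concrete, here is an added detection example (written for this page, not code from Hudson Rock, SC Media or any EDR vendor). It runs two rules over constructed file-access telemetry: flag any non-browser process that reads a Chromium secret store (Login Data, Cookies, Web Data, or Local State, which holds the DPAPI-wrapped key), and flag a burst in which one such process touches two or more distinct stores inside a short window, the pattern a stealer advertised as finishing in under 12 seconds would leave. The event field names, the `stub.exe` process and the 15-second window are assumptions of the example; the profile-path regexes cover the common Default / Profile N layouts only.

```python
import json
import re
from collections import defaultdict

# Chromium profile files that hold what infostealers harvest: saved logins,
# cookies, autofill/card data, and Local State, which stores the DPAPI-wrapped
# key used to decrypt the other three. The regexes are this example's own
# assumption about profile layout (Default / Profile N), not a vendor rule set.
SECRET_STORE_PATTERNS = {
    "login_data":  re.compile(r"\\user data\\(default|profile \d+)\\login data$"),
    "cookies":     re.compile(r"\\user data\\(default|profile \d+)\\network\\cookies$"),
    "web_data":    re.compile(r"\\user data\\(default|profile \d+)\\web data$"),
    "local_state": re.compile(r"\\user data\\local state$"),
}

# Processes expected to read their own profile stores.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe"}

WINDOW_SECONDS = 15.0     # assumed window; covers the advertised "under 12 seconds"
MIN_DISTINCT_STORES = 2   # Local State plus any one store is enough to decrypt


def classify_store(path: str):
    """Return the secret-store name a path refers to, or None if it is not one."""
    p = path.lower()
    for name, pattern in SECRET_STORE_PATTERNS.items():
        if pattern.search(p):
            return name
    return None


def image_name(image_path: str) -> str:
    return image_path.rsplit("\\", 1)[-1].lower()


def detect_store_access(events):
    """Run both rules over file-access events and return the alerts raised.

    Each event is a dict with ts (epoch seconds), pid, image (process path)
    and target (file path read). Rules (assumptions of this example):
      single_read: a non-browser process reads any Chromium secret store
      burst:       one non-browser process reads >= MIN_DISTINCT_STORES
                   distinct stores within WINDOW_SECONDS (once per process)
    """
    alerts = []
    history = defaultdict(list)   # (pid, image) -> [(ts, store)]
    burst_flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        store = classify_store(ev["target"])
        if store is None:
            continue
        img = image_name(ev["image"])
        if img in BROWSER_IMAGES:
            continue
        key = (ev["pid"], img)
        alerts.append({"rule": "single_read", "pid": ev["pid"], "image": img,
                       "store": store, "ts": ev["ts"]})
        # keep only this process's reads that fall inside the window
        recent = [(t, s) for t, s in history[key] if ev["ts"] - t <= WINDOW_SECONDS]
        recent.append((ev["ts"], store))
        history[key] = recent
        distinct = {s for _, s in recent}
        if len(distinct) >= MIN_DISTINCT_STORES and key not in burst_flagged:
            burst_flagged.add(key)
            alerts.append({"rule": "burst", "pid": ev["pid"], "image": img,
                           "stores": sorted(distinct), "ts": ev["ts"]})
    return alerts


# Constructed sample telemetry (JSON lines). Field names are this example's
# own, not any EDR schema; pid 4120 / stub.exe is a hypothetical dropped stub.
SAMPLE_EVENTS = r"""
{"ts": 100.0, "pid": 3012, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": 100.4, "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stub.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"ts": 101.1, "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stub.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": 102.9, "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stub.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts": 103.2, "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stub.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Profile 1\\Web Data"}
{"ts": 140.0, "pid": 2200, "image": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\alice\\Documents\\notes.txt"}
"""


def load_events(jsonl: str):
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


if __name__ == "__main__":
    for alert in detect_store_access(load_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample, chrome.exe reading its own Login Data and explorer.exe reading a document raise nothing; the stub's four reads each raise `single_read`, and the second of them (Local State followed by Login Data 0.7 seconds later) raises the single `burst` alert. The burst rule is the one worth alerting on: legitimate tooling occasionally opens one of these files, but reading the key store and a secret store back to back from an unsigned binary in Temp is the stealer's signature regardless of whether it decrypts with DPAPI or a browser exploit.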
Malware, Identity, Data Security, Threat Intelligence, Privacy

New infostealer claims to extract 99% of credentials in 12 seconds





