User Actions Drive Majority of Infostealer Infections, Kaspersky Finds
To reduce the risk of infection, Kaspersky advises users to download software only from trusted sources, keep security software enabled, use strong passwords and enable multi-factor authentication whenever possible.
Country: South Africa
A new study by Kaspersky Digital Footprint Intelligence (DFI) has revealed that user behaviour remains one of the biggest contributors to infostealer infections, with more than one-third of attacks beginning when users run files directly from temporary browser download folders.
The findings come from an analysis of five million infostealer log files discovered on the dark web in 2025. These logs contained information stolen from infected devices, including login credentials, browser cookies and system data, while also revealing where malicious files were originally executed on compromised computers.
Temporary Download Folders Linked to Most Infections
Researchers found that approximately 35% of observed infections originated from the Windows temporary directory, a location commonly used to store downloaded files before users save them elsewhere. The data suggests that many victims launch downloaded files immediately after obtaining them from the internet, creating an opportunity for cybercriminals to infect devices without relying on advanced attack methods.
A further 32% of infections were traced to the Microsoft .NET Framework directory, a location often associated with more sophisticated malware techniques such as process injection and "living-off-the-land" attacks. These methods exploit legitimate system processes to avoid detection and are commonly used by advanced infostealer families, including Lumma.
Pirated Software and Fake Installers Remain Common Traps
The research highlights several risky behaviours that frequently lead to infections, particularly downloading software from unofficial sources and attempting to activate software illegally. Many victims were found to have followed instructions provided by cybercriminals, including disabling antivirus software before running files disguised as software installers, activators, game modifications or utility programs.
While game-related downloads continue to be a popular lure, attackers increasingly use similar tactics to distribute malicious versions of a wide range of software products. Sergey Shcherbel, an expert at Kaspersky Digital Footprint Intelligence, said infostealer infections surged by 59% during 2025 compared to the previous year. According to Shcherbel, attackers often do not need highly sophisticated techniques because convincing a user to run a malicious file is enough to compromise a device.
Different Malware Families Show Distinct Patterns
The study also identified unique naming habits among major infostealer families. Lumma frequently uses generic installer names and .NET obfuscation techniques. Vidar often appears as Bootstrapper.exe variants, while Stealc combines meaningful filenames with randomly generated names. RisePro follows recurring naming patterns such as MPGPH.exe and MSIUpdater.exe.
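The two execution locations reported above (the Windows temporary directory and the .NET Framework directory) and the family-specific filenames listed here translate directly into a triage rule for process-creation telemetry. The following Python snippet is an added example written for this page, not code from Kaspersky or the study; the log-line format, the exact path patterns used to recognise the two directories, and the severity scale are this example's own assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter
from typing import Optional

# Execution locations reported by the study: the Windows temporary
# directory and the Microsoft .NET Framework directory. The concrete
# path forms below are this example's assumption, not the study's.
TEMP_DIR_RE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\local\\temp|windows\\temp)\\", re.I
)
DOTNET_DIR_RE = re.compile(
    r"^[a-z]:\\windows\\microsoft\.net\\framework(?:64)?\\", re.I
)

# Filenames the article associates with particular stealer families.
# A match is a triage hint, not proof of infection.
NAME_HINTS = {
    "bootstrapper.exe": "Vidar-style name",
    "mpgph.exe": "RisePro-style name",
    "msiupdater.exe": "RisePro-style name",
}

# Assumed telemetry format: key=value pairs with the image path quoted.
IMAGE_RE = re.compile(r'image="([^"]+)"')


def classify_path(image_path: str) -> dict:
    """Classify one executed image path by location and filename hint."""
    path = image_path.strip().replace("/", "\\")
    filename = path.rpartition("\\")[2].lower()
    if TEMP_DIR_RE.match(path):
        location = "temp"
    elif DOTNET_DIR_RE.match(path):
        location = "dotnet_framework"
    else:
        location = "other"
    hint: Optional[str] = NAME_HINTS.get(filename)
    # Severity ordering (assumed): known stealer name in a risky location
    # > risky location alone or name hint alone > nothing notable.
    if location != "other" and hint:
        severity = "high"
    elif location != "other" or hint:
        severity = "medium"
    else:
        severity = "low"
    return {"path": path, "location": location, "name_hint": hint, "severity": severity}


def triage(log_lines) -> list:
    """Parse process-creation lines of the assumed format and classify each."""
    results = []
    for line in log_lines:
        match = IMAGE_RE.search(line)
        if not match:
            continue  # line carries no image path; nothing to classify
        results.append(classify_path(match.group(1)))
    return results


def location_breakdown(results) -> dict:
    """Count executions per location, the same grouping the study reports."""
    return dict(Counter(r["location"] for r in results))


# Constructed sample telemetry (not real log data).
SAMPLE_LOGS = [
    '2025-03-04T10:12:01Z host=WS01 image="C:\\Users\\alice\\AppData\\Local\\Temp\\Bootstrapper.exe"',
    '2025-03-04T10:13:45Z host=WS02 image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MPGPH.exe"',
    '2025-03-04T10:15:09Z host=WS03 image="C:\\Program Files\\ExampleVendor\\app.exe"',
    '2025-03-04T10:16:30Z host=WS04 image="C:\\Windows\\Temp\\game_mod.exe"',
    '2025-03-04T10:17:02Z host=WS05 user=eve',
]

if __name__ == "__main__":
    verdicts = triage(SAMPLE_LOGS)
    for v in verdicts:
        print(f'{v["severity"]:6} {v["location"]:16} {v["path"]}')
    print(location_breakdown(verdicts))
```

Run as a script it prints one verdict per parsed line followed by the per-location counts. The directory match alone only raises a medium severity, because legitimate installers also run from the temporary folder; the filename hints and the severity scale are starting points for tuning against a specific estate, not a substitute for endpoint protection.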
To reduce the risk of infection, Kaspersky advises users to download software only from trusted sources, keep security software enabled, use strong passwords and enable multi-factor authentication whenever possible. The company also recommends using password managers for sensitive information, avoiding pirated software and keeping operating systems and applications updated to protect against emerging cyber threats.