Infostealers: The Silent Threat Behind New Zealand's Biggest Cyber Risks
- Joseph Rapley
- 10 hours ago
- 6 min read
In December 2025, New Zealand's National Cyber Security Centre (NCSC) did something it had never done before. It emailed 26,000 New Zealanders directly to warn them their devices were likely infected with malicious software called Lumma Stealer. The malware had been quietly harvesting passwords, browser data and banking credentials from Windows devices. Some of those stolen credentials were linked to government agency systems and bank accounts.
It was the largest public outreach the NCSC has ever run. Lumma Stealer is just one example of a type of malware that has become one of the most common entry points for cybercrime, in New Zealand and around the world: the infostealer.

What Is an Infostealer?
An infostealer is malware that collects sensitive data from an infected device and sends it back to the attacker. No ransom notes. No locked screens. No pop-ups. Most victims have no idea anything has happened until something goes wrong downstream. An account gets locked. Money disappears. A colleague gets a phishing email using credentials that were stolen weeks ago.
The types of data these tools go after include:
- Saved passwords from browsers like Chrome, Edge and Firefox
- Session cookies that can be used to bypass multi-factor authentication
- Autofill data (names, addresses, phone numbers)
- Cryptocurrency wallet files and seed phrases
- Two-factor authentication browser extensions
- Documents pulled from common folders like Desktop and Downloads
Lumma specifically targets all of the above, along with data from applications like AnyDesk and KeePass.
After collection, all of this is packaged into what's called a 'log' and either sent to the attacker directly or listed for sale on dark web marketplaces. One log from a single infected device can contain hundreds of credentials spread across dozens of services.
Why Lumma Stealer Matters
Lumma Stealer, also known as LummaC2, has been active since at least August 2022. It has become one of the most widely deployed infostealers in the world, and the reason comes down to its business model.
Lumma is sold as Malware-as-a-Service (MaaS). Anyone can buy access through dark web forums or Telegram channels. Pricing starts at around US$250, with tiers going up to US$20,000 for access to the full source code. Buyers receive a management panel where they can build their own version of the malware, track infections and download stolen data. Technical skill is not a requirement.
The NCSC's Chief Operating Officer Michael Jagusch put it bluntly: 'There has been a real commercialisation of the cyber crime industry, meaning that malware like this can be purchased by anyone, anywhere in the world.'
In May 2025, a joint operation involving Microsoft, Europol, the FBI and other partners seized approximately 2,300 domains tied to Lumma's infrastructure. The developer confirmed the takedown happened, claiming law enforcement did not physically seize the main server. Within weeks, Lumma's operations had resumed. By mid-2025, infection rates had returned to pre-takedown levels.
How Do People Get Infected?
Infostealers like Lumma rarely exploit complex software vulnerabilities. They rely on tricking people.
- Phishing emails impersonate trusted brands. Hotel booking confirmations and shipping notifications are common lures.
- Fake software downloads bundle the malware with cracked versions of popular applications. VLC, Notepad++ and ChatGPT have all been impersonated.
- Malvertising injects fake advertisements into search engine results. Searching for something like 'Notepad++ download' might surface a malicious ad above the legitimate result.
- Fake CAPTCHA pages trick users into running a PowerShell command disguised as a verification step. This technique, known as ClickFix, has been used in several recent Lumma campaigns.
- Compromised websites present deceptive pop-ups that instruct users to take actions that unknowingly install the malware.
The malware itself runs quietly and avoids triggering alerts. Many infected users will never notice anything on their device. The signs tend to appear in their online accounts instead: unexpected login alerts, locked accounts or unfamiliar transactions.
Why NZ Businesses Should Care
It would be easy to dismiss infostealers as a consumer problem. The NCSC's own data tells a different story.
Their Cyber Threat Report 2025 recorded 137 financially motivated incidents of potential national significance in 2024/25, more than double the 65 recorded the previous year. Direct financial losses reported to the NCSC reached $26.9 million, up from $21.6 million. Q3 2025 alone accounted for $12.4 million in losses, a 118% increase on the previous quarter, with business email compromise driving the increase.
Infostealers are often the first step in attack chains that lead to those numbers.
Stolen credentials fuel business email compromise. An infostealer grabs an employee's email password. The attacker logs in, watches conversations and eventually sends a fake invoice or alters payment details on a real one. The NCSC reported that around $5 million in Q1 2025 losses came from unauthorised money transfers and BEC.
Session cookies bypass MFA. Even with multi-factor authentication in place, infostealers can steal active session cookies from browsers. That lets attackers hijack authenticated sessions without needing a second factor at all. We see this regularly during penetration tests when reviewing how organisations handle session security.
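The server-side control that blunts cookie theft is to bind a session to the client it was issued to and to be able to revoke all of a user's sessions at once. The following is an added example written for this article, not code from the article or from any product it mentions. It assumes an application that records a client fingerprint and network (ASN) when it issues a session cookie and logs the same fields on every later request; the log format, field names and every log line are constructed.

```python
"""Server-side detection of a replayed session cookie.

Added example, not part of the original article or any product it mentions.
It assumes an application that records, when it issues a session cookie, the
client fingerprint and network (ASN) it was issued to, and that every later
request is logged with the same fields. Field names, the log format and all
log lines below are constructed for the example.
"""


class SessionStore:
    """Minimal session table with the two controls that matter for stolen cookies:
    each session is bound to the fingerprint/ASN it was issued to, and all of a
    user's sessions can be revoked together (for example on password change)."""

    def __init__(self):
        self._sessions = {}  # sid -> {"user", "fp", "asn", "active"}

    def issue(self, sid, user, fp, asn):
        self._sessions[sid] = {"user": user, "fp": fp, "asn": asn, "active": True}

    def validate(self, sid, fp, asn):
        """Return (accepted, reason) for a request presenting cookie `sid`."""
        s = self._sessions.get(sid)
        if s is None or not s["active"]:
            return False, "unknown-or-revoked"
        if s["fp"] != fp or s["asn"] != asn:
            # A cookie replayed from another machine normally arrives with a
            # different fingerprint and from a different network.
            return False, "binding-mismatch"
        return True, "ok"

    def revoke_user_sessions(self, user):
        """Invalidate every active session of `user`; returns how many were revoked."""
        count = 0
        for s in self._sessions.values():
            if s["user"] == user and s["active"]:
                s["active"] = False
                count += 1
        return count


def parse_line(line):
    """'<ts> k=v k=v ...' -> dict with the timestamp under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = ts
    return fields


def replay_log(lines):
    """Feed the request log through the store: a /login line issues the cookie,
    every other line must pass validation. Returns the rejected requests."""
    store = SessionStore()
    alerts = []
    for line in lines:
        r = parse_line(line)
        if r["path"] == "/login":
            store.issue(r["sid"], r["user"], r["fp"], r["asn"])
            continue
        ok, reason = store.validate(r["sid"], r["fp"], r["asn"])
        if not ok:
            alerts.append({"ts": r["ts"], "user": r["user"], "sid": r["sid"],
                           "ip": r["ip"], "reason": reason})
    return alerts


# Constructed sample log. Alice's cookie S1 is later presented from a different
# browser and network (the stolen-cookie case). Bob's IP changes within the same
# ASN, which carrier NAT does routinely, and is accepted.
REQUEST_LOG = [
    "2025-12-02T08:01:10Z user=alice sid=S1 fp=win11-chrome-131 asn=AS64496 ip=203.0.113.10 path=/login",
    "2025-12-02T08:05:41Z user=alice sid=S1 fp=win11-chrome-131 asn=AS64496 ip=203.0.113.10 path=/mail",
    "2025-12-02T09:17:03Z user=alice sid=S1 fp=win10-firefox-128 asn=AS64500 ip=198.51.100.77 path=/mail",
    "2025-12-02T09:18:30Z user=alice sid=S1 fp=win10-firefox-128 asn=AS64500 ip=198.51.100.77 path=/settings/payment",
    "2025-12-02T10:00:00Z user=bob sid=S2 fp=mac-safari-18 asn=AS64496 ip=203.0.113.20 path=/login",
    "2025-12-02T10:02:12Z user=bob sid=S2 fp=mac-safari-18 asn=AS64496 ip=203.0.113.21 path=/mail",
]

if __name__ == "__main__":
    for alert in replay_log(REQUEST_LOG):
        print(alert)
```

Binding on ASN rather than on the exact IP keeps mobile and carrier-NAT users from being logged out every few minutes, at the cost of missing an attacker on the same network; a fingerprint change alone is still treated as a mismatch. The revocation method is the piece a password reset should call: the NCSC advice to change passwords only helps if the sessions issued before the change die with it.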
Credential reuse opens doors everywhere. One compromised personal device can expose credentials for corporate email, VPNs, cloud platforms and internal systems. If an employee reuses passwords across services, or if their browser has saved work credentials, a single infection at home can hand an attacker a direct path into the business.
Stolen data enables targeted phishing. Autofill data, browser history and documents harvested by infostealers give attackers the context to craft convincing phishing emails against the victim's employer or colleagues.
Infostealers pave the way for ransomware. Microsoft has observed ransomware threat actors including Octo Tempest (also known as Scattered Spider, a group we have written about previously) using Lumma Stealer in their attack chains. The infostealer provides the initial access. The ransomware follows.
What Can Businesses Do?
The NCSC's advice to individuals after the Lumma Stealer alert focused on running antivirus scans and changing passwords. Sound advice at a personal level, though businesses need to go further.
Enforce credential hygiene. Roll out a password manager across the organisation. Make sure no corporate credentials are being saved in personal browsers. We wrote a practical guide on password managers that walks through how to get this done.
Deploy phishing-resistant MFA. Push notifications and SMS codes are an improvement over passwords alone, though they can still be bypassed by infostealers that capture session cookies, or by MFA fatigue attacks. Hardware security keys (FIDO2/WebAuthn) or certificate-based authentication offer stronger protection. Our article on MFA-fatigue attacks covers this in detail.
Monitor for stolen credentials. Services exist that scan dark web marketplaces and infostealer log dumps for your organisation's domains and credentials. If an employee's credentials show up in a log, you want to know before an attacker puts them to work.
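What to do with a hit from such a service depends on whether the leaked password is still the one in use. The following added example (not the article's code, and not any monitoring product's API) shows that triage step. It assumes a feed of `email:password:source` records, as a service scanning infostealer log dumps might return, and a directory that stores PBKDF2 password hashes; the domains, accounts, passwords and feed lines are all constructed.

```python
"""Triage of a stolen-credential feed against the corporate directory.

Added example, not part of the original article or any monitoring product.
It assumes a feed of `email:password:source` records, as a service scanning
infostealer log dumps might return, and a directory holding PBKDF2 password
hashes. The domains, accounts, passwords and feed lines are all constructed.
"""
import hashlib
import hmac

CORPORATE_DOMAINS = {"example.co.nz", "corp.example.co.nz"}
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def build_directory():
    """Constructed directory: email -> (salt, hash). Fixed salts keep the example
    deterministic; a real directory uses random per-user salts."""
    seed = {
        "alice.smith@example.co.nz": ("Winter2025!", b"salt-alice"),
        "bob@corp.example.co.nz": ("correct-horse-battery", b"salt-bob"),
    }
    return {email: (salt, hash_password(pw, salt)) for email, (pw, salt) in seed.items()}


def parse_record(line):
    """'email:password:source' -> (email, password, source). The password may
    itself contain ':', so take the source off the right first."""
    rest, source = line.rsplit(":", 1)
    email, password = rest.split(":", 1)
    return email.strip().lower(), password, source.strip()


SEVERITY = {"unknown-account": 1, "notify": 2, "reset-now": 3}


def triage(feed_lines, directory):
    """Return email -> action for every record belonging to a corporate domain.

    reset-now        the leaked password still verifies against the directory
    notify           account is ours but the leaked password is not current
    unknown-account  our domain, but no such account (typo, ex-employee, alias)
    Duplicate records keep the most severe action seen for that account."""
    actions = {}
    for line in feed_lines:
        email, password, _source = parse_record(line)
        domain = email.rpartition("@")[2]
        if domain not in CORPORATE_DOMAINS:
            continue
        entry = directory.get(email)
        if entry is None:
            action = "unknown-account"
        else:
            salt, stored = entry
            # constant-time comparison, as for any password check
            current = hmac.compare_digest(stored, hash_password(password, salt))
            action = "reset-now" if current else "notify"
        if SEVERITY[action] > SEVERITY.get(actions.get(email), 0):
            actions[email] = action
    return actions


# Constructed feed lines in the assumed format.
LEAK_FEED = [
    "Alice.Smith@Example.co.nz:Winter2025!:stealer-log-2025-11-28",
    "bob@corp.example.co.nz:Summer2019:combo-list-2019",
    "alice.smith@example.co.nz:Winter2025!:stealer-log-2025-11-29",
    "someone@mail.example:hunter2:stealer-log-2025-11-28",
    "ex.employee@example.co.nz:pa:ss:word:stealer-log-2025-11-30",
]

if __name__ == "__main__":
    for email, action in sorted(triage(LEAK_FEED, build_directory()).items()):
        print(f"{action:16} {email}")
```

A "notify" outcome is not an all-clear: the account was on an infected device, so its owner is a candidate for the password-reuse check in the next point, and the recent sessions on that account are worth reviewing. Accounts the directory does not know about are kept in the output on purpose, since an alias or a former employee's address in a fresh stealer log still points at a machine somebody in the organisation used.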
Restrict browser credential storage on corporate devices. Group Policy or MDM settings can prevent browsers from saving passwords. If credentials are never stored in the browser, an infostealer has far less to take.
Segment and limit access. Apply the principle of least privilege so that a compromised login has a limited blast radius. A marketing team member's credentials should not open a path to financial systems or customer databases.
Test your defences. A penetration test simulates how an attacker with stolen credentials or a network foothold would move through your environment. It identifies gaps between what you think is protected and what actually is. That includes testing whether session tokens are properly invalidated, whether lateral movement is possible from a compromised workstation and whether your detection capabilities would catch an attacker using legitimate credentials.
So What Now?
Infostealers are not exotic or niche. They are a commodity, sold cheaply, deployed at scale and already affecting tens of thousands of New Zealanders. The NCSC's December 2025 outreach made that clear.
For businesses, the risk is not limited to whether an employee's personal device gets infected. The real question is what happens after that: compromised credentials used to access corporate systems, redirect payments, steal data or stage a ransomware attack.
The organisations that handle this well tend to share a common approach. They assume compromise will happen and build accordingly. Strong authentication. Credential monitoring. Segmented access. Regular testing to make sure the whole thing holds up when it counts.