Security experts warn of surge in malware targeting credentials stored in password vaults and managers as adversarial focus and tactics shift. ‘Like hitting the jackpot.’

Security watchers warn of a three-fold increase in malware that targets credential stores, such as password managers and browser-stored login data.

The study by Picus Security, which was based on analysis of 1 million real-world malware samples, also found that 93% of all malicious actions mapped to just 10 MITRE ATT&CK techniques.

Password store security trade-offs

Password stores are secure repositories designed to manage and protect sensitive authentication data, including usernames, passwords, encryption keys, and other credentials. Stores come in various forms, tailored to use cases and resident operating systems.

The main types of password stores include Keychain (for macOS and iOS), built-in password managers in browsers such as Chrome and Firefox, Windows Credential Manager, and dedicated password managers such as LastPass, 1Password, and Bitwarden. The category also includes cloud secrets management stores, like AWS Secrets Manager and Azure Key Vault, and the caches and memory of third-party software.

Password stores aim to enhance security by providing encrypted storage and convenient access to credentials, reducing the risk of password reuse and simplifying the management of multiple complex passwords. Unfortunately, their centralized nature also makes them attractive targets for cybercriminals, who go after them with various strains of malware.

Malware-as-a-service infostealers

For example, RedLine Stealer is specifically designed to target and steal sensitive information, including credentials stored in web browsers and other applications. It is often distributed through phishing emails or by tricking prospective marks into visiting booby-trapped websites laced with malicious downloaders.
Another threat comes from Lumma Stealer, offered for sale as a malware-as-a-service and used by criminals to target cryptocurrency wallets, login credentials, and other sensitive information on a compromised system.

Substantial increases in infostealer malware use were also reported in 2022, but Dr. Suleyman Ozarslan, Picus Security co-founder and VP of Picus Labs, told CSO that this recent three-fold increase in malware targeting password stores represents a significant shift in adversarial focus and tactics.

Newer operating systems have implemented robust defenses against traditional credential dumping techniques, such as those targeting LSASS (Local Security Authority Subsystem Service) memory and the Security Account Manager — forcing cybercriminals to switch up their tactics.

“As operating systems implement stronger defenses against traditional credential dumping techniques, attackers are adapting their tactics to focus on less-protected targets like password stores,” Dr. Ozarslan said.

Password store attacks typically require fewer specialized privileges; often, the malware just needs user-level access to scrape or export data.

Password reuse across multiple accounts, including password managers, allows attackers to leverage credentials stolen from one breach to attempt access to other services through so-called credential stuffing attacks.

Cybercriminals feast on credential theft

Stolen credentials from password stores often include not just domain logins, but also credentials for financial, administrative, and strategic cloud services.

Chris Morgan, senior cyber threat intelligence analyst at threat intel firm ReliaQuest, said that credential theft remains one of the most common methods used by threat actors — largely because it continues to work.

“Endemic security failings across most sectors persist, leaving the door wide open for exploitation,” Morgan said.
ReliaQuest collections reveal a greater than 50% increase in infostealer logs — containing harvested credential pairs — posted on the dark web in 2024 compared to 2023. During the same period, initial access listings on cybercriminal platforms surged by 142%.

This surge in available credentials has empowered initial access brokers (IABs) to deliver quick, low-effort access to privileged systems at scale. Among the 2024 incidents analyzed by ReliaQuest, 50% involved the use of valid or exposed credentials for initial access.

“The consequences are staggering: 66% of customer ransomware incidents in 2024 stemmed from initial access likely purchased from an IAB, underscoring how stolen credentials are paving the way for ransomware attacks,” Morgan said. “While not all of these incidents are related to the targeting of credential stores, these findings highlight the growing role of infostealing malware in facilitating cybercrime, cementing its place as a key enabler of large-scale attacks.”

Matt Berzinski, senior director at Ping Identity, told CSO that credential store attacks are surging because they offer threat actors a massive return on investment.

“For threat actors, gaining access to a password manager is like hitting the jackpot,” Berzinski said. “Picus Security’s findings reflect a broader trend: Attackers increasingly target browser-stored logins and stolen credentials from the dark web, then reuse those passwords across multiple sites to gain access.”

Berzinski added: “Once they’re in a credential store, they can move laterally to gain more intelligence — a hacker’s playground.”

Attack automation allowing attackers to hack at scale

Attacks against credential stores are rising partly because these attacks have become easier and more automated, with widely available tools enabling cybercriminals to extract and exploit credentials at scale.
In addition, “many businesses still rely on passwords as their primary defense, despite the known security risks, due to challenges around MFA [multi-factor authentication] adoption and user friction,” Berzinski said.

David Sancho, senior threat researcher at anti-malware vendor Trend Micro, told CSO that the increase in malware targeting credential stores is unsurprising.

“We are definitely seeing a rise in malware targeting credential stores, but this is hardly a surprise to anybody,” Sancho said. “Credential stores are where credentials are located, specifically on the browser. Every time you let the browser ‘memorize’ a user/password pair, it gets stored somewhere. Those locations are certainly the prime targets — and have been for a long time — for infostealers.”

Darren Guccione, CEO and co-founder of password manager vendor Keeper Security, acknowledged that cybercriminals were targeting credential stores but argued that some applications were better protected than others.

“Not all password managers are created equal, and that distinction is critical as cybercriminals increasingly target a broad range of cybersecurity solutions, including credential stores,” Guccione said. “Some password managers offer airtight protection with zero-trust architecture and encryption that even the provider cannot access, while others leave sensitive data more vulnerable to malware and breaches.”

Best practice advice

Enterprise security managers should look to deploy more secure password manager technologies that offer zero-knowledge encryption, ensuring only the end user can access stored credentials. Users should seek products with full end-to-end encryption, with encryption and decryption of data always occurring locally on the user’s device.

Organizations should also implement privileged access management (PAM) to enforce least-privilege access and monitor privileged accounts in real time.
“Even the most secure password manager requires user diligence to ensure it is properly protected — the use of a strong, unique master password and multi-factor authentication (MFA) are essential,” Guccione said. “Features like device verification further protect against password-stuffing attacks.”