
How to remediate infostealer infections: A step-by-step guide for security teams


When a new infostealer infection appears on your Hadrian dashboard, it means that sensitive data is already in the hands of cybercriminals. Security teams must respond to a compromised device in a fast and structured manner. This guide explains what an infostealer does, what it means for your organization's security, and how to respond effectively—step by step.

What is an infostealer?

An infostealer is a type of malware specifically designed to harvest sensitive information from an infected device. Unlike ransomware, which makes its presence known by locking files or demanding payment, infostealers operate silently in the background. Their goal is to exfiltrate as much data as possible without detection, which includes:

  • Usernames and passwords stored in browsers or password managers
  • Session cookies that allow account access without credentials (bypassing MFA)
  • System information, including OS version, IP address, location, and browser version
  • File contents from targeted directories (e.g., Desktop, Downloads)
  • Screenshots of active windows and sessions
  • Browser autofill data (e.g., addresses, credit card info)

Once stolen, this data can be abused immediately to gain access to corporate accounts, impersonate employees, or move laterally across systems. The stolen data is often sold on dark web marketplaces by Initial Access Brokers (IABs), who specialize in selling access to compromised systems. These credentials are then purchased by other cybercriminal groups—often as a first step toward deploying ransomware or launching further attacks.

How security teams should respond

If there's evidence that an infostealer has exfiltrated data that could be used to target your organization, you should take immediate action. In Hadrian’s Verified Risk section, you can monitor for compromised data associated with your environment. The alerts are linked to your organization's email domains and URLs, and reveal:

  1. Credentials stolen from corporate devices
  2. Credentials stolen from unmanaged bring-your-own-device (BYOD) hardware used by employees
  3. Credentials belonging to third parties (e.g. contractors or partners) that were used to access your systems

Monitoring unmanaged devices is critical: according to Verizon’s 2025 Data Breach Investigations Report, 46% of infostealer-infected systems holding compromised corporate credentials were unmanaged devices.

The following five steps should be taken when an infostealer infection is detected or suspected. 

Step 1: Revoke access

Both the user’s credentials and device could be used by a cybercriminal to gain access to the corporate systems. It is therefore important to take action at both the user account and device levels:

  1. Disable the user’s access to internal systems and networks, and only re-enable it once the remaining four steps have been completed.
  2. Terminate all active sessions and invalidate session and refresh tokens, since a stolen session cookie lets the attacker in without a password and without triggering MFA.
  3. Rotate any long-lived secrets the device may have held, such as API keys, SSH keys or tokens stored in configuration files, because infostealers also collect files from the user’s folders.

Note: Complete an audit of all of the user’s accounts, not just those centrally managed through Identity and Access Management (IAM) tools. Verify that access has been revoked for VPN, HR tools, financial systems and any tool that is not centrally managed.
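The following is an added example, not Hadrian's code, of why session revocation has to happen on the server side. A stolen cookie lets the attacker skip the password and the MFA prompt, and changing the password does nothing to a token the attacker already holds; the server must refuse tokens issued before the revocation. The toy identity service below keeps a per-user "sessions invalid before" timestamp plus a maximum token lifetime. The token format, signing key and user name are assumptions made for the example.

```python
"""Added example (not Hadrian's code): why revoking sessions is a server-side step.

A stolen session cookie lets the attacker skip the password and MFA prompt, and
changing the password does not invalidate a token the attacker already holds.
The server must refuse tokens issued before the revocation. This toy identity
service keeps, per user, a "sessions invalid before" timestamp plus a maximum
token lifetime. The token format, signing key and user names are assumptions
made for the example.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SIGNING_KEY = b"example-key-not-for-production"  # assumption: demo key only
MAX_LIFETIME = timedelta(hours=8)                # short lifetime limits replay (Step 5)


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


@dataclass
class SessionStore:
    # user -> tokens issued before this instant are rejected
    revoked_before: dict[str, datetime] = field(default_factory=dict)
    disabled: set[str] = field(default_factory=set)

    def issue(self, user: str, issued_at: datetime) -> str:
        payload = json.dumps({"sub": user, "iat": issued_at.isoformat()}).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

    def disable_user(self, user: str) -> None:
        self.disabled.add(user)

    def enable_user(self, user: str) -> None:
        self.disabled.discard(user)

    def revoke_all_sessions(self, user: str, at: datetime) -> None:
        """Step 1, item 2: every token issued before `at` becomes invalid."""
        self.revoked_before[user] = at

    def validate(self, token: str, now: datetime) -> tuple[bool, str]:
        try:
            body, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(body)
        except ValueError:
            return False, "malformed"
        if not hmac.compare_digest(sig, _sign(payload)):
            return False, "bad signature"
        claims = json.loads(payload)
        user = claims["sub"]
        issued_at = datetime.fromisoformat(claims["iat"])
        if user in self.disabled:
            return False, "account disabled"
        if now - issued_at > MAX_LIFETIME:
            return False, "expired"
        cutoff = self.revoked_before.get(user)
        if cutoff is not None and issued_at < cutoff:
            return False, "revoked"
        return True, "ok"


def walkthrough() -> dict[str, tuple[bool, str]]:
    """Replays the Step 1 sequence against a cookie lifted by an infostealer."""
    store = SessionStore()
    t0 = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)
    stolen = store.issue("alice", t0)  # cookie exfiltrated from the infected device
    h = timedelta(hours=1)
    results = {}
    # Two hours later the attacker replays the cookie: no password, no MFA, accepted.
    results["replay_before_response"] = store.validate(stolen, t0 + 2 * h)
    # The security team disables the account and revokes all sessions.
    store.disable_user("alice")
    store.revoke_all_sessions("alice", t0 + 3 * h)
    results["replay_while_disabled"] = store.validate(stolen, t0 + 3 * h)
    # After cleanup (Steps 2-4) the account is re-enabled and a new session issued;
    # the old cookie stays dead because it predates the revocation cutoff.
    store.enable_user("alice")
    fresh = store.issue("alice", t0 + 6 * h)
    results["replay_after_reenable"] = store.validate(stolen, t0 + 6 * h)
    results["fresh_session"] = store.validate(fresh, t0 + 6 * h)
    # The new session still dies on its own once MAX_LIFETIME has passed.
    results["fresh_session_next_day"] = store.validate(fresh, t0 + 24 * h)
    return results


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step:26s} {outcome}")
```

The point of the walkthrough is the order of checks: disabling the account stops everything at once, but it is the revocation cutoff that keeps the stolen cookie dead after the account is re-enabled in Step 4. Real identity providers expose the same semantics as a "revoke all sessions" or "sign out everywhere" action; a password reset alone does not trigger it on every platform, so run it explicitly.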

Step 2: Investigate for abuse

Once access has been revoked, verify that the threat actor has not already used the stolen data to gain access to corporate systems. They may have established persistence or set up other methods of accessing the corporate network. Review the following for signs of compromise:

  1. Logins from unfamiliar IPs or devices
  2. Activity at unusual hours or locations
  3. Unusual access of sensitive files or systems
  4. Large file transfers or copying of confidential data

Note: If there are signs of suspicious activity, a forensic investigation should be launched to determine the full extent of the attack.
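The following is an added example, not Hadrian's code, that scores a user's post-infection activity against the four indicators listed above. The log format, field names, working-hours window and "large transfer" threshold are assumptions made for the example; identity-provider sign-in logs and file audit logs carry equivalent fields. The sample log is constructed.

```python
"""Added example (not Hadrian's code): triage a user's activity against the four
indicators from Step 2. Log format, field names, the working-hours window and the
large-transfer threshold are assumptions; the sample log is constructed.
"""
from __future__ import annotations

import json
from datetime import datetime

# Assumptions for the triage rules
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 UTC counts as a normal hour
SENSITIVE_PREFIXES = ("/finance/", "/hr/")
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024

# Constructed sample log: normal activity in May, then events from the night the
# stolen credentials were used. One JSON event per line.
SAMPLE_LOG = """\
{"ts":"2025-05-02T08:55:00Z","user":"alice","type":"login","ip":"203.0.113.7","device":"LAPTOP-ALICE","country":"NL"}
{"ts":"2025-05-14T09:10:00Z","user":"alice","type":"login","ip":"203.0.113.7","device":"LAPTOP-ALICE","country":"NL"}
{"ts":"2025-05-20T14:03:00Z","user":"alice","type":"file_access","path":"/finance/q2-forecast.xlsx","bytes":120000}
{"ts":"2025-06-03T03:12:00Z","user":"alice","type":"login","ip":"198.51.100.23","device":"DESKTOP-7H2K","country":"RU"}
{"ts":"2025-06-03T03:20:00Z","user":"alice","type":"file_access","path":"/finance/payroll-2025.xlsx","bytes":2500000}
{"ts":"2025-06-03T03:25:00Z","user":"alice","type":"download","path":"/finance/","bytes":850000000}
{"ts":"2025-06-03T10:00:00Z","user":"alice","type":"login","ip":"203.0.113.7","device":"LAPTOP-ALICE","country":"NL"}
"""


def _parse_ts(value: str) -> datetime:
    # Python < 3.11 does not accept a trailing "Z" in fromisoformat
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(log_text: str, user: str, infection_reported: str) -> list[dict]:
    """Return the post-infection events that match at least one indicator.

    Events before `infection_reported` form the baseline of known IPs, devices
    and countries; events after it are checked against that baseline.
    """
    cutoff = _parse_ts(infection_reported)
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events = [e for e in events if e["user"] == user]

    known = {"ip": set(), "device": set(), "country": set()}
    for e in events:
        if e["type"] == "login" and _parse_ts(e["ts"]) < cutoff:
            for key in known:
                known[key].add(e[key])

    findings = []
    for e in events:
        ts = _parse_ts(e["ts"])
        if ts < cutoff:
            continue
        indicators = []
        if e["type"] == "login":
            for key in known:                          # indicators 1 and 2: new IP, device, location
                if e[key] not in known[key]:
                    indicators.append(f"unfamiliar {key}")
        if ts.hour not in BUSINESS_HOURS:             # indicator 2: unusual hour
            indicators.append("unusual hour")
        path = e.get("path", "")
        if path.startswith(SENSITIVE_PREFIXES):       # indicator 3: sensitive files or systems
            indicators.append("sensitive resource")
        if e.get("bytes", 0) >= LARGE_TRANSFER_BYTES:  # indicator 4: bulk copying
            indicators.append("large transfer")
        if indicators:
            findings.append({"ts": e["ts"], "type": e["type"], "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, "alice", "2025-06-01T00:00:00Z"):
        print(f["ts"], f["type"], ", ".join(f["indicators"]))
```

On the sample, the three events from 03:12 to 03:25 are flagged and the user's own 10:00 login from a known device is not. The baseline is deliberately taken only from logins before the infection was reported, because anything after that point may itself be the attacker; the cutoff should be the earliest plausible infection date, not the date the alert arrived.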

Step 3: Remove infostealer malware

Infostealer malware will continue to extract data from infected devices, so it’s essential to fully clean the device before restoring access—otherwise, any new credentials entered will also be stolen. The cleanup process will follow one of two approaches, depending on the management type of device involved:

  1. Managed devices: The IT team should take control of the device and ensure that it is fully cleaned and scanned to confirm that it is safe for use again.
  2. Unmanaged devices: These could be the user’s personal devices or a third party’s devices; in both cases you will need to guide the owner through the cleaning process.

Note: When users are notified that their personal device is infected with an infostealer, it means both their work credentials and personal sensitive information have likely been stolen. Provide them with support and clear instructions to aid them through this process; a three-part plan is outlined below.

Step 4: Reset passwords and enforce MFA

Once the device has been cleaned, the user’s access can be restored. Any password stored on or typed into the device while it was infected should be considered compromised and reset. To improve security, the following additional steps can be implemented if they are not already in place:

  1. Set up a password manager for the user so that they can securely manage their passwords.
  2. Where possible, enforce multi-factor authentication (MFA) for all services. Bear in mind that MFA does not protect a session whose cookie has already been stolen, which is why the sessions were revoked in Step 1.

Step 5: Evaluate and harden your environment

With the incident contained, steps should be taken to prevent future infections. These steps should consist of an investigation into the infostealer incident and recommendations for improvements.

The investigation should aim to answer the following questions:

  1. Was the confidentiality, integrity and availability of data within the organization impacted by the infection?
  2. What was the potential impact of the infection had it not been detected and remediated?
  3. Are there preventative measures that could be implemented to prevent future infostealer infections?

Possible improvements to mitigate infostealer infections:

  1. Prevent access of corporate networks from unmanaged devices.
  2. Require third parties to use managed devices when accessing your systems.
  3. Shorten session token durations to limit the impact of potential future attacks.
  4. Raise employee awareness by launching awareness campaigns about infostealers.
  5. Monitor the dark web for stolen corporate credentials to identify potential infections.

Actions to take if a personal device is infected

If a user’s personal device is infected by infostealer malware the following three part plan should be followed to help them limit the impact and prevent further damage. IT teams are encouraged to support the users where possible as it can be a stressful and complicated process.

Users should be made aware of the fact that infostealers are malware that is designed to evade detection and steal sensitive information from their device, including both work and personal data. They should avoid using the device until the following have been completed:

Part 1: Resetting all of their passwords

From a secure device, users should change their passwords, starting with their email, password manager, financial accounts, cloud services, and social media. If services support it, users should force logout of all sessions so attackers can no longer access them.

Note: Infostealers may have also stolen files stored on the device, such as passport photos, their browser history, and captured screenshots while the device was being used. Additional steps may need to be taken by the user based on their stored files or device usage. They are outlined further in Part 3 of this guide.

Part 2: Removing the malware

The device should be cleaned before it can be used again to prevent the attacker from stealing credentials again. There are two main options:

  1. Install a trusted antivirus solution, such as Sophos Home, to detect and remove the infostealer. Be aware that antivirus tools can lag behind new infostealer variants and may fail to detect or fully remove them, so a clean scan alone is not proof that the device is clean.
  2. Perform a factory reset to remove all installed programs, including the infostealer. Although this method guarantees the infostealer is removed, it can also result in the loss of all local files. Some operating systems allow users to keep their files while performing a reset; Windows users can combine the “Cloud download” and “Keep my files” options to keep their files while resetting the device. Files kept this way may still include the original malicious download, so they should be scanned before being opened.

Note: The device may have been infected for some time before the infection was detected, so users should not restore it from old backups unless they are sure those backups are clean.

Part 3: Limiting further damage

Users should notify their bank and close contacts about the infection. If the infected device was used for online banking, users should review their accounts for suspicious activity and contact their bank about any suspicious logins or payments. Close contacts may have been sent suspicious links or files intended to spread the infection to them, so they should be warned not to open these.

Note: Cybercriminals often continue to target users even after an initial infostealer infection. Using stolen personal information, they can craft highly convincing follow-up attacks that are harder to detect. To reduce the risk of further compromise, users should use a password manager, enable multi-factor authentication (MFA) where possible, and keep their devices up to date by turning on automatic system updates.
