Commentary: Infostealer malware hits military & defense contractors - Malware Update

After the recent report that U.S. military agencies and defense contractors, including Lockheed Martin and Boeing, have been compromised by Infostealer malware, leading to the theft of sensitive data from official devices, the following commentary comes from Trea Zemaitis, a Senior Security Engineer with Core4ce, a federal contractor with expertise in data and cyber operations.
Infostealer malware grants adversaries direct access to stolen credentials from the U.S. military and defense sectors, significantly accelerating what are often the most challenging phases of a cyber operation: initial access or privilege escalation. Adversaries typically spend extensive time harvesting valid credentials—often triggering detection alerts through brute-force attempts, phishing campaigns, or remote code execution against exposed assets. However, enabled with Infostealer malware, attackers can gain direct access through targeted, pre-compromised authentication methods, bypassing the need for their teams to conduct initial access operations themselves.
More critically, some of these credentials lead to high-value internal platforms like Bitbucket, Jira, Confluence, or other DevOps and collaboration tools. Access to these platforms not only provides insight into an organization's infrastructure but often reveals further access to privileged accounts, facilitating lateral movement toward the operation's objective. Attackers can rapidly identify sensitive repositories, exploit stored credentials or API keys, and pivot toward critical systems.
Adversaries can now bypass lengthy reconnaissance and initial access phases while reducing their chances of triggering initial security alerts or tippers. This Infostealer-enabled attack chain makes the job of network defenders substantially more difficult, as adversaries would be leveraging valid accounts, likely increasing their dwell time on the network. Longer dwell times provide attackers greater opportunities to exfiltrate data, establish persistence, and further escalate privileges, significantly amplifying the risk.