New research by Kaspersky Digital Footprint (DFI) has discovered that more than one-third of infostealer infections start when users run files directly from temporary browser folders, showing that user behavior remains a key factor behind credential theft. Just 32% of infostealer attacks use process injection and living off the land techniques — behavior typical of advanced malware families.
Kaspersky DFI researchers analyzed 5 million infostealer log files discovered on the dark web in 2025. These logs, which contain data stolen from compromised devices such as account credentials, browser cookies and system metadata, also revealed the original locations of malicious files on infected machines.
The most common location was the Windows temporary directory, C:\Users\AppData\Local\Temp\, which accounted for approximately 35% of all observed cases. This folder is commonly used to store files downloaded from the internet before they are explicitly saved by a user: a significant share of infections occurs when users directly launch downloaded files, without attackers relying on sophisticated evasion techniques.
The second most common location, responsible for about 32% of cases, was C:\Windows\Microsoft.NET\Framework\. This path is associated with process injection and living-off-the-land techniques, in which malware abuses legitimate system processes to evade detection. Such behavior is commonly observed in more advanced infostealer families, including Lumma.
The analysis indicates that infections are often linked to two risky user actions: downloading software from untrusted sources and attempting to activate software illegally. In many cases, victims follow instructions provided by threat actors and disable security software before running malicious files. According to the research, many malicious files were disguised as legitimate software installers, activators or game modifications. While game mods remain a common lure, attackers frequently adapt the same techniques to distribute virtually any type of software.
"Infostealers surged in 2025, with infections rising 59% year over year. Our analysis shows that user behavior remains a key factor behind many of these compromises. The volume of infostealers executed from temporary download folders, suggests that users often launch them immediately after downloading. In many cases, attackers do not need sophisticated techniques, they simply need to convince a user to run a file," said Sergey Shcherbel, expert at Kaspersky Digital Footprint Intelligence.
Beyond behavioural traits, distinct naming patterns were also observed across infostealer families. Lumma tends to favour generic installer names, .NET obfuscation and process injection. Vidar, in turn, typically appears as Bootstrapper.exe variants relying on conventional loaders. Stealc follows a mixed strategy, using both meaningful names like Licence_Version_Loader.exe and randomly generated filenames. RisePro, by contrast, stands out through recurring conventions such as MPGPH.exe and MSIUpdater.exe
The full report is available here.
To reduce the risk of infostealer infections, Kaspersky recommends businesses do the following:
Adopt a comprehensive digital risk protection service that monitors organizations' digital assets and detects threats across the surface, deep and dark web such as Kaspersky Digital Footprint Intelligence.
Provide your InfoSec professionals with an in-depth visibility into cyberthreats targeting your organization. The latest Kaspersky Threat Intelligence provides them with rich and meaningful context across the entire incident management cycle and helps them identify cyber risks in a timely manner.
To stay safe users are recommended to:
Download software only from official and trusted sources, avoiding pirated software, cracks, activators and unofficial installers.
Use a strong security solution on all computers and mobile devices, such as Kaspersky Premium. It will warn you about potential threats and prevent infection.
Manage sensitive data securely: avoid storing passwords or recovery phrases in your photo gallery or notes; instead, use a dedicated, trusted password manager such as Kaspersky Password Manager.
Never disable antivirus or security tools to install software and exercise caution when downloading game mods, cheats or third-party utilities.
Keep operating systems and applications updated, use strong, unique passwords and enable multi-factor authentication wherever possible.
