SparTech Software CyberPulse – Your quick strike cyber update for January 3, 2026 4:05 PM

Threat Actors Use Infostealers to Turn Legitimate Businesses into Malware Hosts

This report details a campaign in which cybercriminals use infostealer malware to compromise legitimate businesses and turn them into unwitting hosts for malware distribution; detections were noted on January 3, 2026.

Campaign Overview

Cybercriminals have initiated a multi-stage operation targeting small to medium-sized enterprises, primarily in e-commerce and SaaS sectors. The attack begins with the deployment of advanced infostealer variants, such as refined versions of RedLine and Raccoon, which harvest credentials, session tokens, and API keys from infected endpoints. These stolen assets grant attackers persistent access to business infrastructures, enabling them to pivot from reconnaissance to weaponization.

Technical Mechanics of Infostealer Deployment

Infostealers are delivered via phishing lures disguised as software updates or invoice attachments, exploiting unpatched vulnerabilities in browsers and email clients. Once executed, the malware employs process hollowing to evade endpoint detection and response tools, injecting payloads into legitimate processes like explorer.exe. Data exfiltration occurs over encrypted DNS tunnels, masking C2 communications as routine domain queries. Extracted credentials are then auctioned on underground forums or directly utilized for lateral movement.

Transformation into Malware Hosts

With administrative access secured, attackers modify server configurations to host secondary malware payloads, including downloaders for ransomware affiliates and botnet components. Compromised websites are injected with malicious JavaScript that redirects visitors based on geolocation and user-agent profiling, serving exploit kits like Magnitude or RIG. Server-side scripts, often in PHP or Node.js, are altered to distribute the infostealers further, creating a self-sustaining cycle in which infected businesses unwittingly spread the threat.

Deep Technical Analysis: Obfuscation and Persistence

Payloads feature multi-layer obfuscation using tools like ConfuserEx for .NET binaries and custom packers for JavaScript. Persistence is achieved through scheduled tasks mimicking system maintenance and registry run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Behavioral analysis reveals dynamic API resolution to bypass static signatures, with anti-analysis checks detecting virtualized environments via CPUID instructions and timing discrepancies.

Mitigation Strategies

Organizations should implement credential hygiene practices, including just-in-time access and multi-factor authentication for all accounts. Deploying browser sandboxing and script blockers thwarts initial infections. Network segmentation limits lateral movement, while anomaly detection on DNS traffic identifies exfiltration. Regular code audits of web applications and server hardening based on the principle of least privilege are essential to prevent hosting abuse.
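As an added example (not code from the original report) of the DNS anomaly detection recommended above, aimed at the encrypted-DNS-tunnel exfiltration described in the technical mechanics section: a small Python detector run over constructed resolver log lines. The log format, the upd-check.net domain and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not from the page), "timestamp client qname qtype".
# The upd-check.net lines imitate the tunnel pattern: many distinct, long,
# high-entropy subdomains that each carry a chunk of encoded data.
SAMPLE_LOG = """\
2026-01-03T15:58:01Z 10.0.4.21 www.example.com A
2026-01-03T15:58:02Z 10.0.4.21 cdn.example.com A
2026-01-03T15:58:03Z 10.0.4.21 4a7f9c2e1b8d03f6a5c9e2b7d1f4a8c3.upd-check.net TXT
2026-01-03T15:58:03Z 10.0.4.21 9e3b1d7f6c2a08e5b4d7f1a3c6e9b2d5.upd-check.net TXT
2026-01-03T15:58:04Z 10.0.4.21 c5d2a8f1e7b4093c6a1d8e5f2b7c4a9e.upd-check.net TXT
2026-01-03T15:58:05Z 10.0.4.21 mail.example.com MX
"""

def shannon_entropy(s: str) -> float:
    # Bits per character; hex- or base32-encoded chunks score around 3.5 to 4.
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def flag_tunnel_candidates(log_text, min_unique=3, min_entropy=3.0, min_len=24):
    # Group queries by registered domain (approximated as the last two labels;
    # a production detector would consult the Public Suffix List instead).
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "ent": 0.0, "len": 0, "txt": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate malformed lines instead of crashing the detector
        labels = parts[2].lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # a bare registered domain carries no subdomain payload
        domain, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
        s = stats[domain]
        s["n"] += 1
        s["subs"].add(sub)
        s["ent"] += shannon_entropy(sub)
        s["len"] += len(sub)
        s["txt"] += parts[3] in ("TXT", "NULL")  # record types favoured for bulk data
    flagged = {}
    for domain, s in stats.items():
        avg_ent, avg_len = s["ent"] / s["n"], s["len"] / s["n"]
        if len(s["subs"]) >= min_unique and avg_ent >= min_entropy and avg_len >= min_len:
            flagged[domain] = {"queries": s["n"], "unique_subdomains": len(s["subs"]),
                               "avg_entropy": round(avg_ent, 2),
                               "avg_label_len": round(avg_len, 1), "txt_or_null": s["txt"]}
    return flagged
```

Tune the thresholds against a baseline of your own resolver logs before alerting; CDNs and some telemetry services legitimately use long, random-looking subdomains.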
