Kaspersky: 35% of infostealer infections begin with users running files directly from temporary folders

NewsTrendsKE with APO News Updates

New research by Kaspersky Digital Footprint (DFI) (www.Kaspersky.co.za) has discovered that more than one-third of infostealer infections start when users run files directly from temporary browser folders, showing that user behaviour remains a key factor behind credential theft. Just 32% of infostealer attacks use process injection and living‑off‑the‑land techniques — behaviour typical of advanced malware families. 

Kaspersky DFI researchers analysed 5 million infostealer log files discovered on the dark web in 2025. These logs, which contain data stolen from compromised devices such as account credentials, browser cookies and system metadata, also revealed the original locations of malicious files on infected machines. 

The most common location was the per-user Windows temporary directory, C:\Users\<username>\AppData\Local\Temp, which accounted for approximately 35% of all observed cases. This folder is commonly used to store files downloaded from the Internet before they are explicitly saved by a user: a significant share of infections occurs when users directly launch downloaded files, without attackers relying on sophisticated evasion techniques.

The second most common location, responsible for about 32% of cases, was C:\Windows\Microsoft.NET\Framework. This path is associated with process injection and living-off-the-land techniques, in which malware abuses legitimate system processes to evade detection. Such behaviour is commonly observed in more advanced infostealer families, including Lumma (https://apo-opa.co/4efwnHn).

The analysis indicates that infections are often linked to two risky user actions: downloading software from untrusted sources and attempting to activate software illegally. In many cases, victims follow instructions provided by threat actors and disable security software before running malicious files. According to the research, many malicious files were disguised as legitimate software installers, activators or game modifications. While game mods remain a common lure, attackers frequently adapt the same techniques to distribute virtually any type of software.  

“Infostealers surged (https://apo-opa.co/4oxo3pT) in 2025, with infections rising 59% year over year. Our analysis shows that user behaviour remains a key factor behind many of these compromises. The volume of infostealers executed from temporary download folders suggests that users often launch them immediately after downloading. In many cases, attackers do not need sophisticated techniques; they simply need to convince a user to run a file,” said Sergey Shcherbel, expert at Kaspersky Digital Footprint Intelligence.

Beyond behavioural traits, distinct naming patterns were also observed across infostealer families. Lumma tends to favour generic installer names, .NET obfuscation and process injection. Vidar, in turn, typically appears as Bootstrapper.exe variants relying on conventional loaders. Stealc follows a mixed strategy, using both meaningful names like Licence_Version_Loader.exe and randomly generated filenames. RisePro, by contrast, stands out through recurring conventions such as MPGPH.exe and MSIUpdater.exe. 

The full report is available here (https://apo-opa.co/4xE67OE). 

To reduce the risk of infostealer infections, Kaspersky recommends businesses do the following: 

To stay safe users are recommended to: 

Distributed by APO Group on behalf of Kaspersky.

For further information please contact:
Nicole Allman
nicole@inkandco.co.za

Follow us:
Facebook: https://apo-opa.co/4fRBlvi
X: https://apo-opa.co/4oz3aL7
YouTube: https://apo-opa.co/4oAEvpq
Instagram: https://apo-opa.co/4oyNure
Blog: https://apo-opa.co/4vfetKK

About Kaspersky: 
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Innovating the industry with a Cyber Immunity approach, Kaspersky safeguards consumers, businesses, critical infrastructure, and governments from cyberthreats, with over a billion devices protected to date. Kaspersky ensures Cybersecurity True to Business, focusing on providing clear outcomes, protecting revenue, easing workloads and preventing downtime. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services for organizations of every size, from small businesses to large enterprises, combining proven AI-driven protection technologies with simple management and expert support. Recognized in independent tests and trusted by millions of individuals worldwide and nearly 200,000 organizations, Kaspersky helps detect threats earlier, respond faster and operate with greater confidence and freedom, protecting what matters most to our clients. Learn more at www.Kaspersky.co.za
