
Stealer malware doesn’t just steal passwords. In 2025, it steals live sessions, and attackers are moving faster and more efficiently than ever before.
Many associate account takeover with personal services, but the real threat is playing out in businesses. Flare’s latest research, Accounts and Session Takeover Economy, analyzed over 20 million stealer logs and tracked attacker activity across Telegram channels and dark web marketplaces. The findings reveal how cybercriminals turn infected employee endpoints into hijacked enterprise sessions.
This is the real timeline of modern session hijacking attacks.
Infection and data theft within an hour
A victim executes a malicious payload, typically disguised as cracked software, a fake update, or a phishing attachment. Stealer families such as RedLine (44% of logs), Raccoon (25%), and LummaC2 (18%) take over from there.
These malware kits:
- Extract browser cookies, stored credentials, session tokens, and crypto wallets
- Exfiltrate them within minutes to Telegram bots or command-and-control servers (10 Telegram channels alone supplied over 16 million logs)
- Automatically sort the logs by session type, location, and application
Session Token: New Currency
Within hours, cybercriminals sift through stolen data and focus on high-value session tokens.
- 44% of logs contain Microsoft session data
- 20% include Google sessions
- 5% or more expose tokens for AWS, Azure, or GCP cloud services
Using Telegram bot commands, attackers filter the logs by geography, application, and privilege level. Marketplace listings include browser fingerprint data and off-the-shelf login scripts that bypass MFA.
The prices of stolen sessions vary widely, with consumer accounts typically selling for $5 to $20, while enterprise-level AWS or Microsoft sessions can get over $1,200.
Full account access within hours
Once session tokens are purchased, the attacker imports them into an anti-detect browser and gains seamless access to business-critical platforms without triggering MFA or login alerts.
This isn’t about personal accounts being misused. It’s about attackers getting into the corporate environment:
- Access business email such as Microsoft 365 or Gmail
- Enter internal tools such as Slack, Confluence, or admin dashboards
Flare analyzed one stealer log that included live, ready-to-use access to Gmail, Slack, Microsoft 365, Dropbox, AWS, and PayPal. In the wrong hands, this level of session access can escalate into a serious breach within hours.
Why is this important: The scale of the threat
This is not an outlier. This is a large, industrialized underground market that fuels ransomware gangs, scammers, and espionage groups.
- Millions of valid sessions are stolen weekly
- Tokens are sold while still active for several days, allowing persistent access
- Session hijacking bypasses MFA
- Many organizations are blind to these breaches
These attacks do not result from breaches at Microsoft, Google, AWS, or any other service provider. Instead, they come from individual users infected with stealer malware, which quietly exfiltrates credentials and live session tokens. Attackers can leverage this user-level access to impersonate employees, steal data, and escalate privileges.
According to Verizon’s 2025 DBIR, 88% of breaches involve stolen credentials, highlighting how central identity-based attacks have become.
If you only watch for stolen passwords or failed login attempts, you are missing the biggest attack vector.
How to protect your organization
Session tokens are just as important as passwords and require a new defensive mindset.
- Revoke all active sessions immediately after an endpoint compromise; resetting the password alone does not stop attackers
- Monitor network traffic to Telegram domains, a key exfiltration channel
- Use browser fingerprinting and anomaly detection to flag suspicious session use from unknown devices or locations
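The last recommendation in working form, as an added example that is not part of Flare’s report or tooling: a stolen token replayed from an anti-detect browser keeps the same session id but arrives with a different browser fingerprint and usually from a different country, so the check below flags any session whose later requests deviate from the fingerprint and geo it was first seen with, and lists the sessions to revoke. The log format, field names, and all log lines are constructed for the demo.

```python
import re

# Constructed sample access log (not real data): one request per line, in time order.
# The last line is the same session id reappearing from a new fingerprint and country,
# which is what a replayed stolen token looks like.
SAMPLE_LOG = """\
2025-05-01T09:00:00Z user=alice sid=sess-A1 fp=fp-7c1e geo=CA
2025-05-01T09:15:00Z user=alice sid=sess-A1 fp=fp-7c1e geo=CA
2025-05-01T10:00:00Z user=bob sid=sess-B7 fp=fp-3d44 geo=US
2025-05-01T10:30:00Z user=bob sid=sess-B7 fp=fp-3d44 geo=US
2025-05-01T11:40:00Z user=alice sid=sess-A1 fp=fp-9b02 geo=RU
"""

# Assumed (hypothetical) log layout: timestamp, then key=value fields.
LINE_RE = re.compile(r"^(\S+) user=(\S+) sid=(\S+) fp=(\S+) geo=(\S+)$")


def parse_log(text):
    """Parse log text into (timestamp, user, session_id, fingerprint, country) tuples."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groups())
    return events


def detect_session_anomalies(events):
    """Return (session_id, user, timestamp, reason) for every request whose
    fingerprint or country differs from the one the session was first seen with."""
    first_seen = {}  # session_id -> (fingerprint, country) at first sighting
    alerts = []
    for ts, user, session_id, fingerprint, country in events:
        if session_id not in first_seen:
            first_seen[session_id] = (fingerprint, country)
            continue
        base_fp, base_geo = first_seen[session_id]
        reasons = []
        if fingerprint != base_fp:
            reasons.append(f"fingerprint changed {base_fp}->{fingerprint}")
        if country != base_geo:
            reasons.append(f"country changed {base_geo}->{country}")
        if reasons:
            alerts.append((session_id, user, ts, "; ".join(reasons)))
    return alerts


def sessions_to_revoke(events):
    """Session ids to revoke outright: a password reset alone leaves them valid."""
    return sorted({alert[0] for alert in detect_session_anomalies(events)})
```

Feed it a real session-bound log with the same fields and the revoke list is what to hand to your identity provider's session-revocation API.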
Adapting defenses to this new reality is essential to stop fast-moving threat actors.
Dive deeper with Flare
Our full report covers:
- The most common malware families used in these attacks
- Telegram bots and detailed token pricing, with screenshots of the access types in marketplace listings
- Practical recommendations for detection and response
Start a free trial and explore the extensive dataset yourself. Search millions of stealer logs, identify exposed sessions, and get ahead of attackers.
Note: This article is written and contributed by Eric Clay, who has experience in governance, risk and compliance, security data analysis, and security research. He currently serves as the CMO for Flare, a threat exposure management SaaS solution.