The Security Editor

Threats to documents

Infostealers and the documents on your laptop

Infostealers are the most commercially successful category of malware of the last few years, and they are very specifically interested in your documents. This is what they do, how they get in, and how to make yourself a much less useful target.

By Alex Trustwell · 6 min read · intermediate
On this page
  1. What an infostealer actually does
  2. How infections happen
  3. Why documents are a prize
  4. Defenses, in order of leverage
     1. Don’t download software from dodgy places
     2. Use a real password manager, not the browser’s built-in one
     3. Keep browsers, OS, and extensions patched
     4. Use two-factor authentication resistant to cookie theft
     5. Keep sensitive documents in a locked vault
     6. A browser profile just for sensitive work
     7. Have a plan for “what if I got hit”

If you had to name the category of malware most likely to affect an ordinary person in any given year, it would not be ransomware; it would be infostealers. They are cheap to buy on criminal marketplaces, easy to distribute, and pay a reliable return. Unlike ransomware, which is dramatic but rarer, infostealers work at scale on everyday home machines and everyday small businesses.

And — the reason this article lives on a site about documents — infostealers are very interested in the files on your laptop.

What an infostealer actually does

A typical infostealer, once it runs, performs a series of quick, well-rehearsed tasks and then exits:

  1. Enumerates browser data — passwords stored in Chrome, Edge, Firefox, Safari, Brave; cookies; credit card autofill data; browser history; saved form values.
  2. Reads cryptocurrency wallet files — Exodus, Electrum, MetaMask extensions, hardware-wallet companion apps.
  3. Grabs documents — anything matching a broad set of extensions (.docx, .xlsx, .pdf, .txt, .rtf, .csv) in common locations (Documents, Desktop, Downloads, OneDrive folders, iCloud Drive folders).
  4. Takes screenshots of every monitor.
  5. Lists installed applications and running processes.
  6. Reads specific files known to contain secrets — SSH keys, AWS credentials, password manager vault files, Discord tokens, Telegram session files, VPN configurations.
  7. Uploads all of this as a single bundle to a command-and-control server.
  8. Self-deletes to avoid detection.

The whole thing runs in seconds. Many infostealers do not establish persistence; they grab what they can and leave.
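Because the behaviour is so stereotyped and so fast, it is also detectable from endpoint telemetry. The scorer below is an added example (not code from this article): it groups EDR-style events by process and flags the burst pattern described above, namely reads of several secret stores plus bulk document reads, followed by one large upload and self-deletion. The event schema and the sample telemetry are constructed, and the path regexes are assumed approximations of where browsers and tools keep these files.

```python
import re

# Secret stores from the list above; regexes are assumed approximations of common locations.
SECRET_STORES = {
    "browser-passwords": r"[/\\](Login Data|logins\.json)$",
    "browser-cookies": r"[/\\](Cookies|cookies\.sqlite)$",
    "ssh-keys": r"[/\\]\.ssh[/\\]id_[a-z0-9]+$",
    "pw-manager-vault": r"\.kdbx$",
    "crypto-wallet": r"[/\\](Exodus|Electrum|MetaMask)[/\\]",
}
DOC_PATTERN = r"[/\\](Documents|Desktop|Downloads|OneDrive)[/\\].*\.(docx|xlsx|pdf|txt|rtf|csv)$"
WINDOW_SECONDS = 60   # a stealer finishes in seconds; only reads inside this window count
ALERT_THRESHOLD = 6   # one store alone (score 2) is normal for the app that owns it

def score_process(events):
    """Score one process's events (dicts: ts, pid, image, event, path, bytes_out)."""
    events = sorted(events, key=lambda e: e["ts"])
    reads = [e for e in events if e["event"] == "FileRead" and e["ts"] - events[0]["ts"] <= WINDOW_SECONDS]
    stores = {n for e in reads for n, rx in SECRET_STORES.items() if re.search(rx, e["path"], re.I)}
    docs = sum(1 for e in reads if re.search(DOC_PATTERN, e["path"], re.I))
    last_read = max((e["ts"] for e in reads), default=events[0]["ts"])
    upload = any(e["event"] == "NetworkConnect" and e.get("bytes_out", 0) > 100_000 and e["ts"] >= last_read
                 for e in events)
    self_delete = any(e["event"] == "FileDelete" and e["path"].lower() == e["image"].lower() for e in events)
    findings = []
    if stores: findings.append((2 * len(stores), "secret stores read: " + ", ".join(sorted(stores))))
    if docs >= 5: findings.append((2, f"{docs} user documents read in bulk"))
    if upload: findings.append((3, "large outbound upload after the reads"))
    if self_delete: findings.append((3, "process deleted its own executable"))
    return sum(w for w, _ in findings), [why for _, why in findings]

def detect(events):
    """Group telemetry by pid; return {pid: (score, reasons)} for processes over the threshold."""
    by_pid = {}
    for e in events:
        by_pid.setdefault(e["pid"], []).append(e)
    scored = {pid: score_process(evs) for pid, evs in by_pid.items()}
    return {pid: r for pid, r in scored.items() if r[0] >= ALERT_THRESHOLD}

# Constructed telemetry: Word autosaving a report (benign) next to a cracked installer that
# sweeps credential stores and documents, uploads the bundle, then deletes itself.
U = "C:\\Users\\alice"
def ev(ts, pid, image, event, path, bytes_out=0):
    return {"ts": ts, "pid": pid, "image": image, "event": event, "path": path, "bytes_out": bytes_out}
WORD, CRACK = "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", U + "\\Downloads\\setup_crack.exe"
SAMPLE = [ev(0, 100, WORD, "FileRead", U + "\\Documents\\report.docx"),
          ev(1, 200, CRACK, "FileRead", U + "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"),
          ev(1, 200, CRACK, "FileRead", U + "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"),
          ev(2, 200, CRACK, "FileRead", U + "\\.ssh\\id_ed25519"),
          *[ev(3, 200, CRACK, "FileRead", f"{U}\\Documents\\tax_{i}.pdf") for i in range(6)],
          ev(5, 200, CRACK, "NetworkConnect", "203.0.113.7:443", bytes_out=4_200_000),
          ev(6, 200, CRACK, "FileDelete", CRACK)]
```

Running `detect(SAMPLE)` flags only pid 200; a browser reading its own password database scores 2 and stays below the threshold, which is the point of scoring the combination rather than any single read.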

The stolen data then enters a supply chain. “Logs” (the bundles) are sold on marketplaces, filtered by value (crypto wallet? corporate credentials? high-balance bank accounts?), and processed by the buyers for further use: session cookies replayed to bypass MFA, corporate VPN credentials used to pivot into internal networks, crypto drained, documents held for extortion.

How infections happen

The infection vectors have been remarkably stable:

  • Cracked software. “Free” copies of paid applications, games, or Photoshop, downloaded from forums and torrent sites. The “crack” is often the infostealer.
  • Fake installers. Malicious ads (malvertising) on search engines for things like “OBS Studio”, “7-Zip”, “Notion” leading to lookalike sites that serve a legitimate-looking installer bundled with an infostealer.
  • YouTube video descriptions. Videos for game cheats, software cracks, or “free Adobe” often link to password-protected ZIPs containing an infostealer.
  • Phishing emails — invoice attachments, tax documents, job-offer PDFs, shipment-tracking files. Common in small businesses.
  • Compromised browser extensions. A legitimate extension is sold to a new owner, who updates it to include malicious code. The update installs silently.
  • Supply-chain attacks on software developers — rarer for ordinary users, but a consistent theme.

Why documents are a prize

From an attacker’s perspective, documents on your laptop are often more valuable than the files you keep in a cloud account, because your laptop has:

  • Drafts and working copies that are not on the cloud yet.
  • Client correspondence with attachments.
  • Tax returns, identification documents, medical records that you keep on disk for safety and don’t upload.
  • Intellectual property you haven’t published.
  • Saved copies of things you deleted from email (forwarded, archived PDFs).

For a small business, stolen documents can enable business email compromise: an attacker who has invoices, templates, bank details, and correspondence can write very convincing follow-up emails to redirect real payments. These scams have cost businesses billions. The document-theft step is the one that enables them.

Defenses, in order of leverage

1. Don’t download software from dodgy places

The single largest cause of infostealer infections on home machines is someone downloading cracked software, a game cheat, a pirated-media player, or an official-looking but fake installer from a search-engine ad.

  • Install software from the vendor’s official site or the OS app store.
  • Be skeptical of sponsored search results for software names; they are one of the most common infostealer vectors.
  • For common utilities, use a trustworthy package manager (winget, Homebrew, apt, Chocolatey) that vouches for the downloads.

This one habit removes the majority of infostealer exposure for home users.

2. Use a real password manager, not the browser’s built-in one

Browsers store passwords in a way that is trivially readable by malware running as your user. A real password manager (1Password, Bitwarden, KeePassXC) keeps its vault encrypted with a key that is not on disk when the vault is locked. Infostealers grab the browser’s password store in one read; the password manager’s vault is a much harder target, because the stolen file is useless without the master password.

Turn off the browser’s password manager (Settings → Passwords) and let your real password manager handle it.

3. Keep browsers, OS, and extensions patched

Infostealers sometimes chain together with browser exploits to get in without the user doing anything. A patched browser removes that class of attack. Auto-update is your friend.

Review browser extensions quarterly and remove any you don’t actively use; each extension is a trust channel.

4. Use two-factor authentication resistant to cookie theft

Infostealers grab session cookies, which many sites accept as proof of login even after an MFA challenge. Replaying a stolen cookie bypasses TOTP-based MFA in many cases.

The fix is phishing-resistant authentication: hardware security keys (WebAuthn/FIDO2) whose credentials are bound to the device and to the site’s origin, so there is no code or secret a stealer can lift and replay to log in again. Modern browsers and most big providers support them. A cookie that was already stolen stays valid until that session expires, which is why signing out of active sessions after a suspected infection matters as much as the key itself.

5. Keep sensitive documents in a locked vault

Files on your desktop and in your Documents folder are available to any malware running as your user. Files inside a locked encrypted container are not — they are opaque ciphertext until you unlock them.

The practical technique:

  • Put sensitive files in a Cryptomator vault or a VeraCrypt container that is normally locked.
  • Only unlock when you actively need access.
  • Lock it again when you’re done.

An infostealer that runs while the vault is locked sees encrypted blobs. While it is unlocked, it’s as exposed as any other file — but the window of exposure is much narrower than “always, all the time”.

6. A browser profile just for sensitive work

A dedicated browser (or browser profile) that you use only for banking, tax, and other high-value sites — with no extensions, no password manager sync to ordinary-work browsers, and no casual browsing — limits what an infostealer grabbing “browser data” can return.

7. Have a plan for “what if I got hit”

If you realize (or suspect) your machine was infected:

  1. Assume browser cookies and saved passwords are gone. Rotate them. Sign out of every active session on every important account.
  2. Assume recently-opened documents were exfiltrated. Notify anyone affected.
  3. Reinstall the OS on the infected machine; do not just run an antivirus. Infostealers often drop additional payloads.
  4. Review authorized devices on every cloud account and remove unfamiliar ones.
  5. Enable hardware-key MFA where you hadn’t already.

Infostealers are boring in a way that makes them dangerous. Most victims are not targeted; they downloaded a cracked copy of a program to save thirty dollars, and the crack was the malware. A handful of habits and structural choices — real password manager, hardware keys, locked document vault, patched browser — lifts you out of the bulk-victim pool into “not worth the effort”.

The companion article on ransomware from the documents perspective covers the related, louder threat.
