Curious about the malware that can’t get enough of your valuable data? It’s been dominating the infostealer detection charts this year!
22 Oct 2025
•
,
3 min. read
Hey there! Ever wondered about the persistent threat posed by infostealers in today’s digital landscape? These sneaky malware are designed to silently extract crucial information like login credentials, financial data, and even cryptocurrency details from compromised systems. And guess what? They’re excelling at it!
According to the ESET Threat Report H1 2025, one particular family of infostealers has been outshining the rest in the first half of this year: SnakeStealer.
Unveiling the Threat
Known as MSIL/Spy.Agent.AES by ESET products, SnakeStealer made its debut back in 2019. Initially identified as 404 Keylogger or 404 Crypter in underground forums, it later rebranded itself as SnakeStealer.

In its early stages, SnakeStealer utilized Discord to host its malicious payloads, which victims unknowingly downloaded through malicious email attachments. Although hosting malware on legitimate cloud platforms wasn’t a novel concept, the widespread exploitation of Discord became a signature move for SnakeStealer. The malware gained momentum in 2020 and 2021, spreading globally without a specific regional focus.
While phishing attachments remained the primary delivery method, SnakeStealer disguised its payload in various forms, including password-protected ZIP files, weaponized RTF, ISO, and PDF files, or bundled with other malware. At times, it even lurked within pirated software or fake applications, highlighting that not every breach originates from a malicious email.

The ‘Business Model’ of Malware-as-a-Service
Similar to many contemporary threats, SnakeStealer follows the malware-as-a-service (MaaS) model. Its operators offer access to the malware for rent or sale, complete with technical support and updates, making it convenient for even novice attackers to launch their campaigns.
SnakeStealer’s recent resurgence is no accident. With the decline of Agent Tesla and the loss of developer support, underground Telegram channels began endorsing SnakeStealer as its successor. This, coupled with its MaaS structure and established infrastructure, propelled SnakeStealer to the top of detection charts. In fact, SnakeStealer accounted for nearly one-fifth of global infostealer detections, as per ESET telemetry.

Noteworthy Features
SnakeStealer might not be breaking new ground, but it’s polished, reliable, and easy to deploy. Offering a comprehensive toolkit of capabilities typical of professional info-stealing malware, attackers can toggle features on or off based on their requirements.
- Evasion: SnakeStealer terminates processes linked to security and malware analysis tools to evade detection and checks for virtual environments.
- Persistence: It modifies Windows boot configurations to retain access on compromised systems.
- Credential theft: Extracting saved passwords from web browsers, databases, email and chat clients, including Discord, and Wi-Fi networks.
- Surveillance: Capturing clipboard data, taking screenshots, and logging keystrokes.
- Exfiltration: Sending stolen data via FTP, HTTP, email, or Telegram bots.
Protecting Yourself
Whether you’re an individual user or a business, here are some steps to mitigate the risk posed by infostealers like SnakeStealer:
- Be cautious of unsolicited messages: Approach attachments and links, especially from unknown sources, with skepticism, even if they seem legitimate. Verify them with the sender through alternate channels.
- Keep your system and applications updated: Timely patching of known vulnerabilities reduces the risk of exploitation through software loopholes.
- Enable multi-factor authentication (MFA): Implement MFA wherever possible to thwart unauthorized logins, even if your password is compromised.
- Suspect a compromise? Change all passwords from a clean device, revoke active sessions, and monitor your accounts for any suspicious activity.
- Utilize reputable security software: Install trusted security solutions on all devices, be it desktop or mobile.
Parting Words
SnakeStealer’s ascent serves as a stark reminder of how swiftly the cybercrime market evolves, reflecting the broader reality of today’s threat landscape: the industrialization of cybercrime. This professionalization has made data theft at scale more accessible than ever. With each infostealer’s decline, a successor emerges, armed with familiar tactics. The silver lining? Robust cybersecurity practices play a pivotal role in safeguarding your digital assets.
