2026-06-11 The Hacker News

3.3B Stolen Credentials, $5K SilabRAT, North Korean APTs Dominate Week

Malware · Threat Intel · APT

The latest threat intelligence roundup shows how large the identity-based attack economy has become: Flashpoint reports that infostealer infections on more than 11.1 million devices last year produced a stockpile of over 3.3 billion stolen credentials, session cookies, and cloud tokens now circulating across illicit markets. The analysis identifies more than 30 distinct infostealer strains actively sold through underground forums and marketplaces, with Lumma, Acreed, Rhadamanthys, Vidar, and StealC leading the pack in 2025. India, Brazil, Indonesia, Vietnam, the Philippines, and the United States were the six most affected countries, underscoring the global reach of the modern malware-as-a-service ecosystem. Users can check whether their email address appears in known breach data with a breach checker and should rotate any exposed passwords immediately. Rotating a password does not, however, invalidate session cookies or cloud tokens already lifted from the device: active sessions and tokens must be revoked separately, and the infected machine cleaned before any new credential is typed into it.
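As an added example (not code from the article, from Flashpoint, or from any tool named on this page), the following Python shows the k-anonymity range check that password-exposure services such as Have I Been Pwned's Pwned Passwords API use: the client hashes the password with SHA-1 and sends only the first five hex characters, so neither the password nor its full hash leaves the machine. The network call is replaced by a constructed response table for the prefix 5BAA6; the match counts in that table are invented, and `fetch_range` is a hypothetical callable the caller supplies.

```python
import hashlib

# Constructed range response for prefix 5BAA6 (not a real API reply; the counts
# are invented). The layout mirrors the Pwned Passwords range endpoint: one
# "<35-hex-char suffix>:<count>" entry per line. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix is in the table.
SAMPLE_RANGES = {
    "5BAA6": """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:10437277
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
""",
}


def split_hash(password: str) -> tuple[str, str]:
    """Hash the password and split the hex digest into the 5-char prefix that
    is sent to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} map; blank lines skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        table[suffix.upper()] = int(count)
    return table


def exposure_count(password: str, fetch_range) -> int:
    """Return how many times the password appears in the exposure corpus.

    `fetch_range(prefix)` is a caller-supplied function (hypothetical here)
    that returns the range body for a 5-char prefix. Only the prefix is ever
    sent; the suffix comparison happens locally."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call: serves the constructed table above."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "xK9#vL2pQ!mR7wZ"):
        n = exposure_count(candidate, offline_fetch)
        verdict = f"EXPOSED {n} times" if n else "not in sample corpus"
        print(f"{candidate!r}: {verdict}")
```

The same split-and-compare shape works for any hashed-credential corpus; the point of the design is that a compromised or curious lookup service learns only which 1-in-a-million bucket the password falls into, never which password was queried.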

Adding to the pressure, Group-IB has tracked a remote access trojan dubbed SilabRAT, advertised on darknet forums since September 2025 by a Russian-speaking actor using the handle "o1oo1." Priced at $5,000 per month, SilabRAT is delivered through ClickFix campaigns using Hijack Loader and is built specifically for financial theft. The malware uses Hidden Virtual Network Computing (HVNC) for covert remote control and employs Browser Profile Cloning to replicate a victim's full browser profile, including the user agent string, installed extensions, local storage, and other fingerprinting attributes, onto the attacker's system. Because the cloned profile presents the same device fingerprint the victim's bank or exchange already trusts, fingerprint-based anti-fraud controls can be bypassed, and the copied extension data can expose cryptocurrency wallet artifacts. Defenders should therefore not rely on fingerprint matching alone: monitor for an established session being used from a second network location, treat that kind of session replication as compromise, and audit what a browser profile gives away with a fingerprint test.
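The session-replication check suggested above, as an added example that is not code from the article or from Group-IB: a small detector run over constructed web-access log lines. It flags any session id used from more than one ASN inside a short window and records whether the browser fingerprint hash was identical across those sources, which is the signal a cloned profile leaves and exactly the case a fingerprint-only anti-fraud rule would wave through. The log format, field names, IP addresses and ASN values are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): one line per authenticated
# request with session id, browser fingerprint hash, client IP and its ASN.
# Session 7f3a9c is used from two networks within minutes with an identical
# fingerprint, the pattern a cloned profile produces; c0ffee is normal.
SAMPLE_LOG = """\
2026-06-10T09:00:01Z sid=7f3a9c fp=ab12cd ip=203.0.113.7 asn=64496
2026-06-10T09:02:14Z sid=7f3a9c fp=ab12cd ip=203.0.113.7 asn=64496
2026-06-10T09:03:40Z sid=7f3a9c fp=ab12cd ip=198.51.100.23 asn=64511
2026-06-10T09:04:02Z sid=7f3a9c fp=ab12cd ip=203.0.113.7 asn=64496
2026-06-10T09:05:30Z sid=7f3a9c fp=ab12cd ip=198.51.100.23 asn=64511
2026-06-10T10:00:00Z sid=c0ffee fp=9988ff ip=192.0.2.44 asn=64500
2026-06-10T10:30:00Z sid=c0ffee fp=9988ff ip=192.0.2.44 asn=64500
"""


def parse_line(line: str) -> dict:
    """Parse '<ISO timestamp> key=value ...' into a dict with a datetime 'ts'."""
    ts_str, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_split_sessions(log_text: str, window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {sid: alert} for every session seen from more than one ASN
    inside `window`. The alert records whether the fingerprint hash matched
    across sources: a True value means fingerprint checks alone would have
    passed the attacker's replayed session."""
    by_sid = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        by_sid[rec["sid"]].append(rec)

    alerts = {}
    for sid, recs in by_sid.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            seen = {first["asn"]: first["ip"]}   # asn -> first IP seen from it
            fingerprints = {first["fp"]}
            for later in recs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                seen.setdefault(later["asn"], later["ip"])
                fingerprints.add(later["fp"])
            if len(seen) > 1:
                alerts[sid] = {
                    "first_seen": first["ts"].isoformat(),
                    "sources": sorted(seen.items()),
                    "fingerprint_identical": len(fingerprints) == 1,
                }
                break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    for sid, alert in find_split_sessions(SAMPLE_LOG).items():
        print(sid, alert)
```

In production the ASN would come from a GeoIP/ASN lookup on the source address and the fingerprint hash from whatever the anti-fraud layer already computes; the design choice worth copying is that the rule keys on network origin and timing, which the attacker cannot clone along with the profile, rather than on attributes the malware copies verbatim.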

On the nation-state front, CrowdStrike's latest telemetry shows that North Korea's Famous Chollima cluster, the group behind the long-running IT worker and Contagious Interview campaigns, accounted for 47% of all state-sponsored hands-on-keyboard intrusions against the technology sector between April 2025 and March 2026. A single threat actor now drives nearly half of all human-operated state-sponsored operations targeting tech firms, a concentration that reflects both the maturity of North Korean tradecraft and the persistent weakness of hiring and remote-work pipelines. Security teams should treat any incoming developer or contractor identity as untrusted by default, verify it out of band before granting access, enforce strong and unique credentials, and segment access to source repositories, cloud tokens, and production infrastructure so that a single fraudulent hire cannot reach all three.

Source: The Hacker News →
