Kaspersky Links Infostealer Infections to Temp Folders

Islamabad (GNP): New research from Kaspersky Digital Footprint Intelligence (DFI) has found that more than a third of infostealer infections trace back to users running files straight out of temporary browser folders — a finding that points to user behavior, not just malware sophistication, as a major driver of credential theft. By comparison, only about 32% of these attacks relied on process injection or living-off-the-land techniques typically associated with more advanced malware.

The findings come from an analysis of five million infostealer log files that Kaspersky DFI researchers found circulating on the dark web in 2025. These logs — which typically contain stolen account credentials, browser cookies, and system metadata pulled from compromised devices — also recorded where the malicious files originally sat on each infected machine.

The single most common location was the Windows temporary directory (C:\Users\AppData\Local\Temp), accounting for roughly 35% of cases observed. Since this folder is where browsers typically stash files before a user explicitly saves them elsewhere, the pattern suggests a large share of infections happen simply because people open downloaded files directly, without attackers needing to deploy any advanced evasion methods.

The second-most common location, tied to about 32% of cases, was C:\Windows\Microsoft.NET\Framework\ — a path associated with process injection and living-off-the-land tactics, where malware hijacks legitimate system processes to slip past detection. This pattern shows up more often in sophisticated infostealer strains, Lumma among them.
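The two locations above are exactly the kind of thing a defender can check for in process-launch telemetry. The following is an added example, not Kaspersky's code or anything from the report: it classifies the image path of each process launch as coming from the user's Temp folder, from the .NET Framework directory, or from elsewhere, and tallies the shares the way the article reports them. The telemetry lines are constructed (a simplified `time|user|image` layout, assumed to carry the full image path as Sysmon Event ID 1 does), and the pattern for the Framework directory also accepts `Framework64`, the 64-bit counterpart that the article does not name.

```python
import re
from collections import Counter

# Patterns for the two image locations the Kaspersky write-up singles out.
# Assumption: telemetry gives the full image path of each launched process.
USER_TEMP_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Framework64 is the 64-bit sibling of the Framework directory named in the article.
DOTNET_FRAMEWORK_RE = re.compile(
    r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\", re.IGNORECASE)

# Constructed sample telemetry, one process launch per line: time|user|image path.
SAMPLE_EVENTS = [
    r"2025-03-01T10:02:11|alice|C:\Users\alice\AppData\Local\Temp\GameMod_Installer.exe",
    r'2025-03-01T10:03:40|alice|"C:\Program Files\Mozilla Firefox\firefox.exe"',
    r"2025-03-01T11:15:02|bob|C:\Users\bob\AppData\Local\Temp\activator_v2.exe",
    r"2025-03-01T11:15:09|bob|C:\Windows\Microsoft.NET\Framework\v4.0.30319\tool.exe",
    r"2025-03-01T12:00:00|carol|C:\Windows\System32\notepad.exe",
    r"2025-03-01T12:30:45|dave|C:/Windows/Microsoft.NET/Framework64/v4.0.30319/tool.exe",
]


def normalize_path(path: str) -> str:
    """Strip surrounding quotes and unify separators so one regex covers both spellings."""
    return path.strip().strip('"').replace("/", "\\")


def classify(path: str) -> str:
    """Map an image path to one of the article's location buckets."""
    p = normalize_path(path)
    if USER_TEMP_RE.match(p):
        return "user_temp"
    if DOTNET_FRAMEWORK_RE.match(p):
        return "dotnet_framework"
    return "other"


def parse_event(line: str) -> dict:
    """Split a constructed telemetry line into fields and attach its category."""
    ts, user, image = line.split("|", 2)
    return {"time": ts, "user": user, "image": image, "category": classify(image)}


def summarize(lines) -> dict:
    """Count launches per category and express each as a share of the total."""
    events = [parse_event(line) for line in lines]
    counts = Counter(e["category"] for e in events)
    total = len(events)
    return {cat: (n, round(100 * n / total, 1)) for cat, n in counts.items()}


def temp_executions(lines) -> list:
    """Return launches straight out of the user's Temp folder for analyst review."""
    return [e for e in (parse_event(line) for line in lines) if e["category"] == "user_temp"]


if __name__ == "__main__":
    for cat, (n, pct) in summarize(SAMPLE_EVENTS).items():
        print(f"{cat:18s} {n:3d} ({pct}%)")
    for e in temp_executions(SAMPLE_EVENTS):
        print("review:", e["user"], e["image"])
```

The Temp-folder bucket is a review queue rather than a verdict: legitimate installers also run from there, so in practice it is the combination with the other signals the article mentions (security software disabled shortly before, an "activator" or mod file name) that raises the priority.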

According to the research, infections tend to cluster around two risky habits: downloading software from unverified sources and trying to illegally activate paid software. Researchers also found that victims often followed instructions from the attackers themselves, including disabling security software before running the malicious file. Many of the files were disguised as ordinary software installers, activation tools, or game modifications — and while game mods remain a popular lure, the same tactics get reused to push almost any kind of software.

Kaspersky DFI expert Sergey Shcherbel noted that infostealer infections jumped 59% year-over-year in 2025, and attributed much of that growth to user behavior rather than technical sophistication on the attackers’ part — pointing out that since so many infections originate in temporary download folders, victims appear to be opening files almost immediately after downloading them, meaning attackers often just need to talk someone into running a file rather than rely on advanced techniques.

To cut down on infostealer risk, Kaspersky is advising businesses to adopt a full digital risk protection service — such as its own Digital Footprint Intelligence offering — capable of monitoring an organization’s digital footprint and spotting threats across the surface, deep, and dark web. The company says its Threat Intelligence service gives security teams the visibility and context they need throughout the incident management process to catch cyber risks early.

Field Correspondent Sohail Majeed

Sohail Majeed is a Special Correspondent at The Diplomatic Insight. He has twelve plus years of experience in journalism & reporting. He covers International Affairs, Diplomacy, UN, Sports, Climate Change, Economy, Technology, and Health.