The way it preys on private knowledge – and methods to keep secure

Right here’s what to know in regards to the malware with an insatiable urge for food for invaluable knowledge, a lot in order that it tops this yr’s infostealer detection charts

22 Oct 2025
•
,
3 min. learn

SnakeStealer: How it preys on personal data – and how you can protect yourself

Infostealers stay some of the persistent threats on at the moment’s risk panorama. They’re constructed to quietly siphon off invaluable data, usually login credentials and monetary and cryptocurrency particulars, from compromised programs and ship it to adversaries. And so they accomplish that with nice success.

ESET researchers have tracked quite a few campaigns just lately the place an infostealer was the ultimate payload. Agent Tesla, Lumma Stealer, FormBook and HoudRAT proceed to make the rounds in giant numbers, however in response to the ESET Risk Report H1 2025, one household surged forward of the remainder within the first half of this yr: SnakeStealer.

A risk is born

Detected by ESET merchandise primarily as MSIL/Spy.Agent.AES, SnakeStealer first appeared in 2019. Early experiences traced it to a risk initially marketed as 404 Keylogger or 404 Crypter on underground boards earlier than it rebranded beneath its present title.

snake-stealer-infostealer-robo-contrasenas — *Determine 1. One of many first ads for 404 Keylogger (supply: habr.com)*

In its early variants, SnakeStealer used Discord to host its payloads, which victims unwittingly downloaded after opening a malicious e-mail attachment. Whereas internet hosting malware on reliable cloud platforms wasn’t new, the widespread abuse of Discord quickly turned a trademark tactic. SnakeStealer reached its first huge wave of exercise in 2020 and 2021, spreading globally with none clear regional focus.

In the meantime, the supply strategies different. Phishing attachments nonetheless stay the first vector, however the payload itself could also be disguised in varied types, together with password-protected ZIP information, weaponized RTF, ISO and PDF information, and even bundled with different malware. Often, SnakeStealer hides inside pirated software program or faux apps, which speaks to the truth that not each compromise begins with a malicious e-mail.

snake-stealer-infostealer-robo-contrasenas2 — *Determine 2. Hashes associated to SnakeStealer, reported by yr. (supply: MalwareBazaar)*

Malware-as-a-service: A worthwhile ‘enterprise mannequin’

Like many different fashionable threats, SnakeStealer follows the malware-as-a-service (MaaS) mannequin. Its operators hire or promote entry to the malware, full with technical assist and updates, which makes it straightforward for even low-skilled attackers to launch their very own campaigns.

SnakeStealer’s latest resurgence is not any coincidence. After Agent Tesla started to say no and lose developer assist, underground Telegram channels began recommending SnakeStealer as its successor. This endorsement, mixed with the comfort of its MaaS setup and its ready-made infrastructure, propelled SnakeStealer to the highest of detection charts, a lot in order that SnakeStealer was just lately accountable for nearly one-fifth of world infostealer detections as tracked by ESET telemetry.

Figure 3. SnakeStealer topping detection charts — *Determine 3. SnakeStealer topping detection charts (supply: ESET Risk Report H1 2025)*

Key options

SnakeStealer could not break new floor, however it’s polished, dependable, and straightforward to deploy. It affords a full toolkit of capabilities that’s typical of professional-grade info-stealing malware, and given its modularity, attackers can change options on or off to go well with their wants.

Evasion: As a way to keep beneath the radar, SnakeStealer can terminate processes related to safety and malware evaluation instruments and verify for digital environments.
Persistence: It alters Home windows boot configurations to keep up entry on compromised programs.
Credential theft: It extracts saved passwords from internet browsers, databases, e-mail and chat purchasers, together with Discord, and Wi-Fi networks.
Surveillance: It captures clipboard knowledge, takes screenshots and logs keystrokes.
Exfiltration: It sends stolen knowledge through FTP, HTTP, e-mail, or Telegram bots.

Methods to shield your self

Whether or not you’re a person person or a enterprise, these steps might help cut back the chance towards infostealers like SnakeStealer:

Be skeptical of unsolicited messages. Deal with attachments and hyperlinks, particularly from unknown senders, as potential threats, even when they seem reliable. Confirm them with the sender via different channels.
Hold your system and apps up to date. Patching identified vulnerabilities in a well timed method reduces the chance of compromise stemming from software program loopholes.
Allow multi-factor authentication (MFA) wherever doable. Even when your password is stolen, MFA can cease unauthorized logins.
Should you suspect a compromise: change all passwords from a clear gadget, revoke open classes, and monitor your accounts for suspicious exercise.
Use respected safety software program on all units, desktop and cell alike.

Last ideas

SnakeStealer’s rise is a reminder of how shortly the cybercrime market adapts and as such displays a bigger fact about at the moment’s risk panorama: cybercrime has industrialized. This professionalization makes it simpler than ever for anybody to steal knowledge at scale. And as one infostealer fades, one other fills the hole, armed with largely the identical tried-and-tested ways. The excellent news is that sturdy cybersecurity practices will go a great distance in direction of retaining you secure.