A recent cybersecurity investigation has unveiled a troubling reality: U.S. military personnel and employees of major defense contractors, including Lockheed Martin, Boeing, and Honeywell, have been compromised by infostealer malware.
The stolen data is sold on underground marketplaces as "logs" for as little as $10 per infected device, and those logs have exposed critical credentials, including access to classified systems and sensitive infrastructure.
Among the compromised entities are high-ranking personnel from the U.S. Army, Navy, FBI, and Government Accountability Office (GAO).
These infections have jeopardized VPN credentials, email systems, multi-factor authentication (MFA) session cookies, and even classified procurement portals.
The implications extend beyond individual organizations to the broader national security apparatus.
Unlike intrusions that rely on brute force or on exploiting a software vulnerability, infostealers need no exploit at all: they run when a user executes a trojanized download such as a game modification or pirated software, then quietly harvest and exfiltrate sensitive data from the device.
This includes stored browser passwords, session cookies, autofill data, and even internal documents.
The stolen data is then sold on cybercrime marketplaces.
For instance, credentials linked to “army.mil” or “fbi.gov” domains have been discovered for sale at shockingly low prices.
These logs often include still-valid session cookies; an attacker who imports one into a browser resumes the victim's already-authenticated session and is never shown the MFA prompt, so the second factor is bypassed entirely.
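To make the preceding paragraphs concrete, the following Python script, added here as an example and not part of the original report or Hudson Rock's tooling, triages a stealer log the way a SOC analyst would: it parses the plain-text "URL / Username / Password" layout most stealer families dump, parses the Netscape-format cookie file that accompanies it, flags any credential whose host falls under a watchlist of sensitive domains, and separates cookies that are still valid (a live session that sidesteps MFA) from ones that have already expired. The log contents, the hosts, the accounts and the watchlist are all constructed for this example; only the file layouts reflect real stealer output.

```python
"""Triage a leaked infostealer log for exposure of sensitive domains.

Added example. The dump below is constructed: every account, host and
cookie value is invented, but the layout matches the plain-text
'URL / Username / Password' records and Netscape cookie lines that
stealer logs commonly contain.
"""
from __future__ import annotations

import re
import time
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed watchlist of domains whose credentials count as high-value.
WATCHLIST = ("army.mil", "fbi.gov", "navy.mil", "gao.gov", "example-defense.com")

# Constructed sample of a stealer "Passwords.txt" dump.
PASSWORDS_TXT = """\
URL: https://webmail.army.mil/owa/
Username: j.doe@army.mil
Password: Spring2024!
===============
URL: https://store.steampowered.com/login
Username: gamer4life
Password: hunter2
===============
URL: https://vpn.example-defense.com/remote/login
Username: jdoe
Password: C0rpVPN#77
===============
"""

# Constructed sample of a stealer "Cookies.txt" dump (Netscape format):
# domain, include_subdomains, path, secure, expiry (epoch seconds), name, value
COOKIES_TXT = """\
.okta.example-defense.com\tTRUE\t/\tTRUE\t4102444800\tsid\t102-AbCdEfGhIjKlMn
webmail.army.mil\tFALSE\t/\tTRUE\t1000000000\tX-OWA-CANARY\tstalecanaryvalue
.fbi.gov\tTRUE\t/\tTRUE\t4102444800\tJSESSIONID\tdeadbeefcafe
"""


@dataclass(frozen=True)
class Credential:
    host: str
    username: str
    password: str


@dataclass(frozen=True)
class Cookie:
    domain: str
    name: str
    expires: int


def watchlist_match(host: str) -> str | None:
    """Return the watchlist domain that covers `host`, or None."""
    host = host.lower().lstrip(".")
    for domain in WATCHLIST:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def _finish(block: dict[str, str], out: list[Credential]) -> None:
    # Only keep complete records; stealer dumps are frequently ragged.
    if {"url", "username", "password"} <= block.keys():
        host = urlparse(block["url"]).hostname or ""
        out.append(Credential(host.lower(), block["username"], block["password"]))


def parse_passwords(text: str) -> list[Credential]:
    """Parse 'URL:/Username:/Password:' records separated by blank or '===' lines."""
    creds: list[Credential] = []
    block: dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(URL|Username|Password):\s*(.*)$", line.strip())
        if m:
            block[m.group(1).lower()] = m.group(2).strip()
        elif block:  # separator line ends the current record
            _finish(block, creds)
            block = {}
    _finish(block, creds)
    return creds


def parse_cookies(text: str) -> list[Cookie]:
    """Parse Netscape-format cookie lines, skipping comments and malformed rows."""
    cookies: list[Cookie] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, _, _, _, expires, name, _value = fields
        try:
            exp = int(expires)
        except ValueError:
            continue
        cookies.append(Cookie(domain.lstrip(".").lower(), name, exp))
    return cookies


def triage(passwords_text: str, cookies_text: str, now: float | None = None) -> dict:
    """Flag watchlisted credentials and split watchlisted cookies into live/expired."""
    now = time.time() if now is None else now
    findings: dict[str, list] = {"exposed_credentials": [], "live_sessions": [], "expired_sessions": []}
    for cred in parse_passwords(passwords_text):
        hit = watchlist_match(cred.host)
        if hit:
            # Never carry the password itself into the report.
            findings["exposed_credentials"].append((cred.host, cred.username, hit))
    for ck in parse_cookies(cookies_text):
        hit = watchlist_match(ck.domain)
        if hit:
            bucket = "live_sessions" if ck.expires > now else "expired_sessions"
            findings[bucket].append((ck.domain, ck.name, hit))
    return findings


if __name__ == "__main__":
    for kind, rows in triage(PASSWORDS_TXT, COOKIES_TXT).items():
        print(f"{kind}: {rows}")
```

Anything in `live_sessions` is the urgent finding: those cookies resume an authenticated session without a password or MFA challenge, so the matching sessions should be revoked before the password reset is even scheduled.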
Hudson Rock’s analysis revealed that over 30 million computers globally have been infected by infostealers.
Alarmingly, 20% of these devices contained corporate credentials, many belonging to employees in critical sectors like defense and government.
The scale of the breaches is exemplified by two notable cases:
These incidents underscore a systemic issue within the U.S. defense sector’s cybersecurity framework.
Even organizations with robust security measures remain vulnerable due to third-party risks introduced by compromised vendors or partners.
The breaches highlight how infostealers turn unsuspecting employees into unwitting insider threats: the stored credentials and live sessions pulled from one personal or work device hand an outsider the same access that employee has.
Experts warn that this is just the beginning of a larger cybersecurity crisis unless proactive measures are adopted.
Monitoring for both malware infections and the appearance of employee credentials in stealer logs, revoking sessions and resetting passwords as soon as an exposure is found, and stricter cybersecurity hygiene around what software users are allowed to install are critical for mitigating these risks in the future.
The revelations serve as a stark reminder: in today’s interconnected digital landscape, no organization, no matter how secure, is immune from compromise.