
Quarterly threat report: Q4 2025 — info-stealers and the new BYOD file-share problem

Info-stealer malware families we're tracking, how stolen browser sessions reach vendor portals, and the defenses that work.

We publish a threat report every quarter because the threat landscape does not pause between annual reviews, and because our customers deserve specifics rather than industry-average platitudes. Q4 2025 had a clear dominant theme: info-stealer malware families targeting BYOD endpoints, with stolen browser sessions being weaponized against vendor portals and file-transfer workspaces within hours of compromise. This is the operational picture we actually observed in SEND-SECURELY.COM telemetry and in the incident reports our customers’ security teams shared with us.

The info-stealer landscape in Q4 2025

Two families drove the majority of what we tracked: Lumma Stealer and RedLine. Both are commodity infostealer tools available through malware-as-a-service distribution channels; neither is novel. What was notable in Q4 was the operational shift in how the stolen data was being utilized.

Lumma Stealer, distributed primarily via malvertising and trojanized software packages, is well-documented for harvesting browser-stored credentials, session cookies, and saved form data. In Q4 we observed Lumma-harvested session data appearing in credential marketplaces with unusually specific B2B portal tags — the sellers were doing the work of identifying which stolen sessions corresponded to vendor portal access, and pricing those sessions separately from consumer account access. The premium for tagged B2B portal sessions is a market signal: there are buyers who specifically want access to business file-transfer and vendor-portal environments, not just consumer email and banking.

RedLine, the older and more widely distributed family, continued its normal operational pattern — bulk credential harvesting with less curation. What changed in Q4 was the downstream use: a higher proportion of RedLine-harvested sessions were being used against B2B file-transfer contexts rather than the retail fraud targets that historically dominated RedLine-derived campaigns.

The common thread is the targeting of browser session cookies rather than passwords. A session cookie is a bearer token: the portal accepts whoever presents it and asks for no further proof of who is holding it. Modern authentication stacks (SSO, MFA, OAuth) are designed to prevent password replay; they are not, by default, designed to detect replay of an already-issued session cookie from a different device or location. A stolen authenticated session cookie therefore bypasses the MFA that protected the original login. The attacker inherits the session, not the credentials, and the session was already authenticated.

How stolen browser sessions reach vendor portals

The operational pipeline from endpoint compromise to vendor portal access is worth tracing in detail, because understanding each step suggests where controls can intervene.

Endpoint compromise. On BYOD endpoints, infostealers enter via the channels that corporate device management can’t fully control: personal software installations, browser extensions, downloads from personal storage. The security posture of a BYOD endpoint is not equivalent to a managed corporate device, and employees who use personal laptops for work — including accessing file-transfer portals from their personal browsers — expose those sessions to the full threat surface of unmanaged consumer hardware.

Session data exfiltration. The stealer harvests browser storage — cookies, session tokens, saved credentials, autofill data — and transmits it to the attacker’s collection infrastructure, typically within minutes of execution. This data includes authentication cookies for any web application the victim has logged into from that browser.

Triage and deployment. Stolen sessions are triaged by the operator: high-value B2B portal sessions are identified, packaged, and used or sold within hours. The window between endpoint compromise and malicious use of the harvested session is frequently shorter than the victim’s organization has any technical means to detect, particularly on unmanaged endpoints where EDR is absent.

Session replay against portal. The attacker loads the stolen session cookie into a browser through readily available tooling and authenticates to the vendor portal as the victim. From the portal’s perspective, this looks like a legitimate session continuation. The user already authenticated correctly at login; the attacker is replaying that authenticated state.

The browser vulnerability CVE-2023-4863, a critical heap buffer overflow in libwebp, the WebP image library bundled with Chrome, Firefox and many other applications, and one that Google reported as already exploited in the wild when the fix shipped, illustrates the underlying exposure. A user who had not patched could be compromised by a maliciously crafted image on any page they visited: no phishing required, no user error beyond running an unpatched browser. On an unmanaged BYOD endpoint, the patch timeline is entirely outside the enterprise’s control.

Defensive controls that work

The controls with measured impact on Q4 incident rates, in order of effect:

Device-bound credentials and WebAuthn. The most structurally important defense is making the authentication credential non-exportable. A FIDO2/WebAuthn credential on a hardware key or a non-synced (device-bound) platform authenticator never leaves the authenticator, its assertion is bound to the portal’s origin, and the ceremony requires the original device. That removes phishing and credential replay: nothing a stealer can copy out of a browser profile lets an attacker complete a new login. Two caveats matter. First, synced passkeys are deliberately not device-bound; a portal that needs a non-exportable credential has to require hardware keys or check the backup-eligibility flags in the authenticator data rather than accept any passkey. Second, WebAuthn protects the login ceremony, not the session that follows it. The portal still issues a session cookie after a WebAuthn login, and that cookie is a bearer token a stealer can lift just as easily as one issued after a password login. The replay-resistant form of this control binds the session itself to the device, whether through the browser-level Device Bound Session Credentials (DBSC) mechanism that Chrome has been trialing, or through the portal demanding a fresh WebAuthn assertion whenever the session’s network context changes or a sensitive action (download, share, permission change) is requested.

For vendor portal deployments, requiring WebAuthn at the recipient authentication step removes credential phishing and password replay from the picture and makes step-up re-authentication cheap enough to trigger on every anomaly, but on its own it does not remove the session-replay attack surface; closing that requires session binding together with the short lifetimes and anomaly checks described below. This is operationally more complex than TOTP for external recipients, but for high-sensitivity portals it is the correct control.

Conditional access based on device compliance. For internal users accessing file-transfer interfaces from corporate-managed devices, device compliance gating is a meaningful layer. If the session originates from a device that fails MDM compliance checks (no EDR, outdated OS, unmanaged configuration), a step-up authentication requirement or access block applies. The caveat is when the check runs. Compliance is normally evaluated when the identity provider issues the token or session, so a cookie stolen after that point was issued to a compliant device and keeps passing unless compliance is re-evaluated, for example through continuous access evaluation, a short token lifetime that forces a fresh sign-in, or the application re-checking device signals when the session’s network context changes. With re-evaluation in place, an attacker replaying a stolen session from unmanaged infrastructure fails the device compliance check that the legitimate user’s managed device passes.

This doesn’t help for external vendor recipients on BYOD, but it substantially reduces the exposure surface for the internal half of file-transfer workflows.

Session anomaly detection. Short of device-bound credentials, session anomaly detection — flagging sessions that exhibit behavioral discontinuity — catches a meaningful fraction of session replay. A session that authenticated from a corporate IP in Chicago and then makes requests from a residential proxy in a different geographic region 20 minutes later is anomalous. Detecting and acting on this signal requires correlating session source IP against authentication event IP and flagging geographic or ASN discontinuities. We tuned this in Q4 and saw it catch a meaningful share of session replay attempts that earlier configurations missed.

Short session lifetimes. Stolen session cookies are most useful when they don’t expire. Combining an absolute lifetime (30 minutes for high-sensitivity portals) with an inactivity timeout limits the window of exploitation to the period between theft and the next expiration, and server-side session state is what makes early revocation possible at all: a cookie validated only by its own signature cannot be invalidated before it expires without a server-side denylist. This creates friction for legitimate users in low-activity workflows, so session lifetime decisions require balancing security against usability, but for high-sensitivity portals, aggressive session expiry is worth the tradeoff.
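The anomaly and lifetime checks from the last two sections, as an added example rather than code from this report or from SEND-SECURELY.COM: a server-side session store for a portal that records the login network context, enforces an absolute lifetime and an inactivity timeout, and on each later request flags a country or ASN discontinuity, revoking the session on geographic discontinuity and demanding step-up authentication on a network change within the same country. The IP-to-ASN table, timestamps, session identifiers, user names and user agents are constructed stand-ins for a real GeoIP/ASN lookup and real request logs; the 15-minute idle timeout is an assumed value.

```python
# Added example, not code from this report or from SEND-SECURELY.COM.
# Server-side session replay detection for a vendor portal. All IPs, ASNs,
# session ids, user names, timestamps and user agents below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ABSOLUTE_LIFETIME = timedelta(minutes=30)  # hard cap from the report
IDLE_TIMEOUT = timedelta(minutes=15)       # assumed inactivity timeout

# Stand-in for a GeoIP/ASN lookup (constructed values): ip -> (asn, country).
IP_INFO = {
    "203.0.113.10": ("AS64500", "US"),  # corporate egress
    "203.0.113.11": ("AS64500", "US"),  # second corporate egress address
    "192.0.2.5": ("AS64502", "US"),     # mobile carrier, same country
    "198.51.100.7": ("AS64501", "DE"),  # residential proxy abroad
}


def lookup(ip):
    return IP_INFO.get(ip, ("AS-unknown", "??"))


@dataclass
class Session:
    user: str
    issued_at: datetime
    last_seen: datetime
    login_asn: str
    login_country: str
    user_agent: str


class SessionStore:
    """Server-side state: the cookie is only a key into this dict, so revoking
    a session means deleting the entry and the stolen cookie keeps nothing."""

    def __init__(self):
        self.sessions = {}

    def login(self, sid, user, ip, ua, at):
        asn, country = lookup(ip)
        self.sessions[sid] = Session(user, at, at, asn, country, ua)

    def check(self, sid, ip, ua, at):
        """Evaluate one request that presents cookie `sid`.
        Returns (decision, reason); decision is allow, step_up or revoke."""
        s = self.sessions.get(sid)
        if s is None:
            return ("revoke", "unknown or already revoked session")
        if at - s.issued_at > ABSOLUTE_LIFETIME:
            return self._revoke(sid, "absolute lifetime exceeded")
        if at - s.last_seen > IDLE_TIMEOUT:
            return self._revoke(sid, "inactivity timeout")
        asn, country = lookup(ip)
        if country != s.login_country:
            # Geographic discontinuity inside one session: treat as replay.
            return self._revoke(sid, f"country changed {s.login_country}->{country}")
        if asn != s.login_asn:
            # Same country, new network: office to mobile, or a local proxy.
            # Keep the session but demand a fresh MFA/WebAuthn assertion.
            return ("step_up", f"ASN changed {s.login_asn}->{asn}")
        if ua != s.user_agent:
            # Weak signal (stealers export the user agent too), but free to check.
            return ("step_up", "user agent changed")
        s.last_seen = at
        return ("allow", "")

    def _revoke(self, sid, reason):
        del self.sessions[sid]
        return ("revoke", reason)


def t(hhmm):
    """Constructed UTC timestamps for the sample timeline."""
    return datetime(2025, 11, 4, int(hhmm[:2]), int(hhmm[3:]), tzinfo=timezone.utc)


# Constructed request log: (event, time, session id, user, client ip, user agent).
SAMPLE_LOG = [
    ("login",   "14:00", "sess-A", "alice", "203.0.113.10", "Chrome/130"),
    ("request", "14:12", "sess-A", "alice", "203.0.113.11", "Chrome/130"),  # same ASN
    ("request", "14:20", "sess-A", "alice", "198.51.100.7", "Chrome/130"),  # replay abroad
    ("request", "14:21", "sess-A", "alice", "198.51.100.7", "Chrome/130"),  # after revoke
    ("login",   "14:00", "sess-B", "bob",   "203.0.113.10", "Chrome/130"),
    ("request", "14:05", "sess-B", "bob",   "203.0.113.10", "Chrome/130"),  # fine
    ("request", "14:25", "sess-B", "bob",   "203.0.113.10", "Chrome/130"),  # idle 20 min
    ("login",   "14:00", "sess-C", "carol", "203.0.113.10", "Chrome/130"),
    ("request", "14:04", "sess-C", "carol", "192.0.2.5",    "Chrome/130"),  # new ASN
]


def replay_log(log=SAMPLE_LOG):
    """Run the log through the store and return every non-allow decision."""
    store = SessionStore()
    findings = []
    for event, when, sid, user, ip, ua in log:
        if event == "login":
            store.login(sid, user, ip, ua, t(when))
            continue
        decision, reason = store.check(sid, ip, ua, t(when))
        if decision != "allow":
            findings.append((when, sid, user, decision, reason))
    return findings


if __name__ == "__main__":
    for finding in replay_log():
        print(*finding)
```

The ordering of the checks is deliberate: lifetime and idle expiry run first because they are cheap and unambiguous, a country change within one session is treated as replay and ends the session, and an ASN change alone only forces a step-up because it is also what a legitimate user switching from office Wi-Fi to a phone hotspot looks like. In a real deployment the `step_up` decision should trigger a fresh WebAuthn or MFA challenge, and the lookup would be backed by a GeoIP/ASN database rather than the constructed table.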

BYOD access policy review. The hardest control to enforce but the most structurally important for organizations facing BYOD exposure: a clear, enforceable policy on which resources BYOD endpoints may access. If a vendor portal contains PHI or financial records, requiring managed device access is defensible from both a security and a compliance posture. We recognize this is operationally difficult for external vendor recipients who use personal devices by default; the practical answer is a combination of recipient MFA requirements and session anomaly detection rather than mandating device management for external parties.

What we’re seeing into Q1 2026

The info-stealer infrastructure active in Q4 has not gone quiet. Into Q1 2026 we are tracking two emerging patterns.

First, we are seeing a shift in info-stealer targeting toward cloud-native credentials: OAuth tokens, API keys, and cloud console session cookies, not just web application credentials. The attack surface has expanded as more regulated workflows move to cloud-delivered file transfer. The controls that apply to browser session cookies apply equally to these token types, but the detection logic differs and organizations that built their detection rules around browser session replay may not have adapted them for cloud API credential theft.

Second, we are observing early signs of AI-assisted session triage: the curation of stolen session data to identify high-value targets is being accelerated by automated tooling that classifies portal types and estimates access value without human review. The time between infostealer execution and deployment of stolen sessions against target portals is compressing. That compression reduces the window in which detection and revocation can intervene, making preventive controls — device-bound credentials, device compliance gating — more important relative to detective controls.

Our recommendation going into Q1: audit the authentication configuration on every externally accessible portal your organization operates. Specifically verify that WebAuthn is available (and preferred) for authentication, that session lifetimes are capped at a defensible value, and that session anomaly alerts are configured and monitored. If your BYOD access policy doesn’t address file-transfer portal access, update it.

Takeaway

Q4 2025’s dominant threat was info-stealer malware, Lumma and RedLine, harvesting browser session cookies from BYOD endpoints and replaying them against vendor portals. The defenses with the most impact are WebAuthn for login combined with device-bound sessions and step-up re-authentication (WebAuthn alone stops credential replay, not replay of the cookie issued afterwards), device compliance gating with re-evaluation after sign-in, and session anomaly detection. Short session lifetimes are a meaningful secondary control. Into Q1 2026, targeting is shifting toward cloud-native credentials and the triage-to-deployment window is compressing.