SnakeStealer Surges to Become Top Infostealer in H1 2025, Responsible for Nearly One-Fifth of Global Detections
ESET researchers report that SnakeStealer, an infostealer first seen in 2019, has become the most detected infostealer in the first half of 2025, accounting for nearly 20% of global infostealer detections.

ESET researchers have identified SnakeStealer as the dominant infostealer threat in the first half of 2025, responsible for nearly one-fifth of all global infostealer detections tracked by ESET telemetry. The malware, detected primarily as MSIL/Spy.Agent.AES, first appeared in 2019 and was originally marketed as 404 Keylogger or 404 Crypter on underground forums before rebranding. Its resurgence follows the decline of Agent Tesla, with underground Telegram channels actively recommending SnakeStealer as its successor.
SnakeStealer operates as a malware-as-a-service (MaaS) platform, with operators renting or selling access to the malware along with technical support and updates. This business model lowers the barrier to entry for low-skilled attackers, enabling them to launch sophisticated campaigns without developing their own tools. The malware's modular design allows attackers to toggle features such as evasion, persistence, credential theft, surveillance, and exfiltration on or off to suit their needs.
Delivery methods vary widely, with phishing attachments remaining the primary vector. The payload may be disguised in password-protected ZIP files, weaponized RTF, ISO, and PDF files, or bundled with other malware. Occasionally, SnakeStealer hides inside pirated software or fake apps, indicating that not every compromise begins with a malicious email. In its early variants, the malware used Discord to host payloads, a tactic that has become a hallmark of its operations.
Once installed, SnakeStealer offers a full toolkit that includes the ability to terminate processes associated with security and malware analysis tools and to check for virtual environments in order to evade detection. It alters Windows boot configurations to maintain persistence on compromised systems. The malware extracts saved passwords from web browsers, databases, email and chat clients including Discord, and Wi-Fi networks. It also captures clipboard data, takes screenshots, and logs keystrokes. Stolen data is exfiltrated via FTP, HTTP, email, or Telegram bots.
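The behaviours listed above (killing analysis tools, changing boot configuration, and a document lure spawning a shell) are the kind of host telemetry a defender can alert on. The following detection sketch is an added example, not ESET's code or anything from the SnakeStealer operators: it scans process-creation events in a simple `parent|image|commandline` form that is assumed for this example. The log lines, the list of analysis-tool process names and the specific `bcdedit` settings are all constructed for illustration; the article does not say which boot settings SnakeStealer changes or which tools it terminates.

```python
"""Detection sketch (added example): flag process-creation events that match
the evasion and persistence behaviours attributed to SnakeStealer.
Every sample line, tool name and bcdedit setting below is constructed."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample telemetry in "parent|image|commandline" form (assumed format).
SAMPLE_EVENTS = [
    "explorer.exe|winword.exe|winword.exe /n C:\\Users\\u\\invoice.rtf",
    "winword.exe|cmd.exe|cmd.exe /c taskkill /F /IM procmon.exe",
    "winword.exe|cmd.exe|cmd.exe /c taskkill /F /IM wireshark.exe",
    # Constructed bcdedit examples; the article does not name the real settings.
    "cmd.exe|bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "cmd.exe|bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    "explorer.exe|notepad.exe|notepad.exe C:\\notes.txt",
    "services.exe|svchost.exe|svchost.exe -k netsvcs",
]

# Illustrative analysis/security tool names an infostealer might try to kill
# (assumed list for this example, not taken from the article).
ANALYSIS_TOOLS = {"procmon.exe", "procexp.exe", "wireshark.exe",
                  "x64dbg.exe", "ollydbg.exe", "fiddler.exe"}

# Document readers that match the phishing-attachment vector (RTF, PDF, Office)
# and the interpreters they should not normally spawn (assumed lists).
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "acrord32.exe", "wordpad.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

TASKKILL_RE = re.compile(r"taskkill\b.*?/im\s+(\S+)", re.IGNORECASE)
BCDEDIT_SET_RE = re.compile(r"bcdedit(?:\.exe)?\s+/set\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Split one 'parent|image|commandline' record; names are lower-cased."""
    parent, image, cmdline = (part.strip() for part in line.split("|", 2))
    return ProcEvent(parent.lower(), image.lower(), cmdline)


def check_event(ev: ProcEvent) -> list[str]:
    """Return the names of every detection rule the event triggers."""
    hits = []
    # Rule 1: taskkill aimed at a known analysis or security tool.
    m = TASKKILL_RE.search(ev.cmdline)
    if m and m.group(1).lower() in ANALYSIS_TOOLS:
        hits.append("analysis_tool_kill")
    # Rule 2: any change to the boot configuration store via bcdedit /set.
    if ev.image == "bcdedit.exe" and BCDEDIT_SET_RE.search(ev.cmdline):
        hits.append("boot_config_change")
    # Rule 3: a document reader launching a shell or script interpreter.
    if ev.parent in DOCUMENT_PARENTS and ev.image in SHELLS:
        hits.append("office_spawns_shell")
    return hits


def scan_events(lines) -> list[dict]:
    """Run every rule over every record; one finding per (event, rule) pair."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in check_event(ev):
            findings.append({"rule": rule, "image": ev.image, "cmdline": ev.cmdline})
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, e.g. for a dashboard or alert threshold."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    results = scan_events(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['rule']}] {f['image']}: {f['cmdline']}")
    print(summarize(results))
```

Each rule is deliberately narrow so that the three findings can be correlated on the same host within a short window: a document reader spawning `cmd.exe`, that shell killing an analysis tool, and a follow-on `bcdedit /set` together describe the sequence the article attributes to the malware far more reliably than any one of them alone.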
The rise of SnakeStealer reflects a broader trend in the cybercrime landscape: the industrialization of malware development and distribution. As one infostealer fades, another fills the gap, armed with largely the same tried-and-tested tactics. ESET's findings underscore the importance of strong cybersecurity practices, including skepticism of unsolicited messages, keeping systems and apps updated, enabling multi-factor authentication, and using reputable security software on all devices.
For users who suspect a compromise, ESET recommends changing all passwords from a clean device, revoking open sessions, and monitoring accounts for suspicious activity. The malware's modularity and MaaS model make it a persistent threat, but adherence to basic security hygiene can significantly reduce the risk of infection.