Kaspersky: 35% of Infostealer Infections Begin With Users Running Files Directly From Temporary Folders

Kaspersky announced that new research by Kaspersky Digital Footprint has discovered that more than one-third of infostealer infections start when users run files directly from temporary browser folders, showing that user behavior remains a key factor behind credential theft. Just 32% of infostealer attacks use process injection and living off the land techniques — behavior typical of advanced malware families.

Kaspersky DFI researchers analyzed 5 million infostealer log files discovered on the dark web in 2025. These logs, which contain data stolen from compromised devices such as account credentials, browser cookies and system metadata, also revealed the original locations of malicious files on infected machines.

The most common location was the Windows temporary directory, C:\Users\AppData\Local\Temp\, which accounted for approximately 35% of all observed cases. This folder is commonly used to store files downloaded from the internet before they are explicitly saved by a user: a significant share of infections occurs when users directly launch downloaded files, without attackers relying on sophisticated evasion techniques. 

The second most common location, responsible for about 32% of cases, was C:\Windows\Microsoft.NET\Framework\. This path is associated with process injection and living-off-the-land techniques, in which malware abuses legitimate system processes to evade detection. Such behavior is commonly observed in more advanced infostealer families, including Lumma.

The analysis indicates that infections are often linked to two risky user actions: downloading software from untrusted sources and attempting to activate software illegally. In many cases, victims follow instructions provided by threat actors and disable security software before running malicious files. According to the research, many malicious files were disguised as legitimate software installers, activators or game modifications. While game mods remain a common lure, attackers frequently adapt the same techniques to distribute virtually any type of software.

"Infostealers surged in 2025, with infections rising 59% year over year. Our analysis shows that user behavior remains a key factor behind many of these compromises. The volume of infostealers executed from temporary download folders, suggests that users often launch them immediately after downloading. In many cases, attackers do not need sophisticated techniques, they simply need to convince a user to run a file," said Sergey Shcherbel, expert at Kaspersky Digital Footprint Intelligence.

Beyond behavioural traits, distinct naming patterns were also observed across infostealer families. Lumma tends to favour generic installer names, .NET obfuscation and process injection. Vidar, in turn, typically appears as Bootstrapper.exe variants relying on conventional loaders. Stealc follows a mixed strategy, using both meaningful names like Licence_Version_Loader.exe and randomly generated filenames. RisePro, by contrast, stands out through recurring conventions such as MPGPH.exe and MSIUpdater.exe

Source: Kaspersky media announcement