TL;DR
The entire ransomware economy now runs on a three-stage conveyor belt: infostealer malware harvests credentials and session cookies for as little as $100/month; Initial Access Brokers (IABs) sort, price, and resell that access in underground markets; ransomware affiliates buy in and deploy within hours. The credential is the breach — responsible for 22% of confirmed incidents and 88% of web-application attacks according to Verizon's DBIR. Standard MFA doesn't stop it because Remus, LummaC2, and their kin steal live session tokens that were already past the authentication checkpoint. This playbook dissects each stage of the pipeline and prescribes the specific controls that actually interrupt it.
Background: The Credential Economy in 2026
Passwords were always a weak link. In 2026 they're barely a link at all. The underground market has matured to the point where harvesting credentials is an industrialized, subscription-based service — and defenders are still responding to a threat that looked fundamentally different five years ago.
The numbers are staggering. SpyCloud's 2026 Identity Exposure Report documented 65.7 billion distinct identity records in its recaptured datalake — a 23% year-over-year increase — representing 8.6 billion stolen session cookies and 642.4 million individual credentials extracted from 13.2 million confirmed infostealer infections during 2025 alone. Recorded Future's Identity Threat Landscape Report logged 1.95 billion malware combo-list credential exposures across the same period, with 276 million of those credentials arriving with active session tokens capable of bypassing multi-factor authentication entirely.
On the cost side: IBM's 2025 Cost of a Data Breach Report valued a compromised-credential incident at USD $4.67 million with a 246-day mean time-to-identify-and-contain — the worst of any initial access category. Yet the attacker's entry fee to cause that damage is laughably low. A LummaC2 subscription runs between $100 and $1,024 per month. A RedLine license is comparable. The asymmetry is not closing.
Meanwhile, on the buy side of the pipeline, Chainalysis confirmed that IABs collected at least USD $14 million in traceable on-chain payments in 2025 against a total ransomware on-chain payment pool of $820 million — a ratio that suggests brokered access underpins a meaningful fraction of every major ransomware deployment. Average IAB listing prices sit around $2,700 for commodity enterprise access; verified domain-admin credentials in mature organizations routinely fetch over $113,000.
Stage 1 — The Harvest: How Infostealers Operate in 2026
The infostealer ecosystem has gone through a significant evolution. The classic RedLine/Raccoon model — cheap, commodity, noisy — gave way to more sophisticated families capable of defeating browser-level protections that defenders thought were improving the landscape.
Lumma and the App-Bound Encryption Wars
When Google introduced Application-Bound Encryption (ABE) for Chromium-based browsers in 2024, there was brief optimism that session cookie theft would become significantly harder. ABE wraps the cookie-store key so that a system-privileged service will only unwrap it for the browser's own identity; a user-level process that simply calls DPAPI on the cookie database, which is what earlier stealers did, gets nothing back. The infostealer ecosystem responded within months.
Lumma Stealer developed a bypass that resolves `CryptUnprotectMemory` via export hashing against `dpapi.dll`, then scans the target browser's DLL for a specific opcode pattern leading to the `os_crypt_async::Encryptor` vtable where the unwrapped key lives. Rather than defeating ABE's encryption directly, the technique exploits the fact that the browser itself must be able to decrypt its own cookies: the key is always present in the browser's process memory, and code running inside that process, which ABE was never designed to withstand, can read it out.
Remus, documented in early 2026 by Gen Threat Labs, is a 64-bit evolution of the Lumma codebase — confirmed by overlapping string obfuscation (mixed Boolean-arithmetic stack-built string decryption), matching anti-VM cpuid checks against VMware/VirtualBox/KVM/Xen, identical hash-based Windows API resolution against ntdll.dll, and shared ChaCha20 C2 configuration layout. Remus adds EtherHiding-based C2 resolution, resolving command-and-control infrastructure via on-chain blockchain lookups rather than traditional DNS, making sinkholing far more difficult. Analysts trace Remus activity to shortly after Lumma's core operators were publicly identified between August and October 2025, suggesting a deliberate rebrand or code split by surviving developers.
The operational impact: Remus successfully extracts passwords, session cookies, crypto wallet keys, and clipboard data from current Chrome, Edge, and Brave installations, including installations where App-Bound Encryption is active.
The Session Cookie Problem
Google's response in April 2026 was the public launch of Device Bound Session Credentials (DBSC), now available for Windows on Chrome 146 with macOS support forthcoming. DBSC cryptographically binds authentication sessions to a specific device using hardware-backed security — TPM on Windows, Secure Enclave on macOS — generating a non-exportable public/private key pair. Short-lived session cookies are re-issued only after Chrome proves possession of the corresponding private key, meaning an exfiltrated cookie is useless on any device other than the one that generated it.
DBSC is a genuine architectural improvement, and Google reports a measurable reduction in session theft for protected sessions since its phased rollout. The limitation: DBSC requires both the client (Chrome 146+) and the server (dedicated registration and refresh endpoints) to be updated. In 2026, lagging enterprise fleet standardization and patchy third-party SaaS support mean the majority of enterprise sessions are not yet protected by DBSC. Defenders cannot rely on it as a universal control for the near term.
What infostealers actually harvest in 2026:
- Browser-stored username/password pairs (all major browsers, all profiles)
- Session cookies, including those carrying `httpOnly`, `Secure`, and `SameSite` flags: the cookie store is read at file-system level, so JavaScript-side restrictions never apply
- OAuth refresh tokens cached by Electron apps and native clients
- MFA TOTP seeds stored in browser extensions
- AWS/Azure/GCP CLI credential files (`~/.aws/credentials`, `~/.azure`, `gcloud` configs)
- SSH private keys from `~/.ssh/`
- Crypto wallet seed phrases and private keys
- Password manager vaults (captured while decrypted in memory, for example during an export)
- Clipboard content at the moment of infection (useful for catching pasted-in credentials)
Delivery Vectors
Infostealer campaigns in 2026 rely on a diversified set of delivery mechanisms:
- Malvertising: Sponsored search ads for software downloads (VS Code, Zoom, VPN clients, game mods) serving signed malicious installers
- GitHub-hosted loaders: Malicious repos dressed up with faked star counts, polished READMEs, and pinned releases serving stager executables
- Phishing-as-a-Service: Pre-packaged campaigns with Microsoft 365 lure pages behind adversary-in-the-middle reverse proxies that relay the login in real time, let the victim complete MFA, and capture the resulting session cookie before forwarding them to the legitimate destination
- Cracked software and game cheats: Persistent high-volume vector; the demographic overlap with employee personal devices is significant
- YouTube/TikTok comment drops: Links to "cracked" software with comment-boosted legitimacy signals
Stage 2 — The Broker: IAB Market Mechanics
After harvest, logs are typically pushed to Telegram channels or dark web markets within hours. The IAB layer transforms raw credential dumps into actionable enterprise access.
How brokers add value:
1. Verification: Testing credentials against target VPNs, Citrix portals, and admin panels to confirm active sessions
2. Enrichment: Correlating against LinkedIn/GitHub to identify privilege level, department, and organizational position of the account holder
3. Pricing: Tiered by access level — RDP/VPN sessions in commodity orgs start at a few hundred dollars; verified domain admin in a critical infrastructure org crosses six figures
4. Escrow and dispute resolution: Established markets offer guarantees, with refunds if access expires before the buyer can use it
Timeline: from infostealer infection to IAB listing, independent analysts have documented timelines as short as 48 hours. From IAB listing to ransomware deployment, timelines of 24–72 hours are common for active buyers. The 246-day IBM MTTI+C figure reflects how long the victim takes to discover and remediate — not how long the attacker takes to act.
Stage 3 — Ransomware Affiliate Execution
Ransomware-as-a-Service (RaaS) affiliates are the buyers at the end of the pipeline. They acquire validated access from IABs, conduct rapid internal reconnaissance (increasingly automated via toolkits like Cobalt Strike beacons, Brute Ratel, and custom EDR-bypass loaders), escalate privilege, move laterally, stage exfiltration, and deploy ransomware — typically achieving domain-wide encryption within 24 hours of initial access on unprepared networks.
The pipeline is why ransomware response is increasingly moving left: by the time the encryption phase fires, the attacker has already had domain admin for 18+ hours, exfiltrated data to a staging server, and disabled backup agents on every host they touched.
IOCs and Detection Signatures
Infostealer Indicators (Remus/Lumma family, May 2026)
Network (C2 resolution)
- Remus uses EtherHiding: watch for DNS/HTTPS requests to public Ethereum RPC endpoints (`cloudflare-eth.com`, `eth.llamarpc.com`, `rpc.ankr.com`) from processes with no business on a blockchain (injected browser or system-utility processes rather than a wallet application). These endpoints are legitimate and widely used, so the process context, not the destination, is the signal.
- C2 domains tend to be freshly registered (<30 days) and hosted at bulletproof hosting ASNs (AS58061/Frantech, AS59253/Lir LLC, AS40065/CNSERVERS)
Host (behavioral)
- `dpapi.dll` loaded by processes that do not normally use DPAPI
- `CryptUnprotectMemory` calls originating from injected threads in browser processes
- Browser user data directories (`%LOCALAPPDATA%\Google\Chrome\User Data\Default`) accessed by non-browser processes
- `%APPDATA%\...\Roaming` staging directories with randomly named executables exhibiting high entropy (>7.0 Shannon entropy)
- Anti-VM CPUID checks at leaf 0x40000000
- ChaCha20 decryption signatures in memory of newly spawned processes
Stealer Log Pipeline Indicators
- Outbound HTTPS POST to the Telegram Bot API (`api.telegram.org`) from non-Telegram processes
- Large multipart uploads to file-sharing services (gofile.io, filebin.net, anonfiles mirrors) from browser processes
- Clipboard-monitoring `SetClipboardViewer`/`AddClipboardFormatListener` calls in non-productivity apps
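The host and pipeline indicators above translate directly into detection rules. The block below is an added example, not code from the original page or from any EDR vendor: it applies those indicators to a handful of constructed EDR-style events (not real captures) and includes the Shannon-entropy check for the staging-directory executable. Process names, the wallet-app allowlist, the 10 MB bulk-upload threshold, and the event schema are assumptions to be mapped onto your own telemetry.

```python
import math
import random
from collections import Counter
from typing import Dict, List

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
WALLET_APPS = {"Ledger Live.exe", "Exodus.exe"}   # assumption: your allowlist of legitimate chain clients
TELEGRAM_CLIENTS = {"Telegram.exe"}
ETH_RPC_HOSTS = {"cloudflare-eth.com", "eth.llamarpc.com", "rpc.ankr.com"}
FILE_SHARE_HOSTS = {"gofile.io", "filebin.net"}
BULK_UPLOAD_BYTES = 10 * 1024 * 1024              # assumption: tune to your users' real upload habits
ENTROPY_THRESHOLD = 7.0                           # from the page's >7.0 Shannon entropy indicator


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted payloads sit near 8, plain text around 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def evaluate(events: List[Dict]) -> List[Dict]:
    """Apply the page's host and pipeline indicators to EDR-style events."""
    hits: List[Dict] = []

    def hit(event: Dict, rule: str) -> None:
        hits.append({"event": event["id"], "process": event["process"], "rule": rule})

    for e in events:
        proc, kind = e["process"], e["type"]
        if kind == "file_read" and "\\User Data\\Default" in e["path"] and proc not in BROWSERS:
            hit(e, "browser_profile_read_by_nonbrowser")
        elif kind == "remote_thread" and e["target"] in BROWSERS:
            hit(e, "thread_injection_into_browser")
        elif kind == "net_connect" and e["dst"] in ETH_RPC_HOSTS and proc not in WALLET_APPS:
            hit(e, "eth_rpc_from_unexpected_process")
        elif kind == "net_post":
            if e["dst"] == "api.telegram.org" and proc not in TELEGRAM_CLIENTS:
                hit(e, "telegram_api_from_nonclient")
            if e["dst"] in FILE_SHARE_HOSTS and proc in BROWSERS and e["bytes"] > BULK_UPLOAD_BYTES:
                hit(e, "bulk_upload_to_filehost")
        elif (kind == "file_write" and "\\AppData\\Roaming\\" in e["path"]
              and e["path"].lower().endswith(".exe")
              and shannon_entropy(e["content"]) > ENTROPY_THRESHOLD):
            hit(e, "high_entropy_exe_in_appdata")
    return hits


def sample_events() -> List[Dict]:
    """Constructed telemetry, not real captures. Event 8 carries seeded pseudo-random
    bytes standing in for a packed binary; event 9 is a plain-text note."""
    profile = "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"
    rng = random.Random(7)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return [
        {"id": 1, "type": "file_read", "process": "chrome.exe", "path": profile},
        {"id": 2, "type": "file_read", "process": "wmsetup.exe", "path": profile},
        {"id": 3, "type": "net_connect", "process": "wmsetup.exe", "dst": "eth.llamarpc.com", "port": 443},
        {"id": 4, "type": "net_post", "process": "chrome.exe", "dst": "gofile.io", "bytes": 48 * 1024 * 1024},
        {"id": 5, "type": "net_post", "process": "wmsetup.exe", "dst": "api.telegram.org", "bytes": 2_400_000},
        {"id": 6, "type": "net_post", "process": "Telegram.exe", "dst": "api.telegram.org", "bytes": 12_000},
        {"id": 7, "type": "remote_thread", "process": "wmsetup.exe", "target": "chrome.exe"},
        {"id": 8, "type": "file_write", "process": "wmsetup.exe",
         "path": "C:\\Users\\a\\AppData\\Roaming\\Xk9\\qz7u3.exe", "content": packed},
        {"id": 9, "type": "file_write", "process": "notepad.exe",
         "path": "C:\\Users\\a\\AppData\\Roaming\\notes.txt", "content": b"meeting notes\n" * 100},
    ]


if __name__ == "__main__":
    for h in evaluate(sample_events()):
        print(h)
```

Events 2, 3, 4, 5, 7 and 8 fire; 1, 6 and 9 are the benign counterparts that the process-context conditions exist to exclude. The RPC and Telegram rules are only as good as the allowlists, so expect to baseline them per estate before paging anyone on a hit.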
IAB Market Fingerprints
- Look for logins from anonymizing infrastructure (commercial VPN exits such as Mullvad and ProtonVPN, Apple iCloud Private Relay on AS714, Bright Data and similar residential proxy ranges) to critical admin interfaces, particularly the Okta, Azure AD, or Duo admin portals used by CISOs and IT administrators
- Watch for account authentications from new geographic locations within 6 hours of a known-good authentication from a different continent (implausible travel detection)
The Lyrie Take
The infostealer-to-IAB pipeline represents a structural vulnerability in enterprise security architecture that no single product solves. The problem is that identity verification was designed to gatekeep at login, but infostealers harvest credentials after a successful login — exporting a proof of identity that is valid, session-bound, and effectively impossible to distinguish from the legitimate user on most network detection systems.
The market pricing tells the strategic story: a $100/month malware subscription can unlock a $113,000 IAB listing that enables a $4.67 million breach. The ROI math for attackers is grotesquely favorable. The only way to change it is to make stolen credentials operationally worthless — not just harder to steal.
DBSC, passkeys, and hardware-bound sessions represent the correct long-term direction. But in 2026, the transition window is years long. The defender's job is to build compensating controls that detect abuse of legitimate sessions — treating post-authentication behavior as a distinct threat surface, not an extension of the authentication perimeter.
Defender Playbook: 12 Controls That Break the Pipeline
Tier 1 — Reduce the Harvest Surface
Control 1: Enforce Managed Device Posture at Every Authentication Gate
Personal devices are the infostealer's primary infection surface. Every VPN, Citrix, and SaaS SSO entry point should enforce device compliance via MDM certificate (Intune, Jamf) as a hard prerequisite for session issuance. A valid credential from an unmanaged device should be treated as compromise signal, not access grant.
Control 2: Deploy DBSC-Ready Session Architecture Now
If you control web properties, add DBSC registration and refresh endpoint support proactively. Chrome 146 delivers the client side. Web application teams should begin testing DBSC enrollment flows today — the feature is opt-in and backward-compatible. For SaaS estates, pressure vendors on DBSC support timelines.
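To make the mechanism from the Session Cookie Problem section and the endpoints this control asks for concrete, here is an added example, written for this page rather than taken from Chrome, the DBSC specification, or any identity provider. It models a device-bound session end to end: registration after the interactive login binds the session to a per-device key, the cookie is short-lived, and the refresh endpoint re-issues it only to a caller that signs a fresh challenge with that key. Endpoint names, the cookie format, the 300-second TTL and the in-memory `Device` standing in for browser plus TPM are all assumptions; it depends on the `cryptography` package for P-256 ECDSA.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


class Device:
    """Stands in for browser + TPM: the private key never leaves this object."""

    def __init__(self) -> None:
        # Assumption: in DBSC this key is generated inside the TPM and is non-exportable.
        self._priv = ec.generate_private_key(ec.SECP256R1())

    def public_key_pem(self) -> bytes:
        return self._priv.public_key().public_bytes(
            serialization.Encoding.PEM,
            serialization.PublicFormat.SubjectPublicKeyInfo,
        )

    def sign(self, challenge: bytes) -> bytes:
        return self._priv.sign(challenge, ec.ECDSA(hashes.SHA256()))


class Server:
    """Illustrative registration and refresh endpoints for a device-bound session."""

    COOKIE_TTL = 300  # seconds; deliberately short, the refresh is what re-proves possession

    def __init__(self) -> None:
        self._mac_key = secrets.token_bytes(32)
        self._sessions: Dict[str, dict] = {}     # sid -> {"user", "pub"}
        self._challenges: Dict[str, bytes] = {}  # sid -> outstanding nonce

    def _mint_cookie(self, sid: str, now: int) -> str:
        body = json.dumps({"sid": sid, "exp": now + self.COOKIE_TTL}, sort_keys=True)
        tag = hmac.new(self._mac_key, body.encode(), hashlib.sha256).hexdigest()
        return body + "|" + tag

    def register(self, user: str, device_pub_pem: bytes, now: int) -> Tuple[str, str]:
        """Called once after the interactive login (password + MFA): bind the session to the key."""
        sid = secrets.token_hex(8)
        self._sessions[sid] = {"user": user, "pub": device_pub_pem}
        return sid, self._mint_cookie(sid, now)

    def authorize(self, cookie: str, now: int) -> Optional[str]:
        """Ordinary request: a valid, unexpired cookie is a bearer token, wherever it came from."""
        body, _, tag = cookie.rpartition("|")
        expected = hmac.new(self._mac_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        claims = json.loads(body)
        sess = self._sessions.get(claims["sid"])
        if sess is None or claims["exp"] <= now:
            return None
        return sess["user"]

    def challenge(self, sid: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._challenges[sid] = nonce
        return nonce

    def refresh(self, sid: str, signature: bytes, now: int) -> Optional[str]:
        """Re-issue a cookie only to a caller holding the private key bound at registration."""
        nonce = self._challenges.pop(sid, None)
        sess = self._sessions.get(sid)
        if nonce is None or sess is None:
            return None
        pub = serialization.load_pem_public_key(sess["pub"])
        try:
            pub.verify(signature, nonce, ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            return None
        return self._mint_cookie(sid, now)


def run_scenario() -> Dict[str, Optional[str]]:
    """Victim logs in on device A; a stealer copies the cookie to attacker device B."""
    server = Server()
    victim_device, attacker_device = Device(), Device()
    t0 = 1_700_000_000
    sid, cookie = server.register("alice", victim_device.public_key_pem(), t0)
    results: Dict[str, Optional[str]] = {}
    # Inside the TTL the stolen cookie still works: DBSC narrows the window, it does not close it.
    results["replay_before_expiry"] = server.authorize(cookie, t0 + 60)
    # Past the TTL the cookie is dead on every device, the victim's included.
    results["replay_after_expiry"] = server.authorize(cookie, t0 + Server.COOKIE_TTL + 1)
    # Device B has the cookie but not the key, so it cannot obtain a fresh one.
    results["attacker_refresh"] = server.refresh(sid, attacker_device.sign(server.challenge(sid)), t0 + 400)
    # Device A refreshes normally and carries on.
    fresh = server.refresh(sid, victim_device.sign(server.challenge(sid)), t0 + 400)
    results["victim_refresh"] = server.authorize(fresh, t0 + 401) if fresh else None
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The scenario makes the caveat visible: the stolen cookie is accepted for the rest of its TTL, and only the refresh is gated on the key. That is why the cookie lifetime has to be short for device binding to mean anything, and why the server side of the work is the registration and refresh endpoints rather than the cookie itself.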
Control 3: Migrate High-Privilege Accounts to Hardware FIDO2
TOTP-based MFA does not stop infostealers that harvest TOTP seeds from browser extensions. Physical FIDO2 keys (YubiKey, Google Titan) store the private key in hardware and require physical presence for each authentication. Target at minimum: all IT administrators, security team, finance, and executive accounts. The deployment cost is orders of magnitude below the six-figure prices domain-admin access fetches on IAB markets. One caveat: FIDO2 hardens the login, not the session that follows it. A session cookie stolen after a successful FIDO2 authentication replays just as well as one stolen after a password, so this control belongs alongside short session lifetimes and the session-abuse detections in Tier 2, not in place of them.
Control 4: Credential Isolation — No Browser-Based Secret Storage
Browser-saved passwords are the lowest-hanging fruit for every infostealer family. Enforce enterprise password manager adoption (1Password, Dashlane Teams) with policies that block native browser credential saving via endpoint policy. Separately, mandate that cloud CLI tools (AWS, Azure, GCP) use temporary session tokens via SSO rather than long-lived credential files in home directories.
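The harvest list in Stage 1 names `~/.aws/credentials` as a target, and this control asks for temporary SSO-issued credentials in its place. The block below is an added example (not AWS tooling and not code from the original page) that audits a developer's AWS files for the difference: it flags static IAM user keys (`AKIA...`) that a stealer log keeps forever, accepts STS credentials (`ASIA...` plus a session token) that at least expire, and lists the profiles in `~/.aws/config` that already go through IAM Identity Center. The two file contents are constructed samples with fake key material.

```python
import configparser
import re
from typing import Dict, List

# Constructed copies of a developer's ~/.aws/credentials and ~/.aws/config. Keys are fake.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLE000000001
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[sso-temp]
aws_access_key_id = ASIAEXAMPLE000000002
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEBYaDEXAMPLESESSIONTOKEN

[build-bot]
aws_access_key_id = AKIAEXAMPLE000000003
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

SAMPLE_CONFIG = """\
[profile dev]
sso_session = corp
sso_account_id = 123456789012
sso_role_name = DeveloperAccess
region = eu-west-1

[profile legacy]
region = eu-west-1

[sso-session corp]
sso_start_url = https://corp.awsapps.com/start
sso_region = eu-west-1
"""

LONG_LIVED = re.compile(r"^AKIA[0-9A-Z]{16}$")  # IAM user access keys: valid until someone disables them
TEMPORARY = re.compile(r"^ASIA[0-9A-Z]{16}$")   # STS-issued: paired with a session token and an expiry


def classify_key(key_id: str) -> str:
    if LONG_LIVED.match(key_id):
        return "long-lived"
    if TEMPORARY.match(key_id):
        return "temporary"
    return "unknown"


def audit_credentials(text: str) -> List[Dict[str, str]]:
    """One finding per profile in a credentials file."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    for profile in cp.sections():
        key_id = cp.get(profile, "aws_access_key_id", fallback="")
        kind = classify_key(key_id)
        has_token = cp.has_option(profile, "aws_session_token")
        if kind == "long-lived":
            verdict = "ROTATE: static IAM user key; a stealer log containing it works until someone disables it"
        elif kind == "temporary" and has_token:
            verdict = "OK: STS credentials; still usable if stolen, but only until they expire"
        else:
            verdict = "REVIEW: unrecognised key material"
        findings.append({"profile": profile, "key_id": key_id, "kind": kind, "verdict": verdict})
    return findings


def sso_profiles(config_text: str) -> List[str]:
    """Profiles in ~/.aws/config that obtain credentials through IAM Identity Center (the target state)."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    return [s[len("profile "):] for s in cp.sections()
            if s.startswith("profile ") and cp.has_option(s, "sso_session")]


if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_CREDENTIALS):
        print(f"{f['profile']:10} {f['kind']:10} {f['verdict']}")
    print("SSO-backed profiles:", sso_profiles(SAMPLE_CONFIG))
```

Run the same audit across your endpoint fleet and the `ROTATE` rows are your list of keys to disable in IAM before a log containing them is sold. Note that moving to SSO does not remove the on-disk secret entirely: the CLI caches the Identity Center access token under `~/.aws/sso/cache/`, which a stealer will also take, but that token expires with the SSO session instead of living indefinitely.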
Tier 2 — Detect Active Session Abuse
Control 5: Session Anomaly Detection on Every Identity Provider
Build or enable detections that flag:
- Simultaneous active sessions for the same account from different IP families (ISP vs. residential proxy)
- Rapid geographic displacement (same session authenticated from Dubai, then from a Hostinger VPS in the Netherlands 4 minutes later)
- Session lifetime outliers (a session kept alive by continuous refreshes far beyond the user's normal working pattern, or a refresh token redeemed from a client that never performed the interactive login; a replayed token shows up as activity the original client cannot account for)
Most enterprise identity providers (Okta, Entra ID, Ping) surface the raw events; the gap is in the detection logic.
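Since the gap is the detection logic, here is an added example of that logic, written for this page and not drawn from Okta, Entra ID, Ping, or any vendor's rule set. It covers the IAB Market Fingerprints above (admin-portal logins from anonymizing ASNs, implausible travel within a six-hour window) and the first two bullets of this control (network-family mismatch between consecutive sessions, rapid geographic displacement). The sign-in events are constructed; the `family` field stands in for what an IP-enrichment feed would label the source ASN, and the 900 km/h plausibility ceiling, the 50 km jitter guard, and the admin-app names are assumptions to tune.

```python
import math
from datetime import datetime, timedelta
from typing import Dict, List

MAX_PLAUSIBLE_KMH = 900                  # assumption: roughly airliner speed; tune per estate
CONCURRENT_WINDOW = timedelta(hours=6)   # from the page's "within 6 hours" fingerprint
GEOIP_JITTER_KM = 50                     # assumption: ignore moves smaller than geo-IP noise
ANON_FAMILIES = {"vpn", "residential_proxy", "hosting"}
ADMIN_APPS = {"okta-admin", "entra-admin", "duo-admin"}   # assumption: your critical admin portals

# Constructed sign-in events, not real logs. Coordinates are the geo-IP result for the source IP.
SAMPLE_EVENTS: List[Dict] = [
    {"user": "alice", "ts": "2026-05-12T10:00:00+00:00", "ip": "203.0.113.10",
     "lat": 25.2048, "lon": 55.2708, "family": "isp", "app": "m365"},            # Dubai, home ISP
    {"user": "alice", "ts": "2026-05-12T10:04:00+00:00", "ip": "198.51.100.7",
     "lat": 52.3676, "lon": 4.9041, "family": "hosting", "app": "m365"},         # Amsterdam VPS, 4 min later
    {"user": "bob", "ts": "2026-05-12T09:00:00+00:00", "ip": "203.0.113.44",
     "lat": 40.7128, "lon": -74.0060, "family": "isp", "app": "m365"},
    {"user": "bob", "ts": "2026-05-12T11:00:00+00:00", "ip": "203.0.113.44",
     "lat": 40.7128, "lon": -74.0060, "family": "isp", "app": "m365"},
    {"user": "carol", "ts": "2026-05-12T12:00:00+00:00", "ip": "192.0.2.99",
     "lat": 50.1109, "lon": 8.6821, "family": "residential_proxy", "app": "okta-admin"},
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two geo-IP points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect(events: List[Dict]) -> List[Dict]:
    """Evaluate each sign-in against the previous one for the same user and against the admin-portal rule."""
    findings: List[Dict] = []
    by_user: Dict[str, List[Dict]] = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_user.setdefault(e["user"], []).append(e)

    for user, evs in by_user.items():
        for i, cur in enumerate(evs):
            if cur["app"] in ADMIN_APPS and cur["family"] in ANON_FAMILIES:
                findings.append({"user": user, "rule": "admin_login_from_anonymizer",
                                 "ts": cur["ts"], "ip": cur["ip"], "family": cur["family"]})
            if i == 0:
                continue
            prev = evs[i - 1]
            gap = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            if gap > CONCURRENT_WINDOW:
                continue   # sessions that far apart are judged on their own
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = gap.total_seconds() / 3600
            if km > GEOIP_JITTER_KM and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                findings.append({"user": user, "rule": "impossible_travel", "ts": cur["ts"],
                                 "km": round(km), "minutes": round(hours * 60)})
            if prev["family"] != cur["family"] and prev["ip"] != cur["ip"]:
                findings.append({"user": user, "rule": "network_family_mismatch", "ts": cur["ts"],
                                 "from": prev["family"], "to": cur["family"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Alice's second event is the stolen-session shape this page is about: same account, a hosting ASN instead of her ISP, and about 5,000 km covered in four minutes. Bob's two ordinary logins produce nothing, and Carol trips only the admin-portal rule. Feeding this the raw sign-in events your IdP already emits, enriched with an ASN-type label, is the whole of the missing piece.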
Control 6: Continuous Dark Web and Stealer-Log Monitoring
Stealer logs for your domains hit Telegram and dark web markets within 48 hours of infection. Services from SpyCloud, Recorded Future Identity, and Flare continuously ingest these markets and alert on credential exposure before an IAB buyer can act. The window between log posting and IAB listing is the defender's best intervention opportunity. This is not a "nice to have" in 2026 — it's the most direct way to catch compromises the endpoint missed.
Control 7: Impossible Travel and Device Trust Scoring at the Network Layer
Supplement identity-provider detections with network-layer signals. SASE/SSE platforms (Zscaler, Netskope, Palo Alto Prisma) can correlate authentication context with network telemetry to build device trust scores that dynamically step up authentication or restrict session scope based on behavioral anomaly. A session that authenticated cleanly but is now accessing sensitive SharePoint libraries at 3 AM from a new IP should trigger re-authentication and analyst alert, not silent approval.
Control 8: Privileged Access Workstations (PAWs) with No Lateral Internet Exposure
Domain admin, Azure AD global admin, and critical infrastructure accounts should authenticate only from hardened PAWs that have no general internet access and no browser-based workflows. Infostealers need internet egress to exfiltrate, and a PAW without it gives a stealer no way to ship whatever it collects. Binding the PAW's sessions to its hardware (Windows Hello for Business with Entra ID, or smart card) means a credential lifted from it cannot be replayed from an attacker's machine.
Tier 3 — Reduce Ransomware Blast Radius
Control 9: Tiered Network Segmentation with Identity-Aware Micro-Perimeters
The infostealer pipeline only converts to ransomware when the attacker can move laterally from the compromised endpoint to high-value targets. Implement identity-aware micro-segmentation that treats east-west access requests as untrusted: every internal service request requires a valid identity claim, and service-to-service trust is explicitly defined rather than implicitly inherited from network zone membership.
Control 10: Immutable Backup Architecture with Air-Gap and MFA-Protected Recovery
Ransomware affiliates disable backup agents as a standard step. Backup systems that are reachable from the production domain under standard credentials will be destroyed. Requirements: 3-2-1-1 (3 copies, 2 media, 1 offsite, 1 offline), recovery account credentials stored in hardware-backed HSM or offline vault, recovery flow tested quarterly (not just backup completion), and backup agents running as a separate, non-domain identity that production accounts cannot enumerate or disable.
Control 11: EDR with Memory Protection and Behavioral DPAPI Monitoring
Commodity EDR configured for signature detection alone will not catch Remus or future Lumma variants. Ensure your EDR solution has:
- Memory protection with process injection detection (targeting `CryptUnprotectMemory` abuse by injected threads)
- Browser data-directory access controls (alert on non-browser processes reading `User Data\Default` paths)
- Network telemetry to detect Telegram Bot API exfiltration patterns
CrowdStrike Falcon, SentinelOne Singularity, and Microsoft Defender for Endpoint all ship relevant behavioral detections — but defaults need tuning for this specific class.
Control 12: Infostealer-Aware Employee Security Training
The most effective infostealer delivery vectors (malvertising for popular software, cracked tools, fake game mods) target employees' personal browsing behavior, often on personal or BYOD devices that then sync cloud credentials into corporate workflows. Training content needs to be updated to reflect the actual threat: it's not "don't click phishing emails" anymore, it's "the software you downloaded on your personal laptop may have already stolen your work Google account session." Specific modules: recognizing sponsored search ads for software downloads, safe software sourcing, and what to do if you suspect infostealer infection (from a different, clean device: change all cloud credentials and revoke every active session, because a new password does nothing to a session cookie that is already sitting in a stealer log).
Sources
1. Verizon 2025 Data Breach Investigations Report — https://www.verizon.com/business/resources/reports/2025-dbir-data-breach-investigations-report.pdf
2. SpyCloud 2026 Annual Identity Exposure Report — https://spycloud.com/blog/2026-annual-identity-exposure-report/
3. Recorded Future 2025 Identity Threat Landscape Report — https://www.recordedfuture.com/blog/identity-trend-report-march-blog
4. IBM Cost of a Data Breach Report 2025 — https://www.ibm.com/reports/data-breach
5. Gen Threat Labs — Remus: 64-bit Variant of Lumma Stealer (2026) — https://www.gendigital.com/blog/insights/research/remus-64bit-variant-of-lumma-stealer
6. GBHackers — "Remus Infostealer Adopts Lumma-Style Browser Key Theft to Bypass App-Bound Encryption" (May 2026) — https://gbhackers.com/remus-infostealer-adopts-lumma/
7. Google Security Blog — "Protecting Cookies with Device Bound Session Credentials" (April 2026) — https://security.googleblog.com/2026/04/protecting-cookies-with-device-bound.html
8. Check Point Blog — "World Password Day 2026: Why 'Strong Passwords' Can't Save You" (May 2026) — https://blog.checkpoint.com/security/world-password-day-2026-why-strong-passwords-cant-save-you-from-ai-infostealers-and-the-telegram-underground/
9. Stingrai Research — "Compromised Credential Statistics 2026" (May 2026) — https://www.stingrai.io/blog/compromised-credential-statistics-2026
10. Chainalysis 2026 Crypto Crime Report (IAB on-chain payments) — https://www.chainalysis.com/reports/crypto-crime-report-2026/
11. Purple-Ops Ransomware Activity Tracker 2026 — https://purple-ops.io/blog/ransomware-tracker-2026
12. ENISA Threat Landscape 2025 — https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.