
Infostealer Threat Report, March 2026: Key Figures and Trends from Stealed

Jason Moreau
Co-founder & CEO

In March 2026, Stealed indexed 3.27 billion lines of compromised credentials from infostealer logs, a 14% increase compared to February. This surge is largely attributable to intensified distribution campaigns via Telegram and the emergence of new stealer variants originating from Chinese-language threat actors. This monthly report synthesizes proprietary data collected by our platform to help security teams adjust their monitoring priorities.

How many stolen credentials were detected in March 2026?

Our collection infrastructure processed an average of 108 million new credential lines per day throughout March, with a peak of 142 million on March 17. This peak coincided with the simultaneous publication of several massive archives across Russian-language and Chinese-language Telegram channels.

Across the full month, the data breaks down as follows:

| Indicator | Value | Change vs. February |
| --- | --- | --- |
| Credential lines indexed | 3.27 billion | +14% |
| Unique logs processed | 18.4 million | +9% |
| Distinct root domains affected | 4.1 million | +11% |
| Infected machines identified (HWID) | 6.8 million | +17% |
| Telegram channels monitored | 1,247 | +63 |
| Average daily volume | 108M lines/day | +12% |

The number of infected machines identified by hardware ID (HWID) increased by 17%, indicating a genuine acceleration in the rate of new infections rather than simply a redistribution of older data.

Which infostealer families dominate the landscape in March 2026?

The infostealer ecosystem remains dominated by five families that together account for 87% of the logs collected by Stealed this month. The distribution, however, has shifted notably.

| Family | Log share (March) | Log share (February) | Trend |
| --- | --- | --- | --- |
| LummaC2 | 31.4% | 28.7% | Rising |
| RedLine | 22.1% | 24.3% | Declining |
| Raccoon v2 | 15.8% | 16.1% | Stable |
| Vidar | 10.3% | 9.8% | Slightly rising |
| StealC | 7.6% | 5.9% | Sharply rising |
| Other | 12.8% | 15.2% | Declining |

LummaC2 has consolidated its position as market leader for the third consecutive month. Its ability to bypass Chromium cookie encryption protections and its decentralized distribution model make it the tool of choice for high-volume operators. We observed 14 new loader variants during the month.

RedLine, once the dominant family, continues its relative decline. The coordinated law enforcement operation conducted in late 2024 against its infrastructure continues to have lasting effects, though independent forks maintain significant activity.

StealC shows the most notable progression of the month, gaining 1.7 percentage points in a single month. Positioned as the technical successor to Vidar, this stealer is gaining popularity thanks to frequent updates and a lower price point than its competitors (approximately $75 per month).

Which countries are most affected by infostealer infections?

The geographic distribution of infected machines, based on IP address analysis within the logs, reveals persistent concentrations in specific regions.

| Rank | Country | Infection share | Change |
| --- | --- | --- | --- |
| 1 | India | 14.7% | +1.2 pp |
| 2 | Brazil | 12.3% | +0.8 pp |
| 3 | United States | 11.9% | -0.3 pp |
| 4 | Indonesia | 7.2% | +0.5 pp |
| 5 | France | 5.4% | +0.2 pp |
| 6 | Germany | 4.8% | -0.1 pp |
| 7 | Turkey | 4.1% | +0.4 pp |
| 8 | Mexico | 3.6% | +0.3 pp |
| 9 | Russia | 3.2% | -0.7 pp |
| 10 | Vietnam | 2.9% | +0.1 pp |

India and Brazil remain at the top of the rankings, driven by rapidly growing device fleets, widespread use of pirated software, and still-limited EDR adoption on workstations.

The United States holds third place with 11.9% of infections. For US-based organizations, this translates to approximately 809,000 compromised machines in March alone, a substantial number of which are identifiable as corporate endpoints through their enterprise domain names.

Russia’s decline in the rankings (-0.7 percentage points) is explained by the more systematic deployment of geofencing mechanisms in newer stealer variants, confirming that many operators explicitly protect machines located in CIS countries.

Which industries are most heavily targeted?

By cross-referencing compromised domains with industry classification databases, Stealed identifies the sectors most represented in March’s log data.

Finance and banking (22.3% of targeted domains). The financial sector remains the primary target. Credentials linked to online banking portals, trading platforms, and payment services are the most valued on cybercriminal marketplaces. We identified compromised credentials affecting 73% of the 50 largest European banks.

Technology and SaaS (18.7%). Access to cloud administration consoles (AWS, Azure, GCP), development tools (GitHub, GitLab, Jira), and SaaS platforms represents a constantly growing category. A single log containing session tokens for a production cloud environment can grant unauthorized access to an organization’s entire infrastructure.

Healthcare (11.2%). Healthcare organizations are particularly vulnerable due to aging IT infrastructure and still-low adoption of multi-factor authentication on line-of-business systems. Stolen healthcare data commands premium prices on dark web markets.

Education and research (8.9%). Universities and research institutions are disproportionately affected, primarily because student populations make heavy use of pirated software and personal device security policies are often nonexistent.

Two major trends stand out from the March 2026 data.

Telegram as the dominant distribution channel

Telegram has established itself as the primary distribution channel for infostealer logs, surpassing traditional dark web forums. In March, 68% of new data collected by Stealed came from Telegram channels, up from 54% in December 2025.

This migration is driven by several factors: speed of dissemination, lack of effective moderation, the ability to create ephemeral channels, and automation through Telegram bots that allow buyers to search for and purchase specific logs in real time. The business model is evolving toward subscription-based access, with some channels offering monthly plans between $200 and $500 for unlimited access to fresh logs.

To understand how these stolen credentials are then compiled and weaponized, see our article on combo lists and credential stuffing.

The emergence of Chinese-language stealers

A significant trend observed since January 2026 is the appearance of stealer families developed by Chinese-speaking threat actors. Historically dominated by Russian-speaking developers, the infostealer ecosystem is now seeing projects documented in Mandarin, distributed through Chinese-language forums and messaging applications.

In March, we identified three new stealer families (provisionally designated JADE-01, JADE-02, and JADE-03) with distinct characteristics: specific targeting of Chinese browsers (QQ Browser, 360 Browser, Sogou), exfiltration to infrastructure hosted in Southeast Asia, and obfuscation techniques that differ from those typically observed in Russian-language stealers. These families still represent less than 2% of total volume, but their growth trajectory warrants close monitoring.

What should security teams do now?

Based on the March 2026 data, Stealed offers the following recommendations for security teams.

Prioritize credential exposure monitoring. Prevention alone is no longer sufficient. With 108 million new credential lines indexed every day, the probability that someone in your organization has been compromised increases every week. A real-time monitoring solution is now essential.
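The core of exposure monitoring is the cross-referencing step the methodology section describes: reduce each leaked credential line to its root domain and match it against the domains you own. The following Python is an added example written for this report's readers; it is not Stealed's code and does not reflect how the platform parses logs. The credential lines, the monitored domains and the tiny public-suffix table are all constructed for the example (a real matcher should use the full Public Suffix List). It matches in two directions: credentials for sites on your domains, and your corporate email addresses reused on third-party sites, which is the case the "identity" kind catches. Passwords are discarded at parse time so the monitoring tool never retains them.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample credential lines in the url:login:password layout that
# infostealer dumps commonly use. None of these are real credentials.
SAMPLE_LINES = [
    "https://mail.example.com/login:alice@example.com:REDACTED1",
    "https://sso.example.co.uk/auth:bob:REDACTED2",
    "http://intranet.corp-example.net:8080/:carol:REDACTED3",
    "https://shop.unrelated.org/account:dave:REDACTED4",
    "https://shop.unrelated.org/account:frank@example.com:REDACTED5",
    "android://abc123==@com.example.app/:erin:REDACTED6",
    "garbage line without separators",
]

# Root domains the defending organisation has registered for monitoring
# (hypothetical names).
MONITORED_DOMAINS = {"example.com", "example.co.uk", "corp-example.net"}

# Deliberately tiny stand-in for the Public Suffix List; a production matcher
# must use the real list, otherwise "example.co.uk" collapses to "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "com.au"}


def root_domain(host):
    """Return the registrable root domain of a hostname, or None."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_line(line):
    """Split url:login:password into (host, login); the password is dropped.

    Splitting from the right keeps the scheme's '://' and any ':port' intact.
    Logins or passwords that themselves contain ':' are a known limitation.
    """
    parts = line.rsplit(":", 2)
    if len(parts) != 3:
        return None
    url, login, _password = parts
    host = urlsplit(url).hostname
    if not host:
        return None
    return host, login


def find_exposures(lines, monitored):
    """Match each line against monitored root domains in two ways:
    - 'service': the stolen credential is for a site on a monitored domain
    - 'identity': a monitored-domain email address was used on a third-party site
    """
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, login = parsed
        service_rd = root_domain(host)
        if service_rd in monitored:
            hits.append({"kind": "service", "domain": service_rd, "host": host, "login": login})
        if "@" in login:
            identity_rd = root_domain(login.rsplit("@", 1)[1])
            if identity_rd in monitored and identity_rd != service_rd:
                hits.append({"kind": "identity", "domain": identity_rd, "host": host, "login": login})
    return hits


def summarise(hits):
    """Count hits per monitored domain and kind, e.g. {'example.com': {'service': 1, 'identity': 1}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for h in hits:
        summary[h["domain"]][h["kind"]] += 1
    return {d: dict(k) for d, k in summary.items()}


if __name__ == "__main__":
    found = find_exposures(SAMPLE_LINES, MONITORED_DOMAINS)
    for hit in found:
        print(hit)
    print(summarise(found))
```

On the constructed input this yields three service hits and one identity hit (a corporate address used on an unrelated shop), and the malformed line is skipped rather than raising. The identity match is the one most teams miss: the third-party site is not yours, but the password its user chose may be the same one they use on your SSO portal, which is the reset you want to force first.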

Strengthen defenses against LummaC2. Update EDR signatures to detect the latest LummaC2 variants. Watch for characteristic behaviors: abnormal access to Chromium browser profile files, network communications to algorithmically generated domains (DGA), and process execution from temporary directories.
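The three behaviours listed above are more useful correlated per process than fired as three independent alerts, since a browser legitimately reads its own profile files and CDN hostnames can look random on their own. The following Python is an added example, not Stealed's detection logic and not a LummaC2 signature: it encodes each behaviour as a simple rule over constructed endpoint telemetry (the event layout, process paths and domains are this example's own inventions) and raises the severity when a single process trips more than one rule. The DGA heuristic looks only at the registrable label (length, Shannon entropy, vowel ratio); the thresholds are assumptions to tune against your own DNS baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed endpoint telemetry (not real EDR output). Each event names the
# process that performed it; the Temp-dir executable is the hypothetical infection.
EVENTS = [
    {"type": "process_start", "process": r"C:\Users\u\AppData\Local\Temp\Setup_Crack.exe"},
    {"type": "file_read", "process": r"C:\Users\u\AppData\Local\Temp\Setup_Crack.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "process": r"C:\Users\u\AppData\Local\Temp\Setup_Crack.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "dns", "process": r"C:\Users\u\AppData\Local\Temp\Setup_Crack.exe",
     "query": "xk3j9fq2mzv7.top"},
    {"type": "file_read", "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "dns", "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query": "www.example.com"},
    {"type": "process_start", "process": r"C:\Windows\System32\svchost.exe"},
]

# Files inside a Chromium profile that hold saved logins, cookies and the wrapped key.
CHROMIUM_SECRET_FILES = {"login data", "cookies", "web data", "local state"}
# Processes expected to touch those files. Name matching alone is weak (an implant
# can call itself chrome.exe); production rules should also check signer and image path.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def basename(path):
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def is_dga_like(domain):
    """Heuristic on the registrable label only: long, high-entropy, vowel-poor.
    Thresholds are assumptions chosen for this example."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2 or not labels[-2]:
        return False
    label = labels[-2]
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return len(label) >= 10 and shannon_entropy(label) >= 3.2 and vowel_ratio <= 0.25


def rule_hits(event):
    """Return the set of behaviour rules a single event triggers."""
    hits = set()
    proc = basename(event["process"])
    if event["type"] == "file_read":
        path = event["path"].lower()
        if ("\\user data\\" in path and basename(path) in CHROMIUM_SECRET_FILES
                and proc not in BROWSER_PROCESSES):
            hits.add("chromium_profile_access")
    elif event["type"] == "process_start":
        if any(m in event["process"].lower() for m in TEMP_MARKERS):
            hits.add("temp_dir_execution")
    elif event["type"] == "dns":
        if is_dga_like(event["query"]):
            hits.add("dga_like_dns")
    return hits


def detect(events):
    """Correlate rule hits per process; two or more distinct rules -> high severity."""
    per_process = defaultdict(set)
    for ev in events:
        per_process[ev["process"]] |= rule_hits(ev)
    alerts = []
    for proc, rules in per_process.items():
        if rules:
            alerts.append({"process": proc, "rules": sorted(rules),
                           "severity": "high" if len(rules) >= 2 else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run on the constructed telemetry, only the Temp-dir process is reported, with all three rules and high severity; chrome.exe reading its own Login Data and resolving an ordinary domain produces nothing. Each rule on its own is noisy, which is exactly why the correlation step is the part worth porting into your SIEM rather than the individual matches.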

Audit cloud environment access. The growth of SaaS and cloud credentials in stolen logs makes regular auditing of session tokens, API keys, and admin console access indispensable. Reduce session lifetimes and enable alerts for logins from unusual locations.
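The three controls in this recommendation (session lifetime, stale API keys, logins from unusual locations) can be checked from exported sign-in and key-inventory data without any vendor-specific tooling. The following Python is an added example and not part of this report's data or Stealed's platform: the event records, field names, thresholds and key identifiers are all constructed for the example and deliberately do not mirror CloudTrail or Entra ID schemas, so map the fields to your own export. The location check builds each user's baseline from earlier sign-ins only, which means a brand-new account is never flagged on its first record; seed such baselines from HR data.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Policy thresholds (hypothetical values; tune to your own baseline).
MAX_SESSION = timedelta(hours=8)
MAX_KEY_AGE = timedelta(days=90)
NOW = datetime(2026, 3, 28, tzinfo=timezone.utc)

# Constructed, simplified sign-in records. Field names are this example's own,
# not those of any cloud provider's audit log.
EVENTS = [
    {"user": "alice", "time": "2026-03-02T08:00:00Z", "country": "FR", "event": "console_login", "session_s": 3600},
    {"user": "alice", "time": "2026-03-05T09:10:00Z", "country": "FR", "event": "console_login", "session_s": 3600},
    {"user": "alice", "time": "2026-03-17T03:45:00Z", "country": "BR", "event": "console_login", "session_s": 43200},
    {"user": "bob", "time": "2026-03-10T10:00:00Z", "country": "DE", "event": "assume_role", "session_s": 129600},
    {"user": "bob", "time": "2026-03-11T10:00:00Z", "country": "DE", "event": "console_login", "session_s": 3600},
]

# Constructed API key inventory; the ids are placeholders, not real key formats.
API_KEYS = [
    {"user": "carol", "key_id": "key-placeholder-old", "created": "2025-11-01T00:00:00Z"},
    {"user": "alice", "key_id": "key-placeholder-new", "created": "2026-03-01T00:00:00Z"},
]


def parse_time(s):
    # fromisoformat accepts a trailing 'Z' only on recent Pythons, so normalise it
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def audit_session_lifetimes(events, max_session=MAX_SESSION):
    """Sessions (console or role assumption) requested for longer than policy allows."""
    return [{"user": e["user"], "event": e["event"], "time": e["time"], "session_s": e["session_s"]}
            for e in events if timedelta(seconds=e["session_s"]) > max_session]


def audit_unusual_locations(events):
    """Flag a sign-in from a country the user has never signed in from before."""
    seen = defaultdict(set)
    findings = []
    for e in sorted(events, key=lambda e: parse_time(e["time"])):
        if seen[e["user"]] and e["country"] not in seen[e["user"]]:
            findings.append({"user": e["user"], "time": e["time"], "country": e["country"],
                             "baseline": sorted(seen[e["user"]])})
        seen[e["user"]].add(e["country"])
    return findings


def audit_key_age(keys, now=NOW, max_age=MAX_KEY_AGE):
    """Long-lived keys older than the rotation policy."""
    return [{"user": k["user"], "key_id": k["key_id"], "age_days": (now - parse_time(k["created"])).days}
            for k in keys if now - parse_time(k["created"]) > max_age]


def run_audit(events=EVENTS, keys=API_KEYS):
    return {"long_sessions": audit_session_lifetimes(events),
            "unusual_locations": audit_unusual_locations(events),
            "stale_keys": audit_key_age(keys)}


if __name__ == "__main__":
    for section, findings in run_audit().items():
        print(section)
        for f in findings:
            print("  ", f)
```

On the constructed data the audit reports two over-long sessions (a 12-hour console session and a 36-hour role session), one sign-in from a country outside the user's baseline, and one API key well past the 90-day rotation window. A session token lifted from a stealer log is only useful to the buyer for as long as the session stays valid, which is why the lifetime finding matters as much as the location one.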

Educate users on distribution vectors. Distribution campaigns through YouTube (fake crack tutorials), Discord (attachments in gaming servers), and Telegram (fake applications) remain the primary infection vectors. Targeted awareness campaigns for the most exposed user populations significantly reduce risk.

Start monitoring your domains. Create a Stealed account to monitor your domains in real time for appearances in infostealer logs. Our platform detects and indexes leaks within minutes of publication, allowing you to respond before credentials are exploited.

Methodology

This report is based on data collected and indexed by the Stealed platform between March 1 and March 28, 2026. The figures presented reflect unique credential volumes detected across monitored sources (Telegram channels, cybercriminal forums, dark web marketplaces). Stealer family identification relies on log structure analysis, metadata inspection, and characteristic signatures of each family. Geographic data is extracted from IP addresses present in the logs. Industry percentages are calculated by cross-referencing compromised root domains with industry classification databases.

The next Stealed threat report will be published in early May 2026.

Jason Moreau

Co-founder & CEO

CEO and co-founder of Stealed, Jason brings business vision and offensive security expertise to drive the threat detection strategy.
