
35 Percent of Infostealer Infections Originate from Browser Temp Folders


Bottom line: 35 percent of infostealer infections are triggered by downloads from browser temp folders because users execute downloaded files without verification.

A Kaspersky analysis shows that more than one in three infostealer infections in 2025 begin with the uncontrolled execution of files from Windows temp directories. For CISOs, this is an indication that basic user security must receive greater focus.

Kaspersky has investigated how infostealers infiltrate Windows systems in 2025. The result is telling: 35 percent of all observed infections began with the execution of files from the “AppData\Local\Temp” directory, which Windows uses for downloaded files. These infections do not result from technical exploits, but from users launching downloads directly without checking their origin.

A second common infection path accounts for approximately 32 percent of cases: here attackers use the “Microsoft.NET\Framework” directory and employ so-called living-off-the-land techniques, abusing legitimate Windows system components to execute malicious code and evade antivirus solutions. Known infostealer families such as Lumma rely on this method to stay undetected for longer. In parallel, criminals deliberately manipulate users into disabling security software or ignoring security warnings, a tactic that is significantly more effective than complex technical attacks.
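The two infection paths described above (a file executed out of the user's Temp directory, and a legitimate binary under the .NET Framework directory used to run malicious code) can be turned into a simple triage rule over process-creation telemetry. The following is an added example, not code from the article or from Kaspersky; the event records are constructed, the field names are an assumption loosely modelled on Sysmon Event ID 1 fields, and the correlation of a .NET Framework binary with a Temp-resident parent process is this example's own heuristic, not a finding from the report.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation events (not real telemetry). Field names
# "image" and "parent" are an assumption modelled on Sysmon Event ID 1.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe",
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\game_mod.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe"},
    {"image": r"C:\Program Files\7-Zip\7zFM.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# Path patterns for the two vectors named in the report.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DOTNET_RE = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\", re.IGNORECASE)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Label an event if it matches one of the report's infection paths."""
    image, parent = event["image"], event["parent"]
    if TEMP_RE.search(image):
        # Direct execution out of the user's Temp directory; flag whether a
        # browser spawned it, i.e. the "run the download straight away" case.
        label = "exec-from-temp"
        return label + ("-browser-child" if basename(parent) in BROWSERS else "")
    if DOTNET_RE.search(image) and TEMP_RE.search(parent):
        # Heuristic (assumption): a .NET Framework binary launched by a
        # Temp-resident process looks like living-off-the-land, whereas the
        # same binary under a developer tool is normal activity.
        return "dotnet-lolbin-from-temp"
    return None


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (file name, label) for every event that matches a rule."""
    hits = []
    for event in events:
        label = classify(event)
        if label:
            hits.append((basename(event["image"]), label))
    return hits
```

Running `triage(SAMPLE_EVENTS)` flags the Temp-launched installer and the InstallUtil.exe call, while the compiler started by Visual Studio and the archive tool started from Explorer are left alone.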

The infections themselves target high-value data: credentials, browser cookies, stored passwords and cryptocurrency wallets. The incidence has escalated dramatically: compared to 2024, infostealer infections increased by 59 percent in 2025.

Particularly problematic is the source of these infected files. Cracked software, illegal activation tools, unofficial installers and game modifications regularly serve as vectors for malware. Users download them deliberately because they expect to gain an advantage – and thereby accept the infection risk.

Kaspersky recommends that organizations source software exclusively from official sources, update systems regularly and consistently implement multi-factor authentication. At the same time, the report emphasizes: technical protection measures alone are insufficient. Without continuous user awareness and training, infostealers remain one of the most successful attack methods. For CISOs, this means treating user behavior as a security risk and prioritizing awareness programs accordingly.


Source: www.it-daily.net · Published 17 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
