BIPI

Infostealers Are Most Of Your Credential Theft Problem

Threat Intelligence

RedLine, Lumma, Vidar, and a long tail of clones generate billions of credentials annually. Logs sold on markets carry session cookies that bypass MFA. Defense requires treating browsers as security boundaries.

By Arjun Raghavan, Security & Systems Lead, BIPI · February 20, 2024 · 7 min read

#malware #infostealer #endpoint #threat-intelligence

An incident at a fintech client started with a Slack notification: "Hey, this email looks weird." The email was an OAuth consent prompt the user had not initiated, on an account they believed was protected by hardware MFA. Investigation traced the access to a session cookie stolen from the user's personal laptop a week earlier by Lumma Stealer, packaged into a log, sold on Russian Market for $12, and replayed by a buyer who walked straight past MFA because the cookie represented an already-authenticated session.

Infostealer malware is the unglamorous workhorse of modern credential theft. There is no zero-day, no nation-state attribution, no clever lateral movement. There is a user who installed a cracked Adobe plugin or a fake Notion app or a malicious Chrome extension, and 90 seconds later their entire browser credential vault, session cookies, crypto wallets, Discord tokens, and saved passwords are sitting in a 4 MB zip on a criminal's server.

The current ecosystem

The dominant families through 2025 and into 2026 have been Lumma, RedLine (whose operation was disrupted, though variants persist), Vidar, StealC, and Raccoon. Distribution is via cracked software, malvertising on Google search results for popular tools, fake browser updates, malicious Chrome extensions, and increasingly via SEO-poisoned GitHub repos. The operators are independent: they buy the stealer as malware-as-a-service for $100 to $500 per month, run their own distribution, and sell the resulting logs on markets like Russian Market or via Telegram channels.

A typical log contains: every saved browser password, every active session cookie, autofill data including credit cards and addresses, crypto wallet files, Telegram and Discord session files, screenshots from the moment of compromise, and system fingerprinting data. Logs sell for $1 to $30 depending on freshness and the value of the targets visible inside (corporate domains, banking sessions, exchange accounts).

Why MFA is not enough

The session cookie is the weak point. Once you have authenticated to your bank, your Microsoft 365, your Okta, or your AWS console, the browser holds a cookie that proves you are authenticated for that session. MFA happened at login, not on every request, and most MFA implementations do not re-prompt for established sessions. An attacker who steals that cookie and replays it from a similar fingerprint walks straight in.

  • Lumma logs we have analyzed contain corporate session cookies for SaaS apps in roughly 30 to 40 percent of consumer-segment victims.
  • Time between log generation and use averages under 7 days; cookies are usually still valid.
  • Buyers specifically search logs by domain ("any logs with okta.example.com cookies") to target specific organizations.
  • Personal devices are the dominant infection vector; the corporate impact comes from password reuse and BYOD browser sync.

Defense in three layers

Endpoint controls reduce the chance that the stealer executes at all. EDR with proper behavioral detection (script-based execution chains, browser process injection, suspicious child processes from explorer.exe) catches a meaningful fraction. The bigger lift is application allowlisting via WDAC or AppLocker, which is operationally expensive but effectively kills most consumer-grade infostealer execution.
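One way to express the behavioral rules above (script-based execution chains and suspicious children of explorer.exe) as detection logic over process-creation telemetry. This is an added example, not BIPI's tooling or any EDR vendor's rule set. The event shape (pid, ppid, image path, command line, user) mirrors what Sysmon-style process-creation logs carry; the rules, their weights, the threshold, and the constructed sample chain (a fake installer in Downloads handing off to a hidden PowerShell) are assumptions. Browser process injection is deliberately not modeled, since it needs memory or API telemetry rather than process events.

```python
"""Score process-creation chains for infostealer-style execution.

Added example, not BIPI's or any EDR vendor's rule set. The event fields mirror
what Sysmon-style process-creation telemetry carries (pid, ppid, image path,
command line, user); the rules, weights, threshold, and the sample chain are
constructed assumptions.
"""
import re
from dataclasses import dataclass

# Interpreters and LOLBins that a dropped script or installer typically hands off to.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
}
# Paths a user (or a browser download) can write to without admin rights.
USER_WRITABLE = re.compile(r"\\(?:Downloads|Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)
# Arguments that hide a console or skip profile/policy: rarely typed by a person.
HIDING_ARGS = re.compile(r"(?:-enc\w*|-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b)", re.IGNORECASE)
THRESHOLD = 3


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str
    user: str


@dataclass(frozen=True)
class Finding:
    pid: int
    score: int
    chain: str      # ancestry, root first, e.g. "explorer.exe > setup.exe > powershell.exe"
    reasons: tuple


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: dict, max_depth: int = 6) -> str:
    """Walk ppid links upward and render the chain root-first for the analyst."""
    names, cur = [], ev
    while cur is not None and len(names) < max_depth:
        names.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return " > ".join(reversed(names))


def suspicious_cmdline(cmdline: str) -> bool:
    """Hidden/encoded flags, or a script/payload fed from a user-writable path."""
    return bool(HIDING_ARGS.search(cmdline) or USER_WRITABLE.search(cmdline))


def score_events(events):
    """Apply the three rules to every event; return findings at or over THRESHOLD."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue  # no parent in the batch: nothing to chain against
        child, par = basename(ev.image), basename(parent.image)
        score, reasons = 0, []
        # R1: a binary that itself lives in Downloads/Temp spawning an interpreter
        #     (the "fake Notion app" pattern: installer runs, then hands off to a script)
        if child in SCRIPT_HOSTS and USER_WRITABLE.search(parent.image):
            score += 3
            reasons.append("script host spawned by binary in user-writable path")
        # R2: interpreter launched straight from the shell with hiding flags or a
        #     user-writable script (a double-clicked .js/.hta looks like this)
        if par == "explorer.exe" and child in SCRIPT_HOSTS and suspicious_cmdline(ev.cmdline):
            score += 3
            reasons.append("script host from explorer.exe with suspicious arguments")
        # R3: any interpreter with hiding/encoding flags or a temp-path payload
        if child in SCRIPT_HOSTS and suspicious_cmdline(ev.cmdline):
            score += 2
            reasons.append("hidden/encoded interpreter or user-writable payload")
        if score >= THRESHOLD:
            findings.append(Finding(ev.pid, score, ancestry(ev, by_pid), tuple(reasons)))
    return findings


# Constructed sample: a fake "NotionSetup.exe" from Downloads launches a hidden
# PowerShell; a double-clicked script from Downloads; plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", "alice"),
    ProcEvent(200, 100, r"C:\Users\alice\Downloads\NotionSetup.exe", "NotionSetup.exe", "alice"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -nop -File C:\Users\alice\AppData\Local\Temp\stage.ps1", "alice"),
    ProcEvent(400, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe", "alice"),
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe", "alice"),
    ProcEvent(700, 100, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\alice\Downloads\invoice.js", "alice"),
]

if __name__ == "__main__":
    for f in score_events(SAMPLE_EVENTS):
        print(f"pid={f.pid} score={f.score} chain={f.chain}")
        for r in f.reasons:
            print("   -", r)
```

The user who opens a PowerShell console from the Start menu (pid 500 in the sample) scores zero, which is the point of weighting on arguments and parent path rather than on the interpreter alone; in a real deployment the weights and the user-writable path list are what you tune against your own baseline of installer and helpdesk activity.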

Browser hardening matters more than people give it credit for. Enforce browser policies via MDM that disable the built-in password manager (forcing use of the corporate password manager), disable credential autofill in personal browsers used for work, disable sync to personal Google or Apple accounts on managed devices, and manage extensions aggressively via an allowlist. The browser is now a security perimeter; treat it that way.
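The browser policies described above, expressed as a policy audit for Chrome (an added example, not BIPI's tooling; Safari and Firefox take different policy keys and are not covered). The policy names are Chrome's enterprise policy names as I know them (PasswordManagerEnabled, AutofillCreditCardEnabled, AutofillAddressEnabled, SyncDisabled, BrowserSignin, ExtensionInstallBlocklist, ExtensionInstallAllowlist); check them against the current Chrome policy list before deploying, since your MDM delivers these as a managed policy file, a profile, or registry values. The allowlisted extension id is a placeholder.

```python
"""Audit a Chrome enterprise policy set against the browser-hardening baseline
described in the post. Added example, not BIPI's tooling; the policy names are
Chrome's enterprise policy names as the author of this example knows them and
should be checked against the current Chrome policy list. The allowlisted
extension id is a placeholder.
"""
import json

# Baseline: what each key must be set to on a managed browser, and why.
BASELINE = {
    "PasswordManagerEnabled": (False, "built-in vault off; corporate password manager instead"),
    "AutofillCreditCardEnabled": (False, "no card data for a stealer to dump"),
    "AutofillAddressEnabled": (False, "no autofill profiles for a stealer to dump"),
    "SyncDisabled": (True, "no sync of passwords/cookies to a personal Google account"),
    "BrowserSignin": (0, "0 = browser sign-in disabled; prevents personal-account linkage"),
}

# Placeholder extension id (Chrome ids are 32 chars a-p); substitute the real ones.
PLACEHOLDER_EXTENSION_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"


def hardened_policy(allowed_extensions=(PLACEHOLDER_EXTENSION_ID,)) -> dict:
    """The corrected configuration: every baseline key set, extensions deny-by-default."""
    policy = {key: value for key, (value, _why) in BASELINE.items()}
    policy["ExtensionInstallBlocklist"] = ["*"]                     # block everything ...
    policy["ExtensionInstallAllowlist"] = list(allowed_extensions)  # ... except these
    return policy


def audit_policy(policy: dict) -> list:
    """Return one finding string per deviation from the baseline; empty means compliant.

    Unset keys count as failures: Chrome's defaults (password manager on, sync
    allowed, any extension installable) are the weak setting.
    """
    findings = []
    for key, (want, why) in BASELINE.items():
        have = policy.get(key)
        if have != want:
            findings.append(f"{key}: expected {want!r}, found {have!r} ({why})")
    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        # An allowlist without a wildcard blocklist is a no-op: users can still
        # install anything that is not explicitly listed.
        findings.append("ExtensionInstallBlocklist: expected ['*'] so the allowlist is deny-by-default")
    return findings


def render_managed_policy(policy: dict) -> str:
    """JSON in the shape of a Chrome managed policy file (for example a file under
    /etc/opt/chrome/policies/managed/ on Linux; Windows and macOS take the same
    keys via registry values or an MDM profile)."""
    return json.dumps(policy, indent=2, sort_keys=True)


# Constructed samples: a browser left at defaults, a half-done allowlist, and the baseline.
WEAK_POLICY = {"PasswordManagerEnabled": True, "SyncDisabled": False}
HALF_POLICY = dict(hardened_policy())
del HALF_POLICY["ExtensionInstallBlocklist"]   # allowlist present but nothing blocked

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("half", HALF_POLICY), ("hardened", hardened_policy())):
        print(f"{name}: {len(audit_policy(pol))} finding(s)")
        for f in audit_policy(pol):
            print("  -", f)
    print(render_managed_policy(hardened_policy()))
```

The half-hardened sample is the mistake seen most often in practice: an allowlist is pushed, nobody pushes the wildcard blocklist, and every extension remains installable. Auditing the rendered policy from the endpoint (rather than the MDM's intent) is what catches it.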

Identity controls close the back door. Session token binding (Microsoft Conditional Access with Continuous Access Evaluation, or the equivalent in other IdPs), short session lifetimes for high-privilege apps, and reauthentication on sensitive actions (token issuance, OAuth consent, MFA changes) all reduce the value of a stolen cookie. Phishing-resistant MFA (FIDO2, WebAuthn) helps when the attacker has to log in fresh, but does nothing against a cookie that has already been taken.

The personal device problem

The hardest conversation is BYOD. The infostealer infection happens on the user's personal laptop where they signed into work email "just to check." You did not have EDR there. You did not see the install. The first sign of trouble is a session replay against your environment from an IP and browser fingerprint that look plausible.

There is no clean solution. The options are: (1) eliminate BYOD for any access to corporate identity, which most orgs cannot enforce, (2) require enrollment in lightweight management that lets you verify device posture before issuing tokens, or (3) accept the risk and over-invest in identity-side detection. Most clients land on (2) for high-privilege access and (3) for everyone else, with the understanding that infostealer-driven incidents will continue to happen.
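The identity-side detection that option (3) leans on, and that the cookie-replay mechanism in "Why MFA is not enough" makes necessary, as an added example (not code from this post or from BIPI): a stolen session cookie replayed by a log buyer shows up in IdP activity logs as one session id active from two networks close together in time, or with a changed browser fingerprint. The event fields, the /24 "same network" heuristic, the six-hour window, the sensitive-action list, and the sample events (RFC 5737 documentation addresses) are all constructed assumptions, not any identity provider's schema.

```python
"""Flag likely replay of a stolen browser session cookie from IdP activity logs.

Added example, not code from the BIPI post. The event schema, the /24 "same
network" heuristic, the 6-hour window, and the sample events are constructed
assumptions, not any identity provider's real log format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network

# Actions where a replayed cookie does lasting damage (the OAuth consent in the
# opening incident is the canonical case). Assumed names, not a vendor's list.
SENSITIVE_ACTIONS = {"oauth_consent", "mfa_enroll", "token_issue", "password_change"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    session_id: str      # hash of the session cookie; never log the cookie itself
    ip: str
    user_agent: str
    action: str


@dataclass(frozen=True)
class Alert:
    user: str
    session_id: str
    severity: str        # "high" when the flagged request is a sensitive action
    reason: str
    previous: datetime   # last benign-looking use of the session
    observed: datetime   # the request that tripped the rule


def same_prefix(a: str, b: str, bits: int = 24) -> bool:
    """Rough 'same network' test: do two IPv4 addresses share a /bits prefix?

    Production logic should compare ASN or geolocation instead; /24 is only a
    stand-in that keeps this example self-contained.
    """
    return ip_network(f"{a}/{bits}", strict=False) == ip_network(f"{b}/{bits}", strict=False)


def detect_replay(events, window: timedelta = timedelta(hours=6)):
    """Return alerts for session ids used from two networks close together in
    time, or whose browser fingerprint changed mid-session.

    A stolen cookie replayed by a log buyer means the same session id is active
    on the victim's machine and on the buyer's; in the log that appears as the
    session hopping between networks within hours, which one laptop rarely
    does. A user-agent change on an established session is flagged regardless
    of timing: cookies do not migrate between browsers on their own.
    """
    last: dict[str, Event] = {}
    alerts: list[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.session_id)
        last[ev.session_id] = ev
        if prev is None:
            continue  # first sight of this session: establish the baseline
        reasons = []
        if prev.user_agent != ev.user_agent:
            reasons.append(f"user-agent changed {prev.user_agent!r} -> {ev.user_agent!r}")
        gap = ev.ts - prev.ts
        if not same_prefix(prev.ip, ev.ip) and gap <= window:
            reasons.append(f"network changed {prev.ip} -> {ev.ip} after {gap}")
        if reasons:
            severity = "high" if ev.action in SENSITIVE_ACTIONS else "medium"
            alerts.append(Alert(ev.user, ev.session_id, severity, "; ".join(reasons), prev.ts, ev.ts))
    return alerts


# Constructed sample log (RFC 5737 documentation addresses). alice's session s1
# is replayed from a second network with a copied user-agent; bob's s2 only
# moves within his home /24 and later travels after a gap longer than the window.
_UA = "Mozilla/5.0 (Macintosh) Chrome/121.0"
_T0 = datetime(2024, 2, 12, 9, 0)
SAMPLE_EVENTS = [
    Event(_T0, "alice", "s1", "203.0.113.10", _UA, "mail_read"),
    Event(_T0 + timedelta(minutes=40), "alice", "s1", "203.0.113.10", _UA, "mail_read"),
    Event(_T0 + timedelta(hours=2, minutes=15), "alice", "s1", "198.51.100.77", _UA, "oauth_consent"),
    Event(_T0 + timedelta(hours=2, minutes=20), "alice", "s1", "203.0.113.10", _UA, "mail_read"),
    Event(_T0, "bob", "s2", "203.0.113.20", _UA, "mail_read"),
    Event(_T0 + timedelta(hours=3), "bob", "s2", "203.0.113.30", _UA, "mail_read"),
    Event(_T0 + timedelta(hours=12), "bob", "s2", "192.0.2.5", _UA, "mail_read"),
]

if __name__ == "__main__":
    for a in detect_replay(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.user} session={a.session_id}: {a.reason}")
```

Note what the buyer's copied user-agent buys them: the fingerprint rule stays silent, and the only signal left is the session being active on two networks within the window. That is why the window matters more than the fingerprint check, and why mobile carriers, CGNAT and VPN egress changes are the false-positive sources to baseline first. Widening the window trades missed replays for noise; the sample shows bob's genuine travel tripping the rule once the window passes nine hours.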

Treat browsers as security boundaries, treat session cookies as credentials, and assume every employee has a personal device that will be compromised at some point in the next 24 months. Plan accordingly.
