ISLAMABAD, June 19, 2026: More than one-third of infostealer malware infections begin when users open files directly from temporary browser folders, according to new research by Kaspersky Digital Footprint Intelligence (DFI), highlighting how user behavior continues to play a central role in credential theft and cyberattacks.

Contents

Temporary folders as the main infection source Advanced attack paths and system abuse Common attack methods and user risks Rising infostealer threat Cybersecurity recommendations

The study, based on analysis of 5 million infostealer log files discovered on the dark web in 2025, found that compromised data often includes login credentials, browser cookies, and system metadata extracted from infected devices. The findings show that many infections originate from routine user actions rather than highly sophisticated hacking techniques.

Temporary folders as the main infection source

According to Kaspersky researchers, approximately 35% of observed infections were linked to files executed from the Windows temporary directory (C:\Users\AppData\Local\Temp), a location commonly used by browsers to store downloaded files before users save them manually.

The report said infections often occur when users directly launch downloaded files without verifying their source or content.

Advanced attack paths and system abuse

The second most common infection source, accounting for around 32% of cases, was linked to the C:\Windows\Microsoft.NET\Framework\ directory. This path is associated with more advanced techniques such as process injection and “living off the land” attacks, where malware abuses legitimate system processes to avoid detection.

Kaspersky noted that such methods are typically used by more sophisticated infostealer variants, including families like Lumma.

Common attack methods and user risks

The analysis found that infections are frequently tied to risky user behavior, including downloading software from untrusted sources and installing pirated or modified applications.

In several cases, malicious files were disguised as software installers, game modifications, or activation tools, often encouraging users to disable security protections before execution.

Rising infostealer threat

Kaspersky Digital Footprint Intelligence expert Sergey Shcherbel said infostealer infections increased by 59% in 2025 compared to the previous year, adding that attackers often rely on users executing malicious files rather than advanced exploitation techniques.

He said many infections occur simply because users run downloaded files immediately without verifying them.

Cybersecurity recommendations

Kaspersky advises users and organizations to avoid downloading software from unofficial sources, refrain from using pirated or cracked applications, and maintain updated security software across all devices.

It also recommends using dedicated password managers and avoiding storage of sensitive data in unsecured locations such as photo galleries or notes applications.

Also Read: Manufacturing Sector Faces Rising Cybersecurity Threats as Industrial Cyberattacks Increase in 2026, Kaspersky Reports