They often treat the infection as a single endpoint event, when the real risk is credential theft plus session abuse plus follow-on access. A stealer with RAT and loader functions can move from data theft to persistent control very quickly. That means containment must include token revocation, account review, and endpoint triage together.
Why Security Teams Misread Infostealers with Remote Access
Security teams often classify these cases as ordinary endpoint malware, but the operational reality is broader: an infostealer can harvest browser cookies, API keys, saved passwords, and active sessions, while a remote access component turns that theft into hands-on control. The mistake is assuming the endpoint is the blast radius when the real blast radius includes identities, sessions, and downstream systems.
This is why NHI Management Group treats stolen secrets as an identity event, not just a device event. The 52 NHI Breaches Analysis shows how frequently identity material, not just malware execution, becomes the durable foothold. The same pattern appears in the Ultimate Guide to NHIs, where credential exposure, over-privilege, and weak monitoring compound each other. OWASP’s Non-Human Identity Top 10 reinforces the same point: once credentials are exposed, the identity lifecycle becomes the attacker’s path of least resistance.
One useful signal from recent research is that lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, which is a strong reminder that persistence often comes from stale access rather than sophisticated exploitation. In practice, many security teams discover the remote-access portion only after the stolen sessions have already been reused for lateral movement.
How Infostealer and RAT Chains Work in Practice
These campaigns usually unfold in stages. First, the infostealer extracts browser-stored secrets, tokens, and cookies from the workstation. Then the remote access payload, loader, or secondary implant uses those artefacts to bypass traditional login flows, because the attacker no longer needs to authenticate as a user in the normal sense. The compromise may look like a successful sign-in, a trusted browser session, or even a legitimate API call.
That is why incident response has to combine endpoint triage with identity containment. A practical sequence is:
- Revoke active sessions, refresh tokens, and OAuth grants immediately.
- Reset credentials only after session paths are closed, otherwise the attacker may retain access.
- Review privilege assignments, mailbox rules, cloud console activity, and any exposed service accounts.
- Correlate endpoint telemetry with identity logs to identify reuse of stolen tokens or cookies.
- Check for secondary persistence such as scheduled tasks, browser extension abuse, or remote access tools.
For identity-centric controls, the SonicWall VPN Mass Breach via Stolen Credentials is a reminder that stolen credentials often become a repeatable access channel, not a one-time login event. NIST SP 800-53 Rev. 5 supports this posture through access control, audit, and incident response requirements, especially when identity proof, session assurance, and logging need to be treated as a single control plane. These controls tend to break down when legacy VPNs or shared admin accounts still accept long-lived sessions because token revocation cannot fully invalidate the attacker’s foothold.
Where the Standard Response Breaks Down
Tighter containment often increases operational overhead, requiring organisations to balance rapid revocation against user disruption and false positives. That tradeoff gets harder in environments with unmanaged endpoints, personal devices, or SaaS sprawl, where attackers can reuse tokens faster than the security team can perform a full asset review.
Best practice is evolving, but current guidance suggests treating any infostealer with remote access as a probable identity spill. That means the response scope should include cloud accounts, browser sessions, federated logins, and non-human identities that may have been reachable from the same device. This is especially important in environments where admins use the same workstation for browsing and privileged access, because a single browser profile can expose both human and machine credentials.
The Microsoft SAS Key Breach and SAP SQL Anywhere Monitor Hardcoded Credentials both illustrate the same operational lesson: once a secret is exposed, the attacker does not need to keep “malware access” alive if the credential path remains valid. Current guidance suggests prioritising revocation and privilege review over endpoint cleanup alone, because cleanup without identity remediation leaves the original access path intact.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Stolen secrets and sessions are NHI exposure paths that need lifecycle control. |
| OWASP Agentic AI Top 10 | Remote access payloads behave like autonomous tooling using stolen identity material. | |
| CSA MAESTRO | Maps to runtime control of autonomous access chains and escalation paths. | |
| NIST AI RMF | GOVERN | Identity spill response needs clear accountability and decision ownership. |
| NIST CSF 2.0 | PR.AC-1 | Access control is central when stolen sessions are reused for persistence. |
Inventory exposed identities, revoke compromised credentials, and remove stale secret paths quickly.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org