From Cookies to Keys: Why Hackers Don’t Need Your Passwords Anymore
Published:
May 26, 2026


By:
Team Huntress

Key Takeaways

  • Passwords aren't the target anymore. Sessions are. Attackers have moved on. Instead of cracking credentials, they're stealing the session tokens and authentication cookies that prove you're already logged in. With a stolen token, attackers skip authentication entirely and slip in without triggering a single alert.

  • The infostealer economy made this cheap and fast. Logs containing valid session tokens for tools like Microsoft 365 or Slack sell for as little as $5 on dark web markets and as much as $500 for high-value targets. Modular add-ons like browser fingerprint bundles and password manager vaults let attackers stack access and maximize ROI. One raw log. One hour. Full environment access.

  • Defense requires a new mindset. MFA and perimeter security alone won't stop a session replay attack. Enforcing short-lived tokens and monitoring for anomalous session behavior close the gap between "authenticated" and "actually secure."


Between 2020 and 2025, cybercriminal tactics have evolved rapidly. The traditional model of stealing usernames and passwords has been replaced by a far more dangerous threat: session hijacking. 

Attackers now use infostealer malware to harvest browser session tokens and authentication cookies: digital keys that grant unauthorized access to email, cloud services, developer platforms, and critical infrastructure without passwords or triggering multi-factor authentication (MFA).

These session tokens and employee credentials are sold on dark web black markets. Then the stolen data is replayed using automation tools, which lets attackers bypass security controls, move laterally, and launch ransomware, extortion, or IP theft campaigns in under an hour.

So what does this shift mean? Traditional defenses like MFA and perimeter security aren’t enough. Organizations must treat session data as privileged access, implement short-lived tokens, and monitor for sketchy behaviors. 


What is session hijacking?

When you log in to a service, your browser saves a file—a cookie or token—that proves you’re authenticated. Session hijacking happens when attackers steal that file, letting them skip your login page completely and get inside as if they were you.

A stolen session token is like holding an active key to the victim’s account. Once authenticated, the attacker doesn’t need the original password, and because many services treat session cookies as valid proof of identity, MFA isn’t re-prompted, and no login alerts are triggered.

Think of it like losing your hotel key card: the thief doesn’t need to know your name or reservation number. The card itself is the access.


Here's the scary truth. Attackers are way smarter at getting initial access these days. That's the new reality we're facing with session hijacking. Hi. I'm Amelia, and I'm a security operations analyst within the Huntress SOC.

So what is session hijacking? Session hijacking is a stealthy initial access technique that uses stolen tokens to gain unauthorized access to users' accounts on websites or applications. It's a game changer because it means easier and faster access to targets.

What are session tokens? When you log in to a service, your browser saves a file, like a cookie or a token, that proves you're authenticated. These are session tokens, and they're valuable to cybercriminals.

Attackers have stolen session tokens. What does this mean for defenders? Session tokens give attackers full access to an account as long as the session is still active. Servers acknowledge session tokens as valid proof of identity, so password login alerts or MFA prompts aren't triggered. And if a user resets their password, it doesn't really matter, because lots of session tokens are still valid unless they're explicitly revoked or expired by security policies.

Let's see how a session hijacking attack works. Step one, a threat actor buys stolen session tokens from a dark web forum or steals tokens directly through phishing. Step two, here's when the session hijacking goes down. The attacker uses session replay, a technique that simulates an access request to the server that originally authenticated the stolen token. This swaps the attacker's session token with the stolen one from the infostealer logs. The attacker wants the server to think the activity is from the legitimate user. Step three, it does. Unfortunately, this attacker just scored a win. The server recognizes the token as the legitimate user in the same active session it was already authenticated. Login and authentication to the targeted account are completely bypassed, giving the attacker full access to your account.

In less than an hour, session hijacking gives attackers initial access to all kinds of environments, opening the door to silently roam your system and networks, steal your data, and launch bigger attacks like ransomware.

Summing things up, session hijacking is a stealthy initial access tactic. Attackers use stolen tokens to hijack user sessions, bypassing password logins and MFA. Session hijacking is sneakier and faster than traditional credential theft tactics, like phishing. Active sessions and stolen tokens are keys that unlock access to the victim's account and environment for a dangerous window of persistence. And that's how attackers hijack your sessions for initial access to your environment.

Why do attackers steal sessions?

As demand for stolen credentials surged between 2020 and 2025, driven by ransomware affiliates, initial access brokers, and even corporate espionage, infostealer developers rapidly adapted. 

Hackers now often use infostealer malware to grab tokens from browsers and apps. Instead of just collecting saved passwords, infostealers capture:

  • Session cookies from Google Workspace, Microsoft 365, Slack, and more

  • Developer tokens for GitHub, AWS, or CI/CD systems

  • Vault exports from password managers

Figure 1: Redline infostealer

And even if a user resets their password, many session tokens remain valid unless explicitly revoked or expired by security policies, giving attackers a dangerous window of persistence. This level of stealth often evades endpoint detection and response (EDR) tools, which are typically tuned to detect brute force, credential stuffing, or known malware signatures, not session replays using valid tokens.

That’s what makes session hijacking so dangerous: it exploits the very trust mechanisms modern authentication was designed to streamline.

Figure 2: Example of a Huntress incident report triggered by credential theft and malicious account takeover


How do attackers steal sessions?

So, how easy is a session hijack compromise? Here’s a realistic attack path—no phishing, no exploits:

  • Buy a log with credentials of the targeted organization

  • Run a replay session via automated tools

  • Bypass MFA (it most likely isn't re-prompted, given how applications treat existing sessions)

  • Browse internal systems or drop malware for persistence

  • Escalate to ransomware, extortion, or IP theft

Figure 3: Example Huntress incident report triggered by anomalous authentication activity indicative of potential session hijacking


What’s worse, the average cost of entry is cheap. 

Typical infostealer logs vary from around $5 to $25 each. There are several factors that determine the price:

  • Quality of the data—newer data sells for a premium

  • Geolocation of the victim 

  • Data type—VPN, admin panels, and cloud content cost more

Logs containing Fortune 500 credentials, valid Microsoft 365 sessions, or tokens for tools like Slack, Okta, or AWS can sell for $100 to over $500, depending on exclusivity. Slack tokens are especially valuable, as they were used in major 2023 breaches and now have dedicated marketplaces.

Top-tier initial access brokers (IAB) act as elite middlemen in cybercrime, obtaining high-value stolen credentials through infostealers or direct intrusions. They resell this curated access—often to ransomware affiliates, extortion groups, or espionage clients—for thousands of dollars per credential.

Figure 4: Average price of stolen credentials


What is the infostealer add-on market?

The infostealer and access economy has grown into a powerful ecosystem of modular tools and data packs ready for upsell, designed to maximize profit. Once a stealer log or compromised machine is harvested, sellers can bolt on additional services, tools, or specialized data dumps to scale their operations, deepen access, or tailor attacks to high-value targets.

Common add-ons include:

  • Discord Tokens: $5-$20 (depending on Nitro status or moderator/admin role)

  • Slack/Mattermost Tokens: $25-$75

  • Google Workspace / M365 Cookies: $50-$200+

  • GitHub Personal Access Tokens (PATs): $50-$300

  • AWS IAM Session Tokens: $100-$500

  • Cloudflare / Okta / PingIdentity Session Keys: $100-$800+

  • Browser fingerprint bundles to replay sessions without triggering security challenges (Price varies based on data)

Developer/DevOps Environment extracts include:

  • .env dumps from Node.js or React apps: $25 per file

  • Jenkins credential files: $100+

  • .npmrc and .pypirc (with publish tokens): $50-$100

  • .git-credentials, .aws/config, SSH private keys: $50-$300

  • Full .git folders (entire repo + commit history): $100+

Password manager vaults include:

  • 1Password export JSONs: $300-$1,000

  • Bitwarden vaults: $200-$700

  • KeePass databases (.kdbx): $100-$500

  • Browser vault exports (Chrome, Edge): $25-$75

Automation and verification services include:

  • Log Checkers (RedLine/Stealy validators): $100-$300

  • RDP Scanner Bots (auto-test credentials across IP ranges): $50/month

  • OpenBullet Configs (pre-built for Shopify, AWS, GitHub, etc.): $20-$150 each

  • Stealer deployment panels + crypting services: $200-$600 monthly

  • Telegram bots that sort logs into access types: ~$100

  • Company Lookups (Clearbit-style): tags logs with domain reputation or industry

  • Geo-IP Enrichments: locates the target geography

  • Credential Health Checks: flags MFA/2FA protection or recent login timestamps

  • Dark Web Cross-Reference Tools: identify if the target appears in other breaches


Attackers don't just watch your passwords anymore. They're buying all sorts of stolen access on the dark web to sneak into your accounts. My name is Adrian. I've been in the Huntress SOC for two years. I am a security operations analyst.

What is infostealer malware? Infostealer malware is a type of malicious software that collects credentials, financial information, and sensitive data from victims' endpoints. Historically, threat actors used infostealers to steal email and bank credentials, but the infostealer ecosystem is a lot more complex these days, targeting a wide range of credentials. We're talking about fast, sneaky access that bypasses login and MFA prompts in corporate environments: tokens, API keys, MFA keys, crypto wallets, and the list goes on.

What are infostealer logs? Infostealer logs are the raw bulk data collected by the malware. They're sold on underground marketplaces and private Telegram channels. The cost of the infostealer data varies depending on data quality, the victim's geolocation, and the data type. Typical logs go from five to twenty-five dollars. But logs with Fortune 500 domain credentials, valid Microsoft 365 sessions, Slack or Okta tokens, or access to developer tools range from a hundred to five hundred dollars.

What does this mean for defenders? Here's a look at some, but not all, hands-on-keyboard things threat actors can do with stolen infostealer data. They use stolen passwords for credential stuffing. They know people reuse passwords across accounts, so a ten-dollar set of credentials to one account might easily open the door to several others. They use stolen tokens to launch session-hijacking attacks, a form of dangerous persistent access. They target developer environments for immediate and deep access to corporate environments. They sell bundles of stolen credentials or add-on services and tools to other threat actors to increase their profit margin.

Summing this up, infostealer malware is an initial access technique that supports bigger attacks, including ransomware, extortion, and data theft. It collects credentials, financial information, and sensitive data from victims. Infostealer data often lets attackers bypass credential logins and MFA, especially in corporate environments, creating an unwanted window of persistence. And that's how infostealer malware exploits your endpoints and identities for profit and unauthorized access.

Upselling infostealer logs

IABs look to maximize their data and profits. A typical upsell flow example looks something like this: 

They purchase a raw infostealer log for about $10. It would likely be an unsorted and unverified dump containing Chromium browser history, cookies, saved passwords, localStorage data, autofill, and clipboard contents. These will come from infostealer groups or phishing-as-a-service groups.

Then they’ll run this through an automated or semi-automated system to parse the data, where they might find interesting content like these automated tooling tags:

  • Valid Slack token

  • .env file with PostgreSQL + Stripe keys

  • GitHub PAT (Personal Access Token)

  • .aws/credentials file with active IAM role

  • Session cookies for Google Workspace and Jira

The access broker may choose to sell at this point for a $200 to $400 profit. Or they might keep evaluating the data, which could contain login access that leads to even more unauthorized access, or merge it with data from other dumps they have purchased or accessed.

For example, let's say they gain access to a 1Password Export Vault with the following items: 

  • CRM (HubSpot)

  • SFTP server

  • Corporate email

  • Dev credentials and tokens

Now the initial access broker can package this into a "Developer Access Bundle" with the following items:

  • GitHub token

  • AWS session

  • CRM + email creds

  • Vault export

  • Valid Slack token

The target buyer audience is ransomware affiliates, extortion crews, and similar groups. The final resale price is over $1,000, which is a 10,000% ROI!

Figure 5: Example of the infostealer add-on process


Tools used by attackers, their functionality, and comparison

Attackers rely on specialized tools, each with distinct capabilities, to extract and exploit log data. They use tools like OpenBullet, StealyBot, or custom replay scripts to simulate logins, bypassing authentication in under an hour. This process enables rapid access to enterprise systems, often escalating to ransomware or data theft.

Figure 6: Comparison chart of session hijacking tools



Figure 7: Hackers use OpenBullet2 for credential stuffing and session replay


Mitigation strategies

To defend against session hijacking and replay attacks, the sections below outline strategies with detailed guidance on how to effectively mitigate specific attacker tools.

MFA

Why it works: While we discussed how MFA can be bypassed, it still provides a foundation for security. MFA adds an additional verification layer, like a mobile code or biometric data, making it harder for attackers to gain access even with valid session tokens. 

Mitigated attacker tools: 

  • OpenBullet: requires additional factors beyond stolen tokens

  • StealyBot: blocks access even with emulated fingerprints and custom scripts, which adds a barrier to session replay

Effectiveness: Considered essential, as it significantly raises the bar for attackers, even with stolen session data.

Short session lifetimes

Why it works: By reducing session duration, you limit the time an attacker has to use a stolen session token. If the session expires quickly, even if the attacker captures the token (e.g., via OpenBullet or StealyBot), it might already be invalid by the time they try to replay it. 

Mitigated attacker tools: 

  • OpenBullet: reduces the window for session replay

  • StealyBot: limits the usability of stolen browser profiles and custom scripts by shortening the effective period for replay attacks

Effectiveness: Research suggests this is highly effective against automated tools, as it forces attackers to act quickly, often before they can fully exploit the data.

Secure cookies

Why it works: Setting the Secure flag ensures cookies are only sent over HTTPS, preventing interception over unencrypted connections. The HttpOnly flag blocks client-side scripts from accessing cookies, mitigating Cross-site scripting (XSS) attacks. This aligns with OWASP recommendations for session security.

Mitigated attacker tools:

  • OpenBullet: prevents cookie theft via insecure channels

  • StealyBot: blocks access to cookies through client-side exploitation and custom scripts by reducing the ability to extract cookies insecurely

Effectiveness: Highly effective against tools relying on cookie theft, especially in environments with mixed HTTP/HTTPS usage.

Anomalous behavior monitoring

Why it works: Detects unusual patterns, like logins from different geographic locations or multiple failed attempts, and identifies potential hijacking attempts. This allows for immediate action, like forcing a logout or requiring re-authentication, as recommended by cybersecurity experts.

Mitigated attacker tools: 

  • OpenBullet: detects credential stuffing patterns

  • StealyBot: identifies unusual device fingerprint mismatches and custom scripts by flagging scripted login attempts

Effectiveness: Effective for real-time detection, especially in environments with advanced security information and event management (SIEM) systems.
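The short-lifetime, Secure/HttpOnly cookie, and anomaly-monitoring controls above, together with the password-reset revocation the article calls out earlier, as one worked example. This is added code, not Huntress's or any product's: the server-side session store, the 15-minute absolute and 5-minute idle lifetimes, and the client fingerprint made from User-Agent plus Accept-Language are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values; tune to the application's risk profile.
SESSION_TTL_SECONDS = 15 * 60        # absolute lifetime of a session token
IDLE_TIMEOUT_SECONDS = 5 * 60        # expire if unused for this long
SECRET_KEY = secrets.token_bytes(32) # per-process key for hashing stored tokens (assumption)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    client_fp: str    # fingerprint of the client the token was issued to
    country: str      # coarse geolocation at issuance (constructed label)
    revoked: bool = False


class SessionStore:
    """Server-side session store applying the mitigations discussed in the article."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock, so expiry can be tested
        self._sessions: dict[str, Session] = {}
        self.alerts: list[str] = []           # what a SIEM would ingest

    @staticmethod
    def fingerprint(user_agent: str, accept_language: str) -> str:
        # Coarse client fingerprint (assumption): enough to notice a token replayed
        # from a different browser profile or automation tool.
        return hashlib.sha256(f"{user_agent}|{accept_language}".encode()).hexdigest()[:16]

    def _key(self, token: str) -> str:
        # Store only a keyed hash: a dump of the store does not yield replayable tokens.
        return hmac.new(SECRET_KEY, token.encode(), "sha256").hexdigest()

    def issue(self, user: str, user_agent: str, accept_language: str, country: str) -> str:
        token = secrets.token_urlsafe(32)     # 256 bits of entropy, unguessable
        now = self._now()
        self._sessions[self._key(token)] = Session(
            user, now, now, self.fingerprint(user_agent, accept_language), country)
        return token

    @staticmethod
    def set_cookie_header(token: str) -> str:
        # Secure: HTTPS only. HttpOnly: no script access (limits XSS theft).
        # SameSite=Strict: never sent on cross-site requests. The __Host- prefix makes
        # the browser require Secure, Path=/ and no Domain attribute.
        return (f"__Host-session={token}; Path=/; Secure; HttpOnly; SameSite=Strict; "
                f"Max-Age={SESSION_TTL_SECONDS}")

    def validate(self, token: str, user_agent: str, accept_language: str,
                 country: str) -> tuple[bool, str]:
        s = self._sessions.get(self._key(token))
        if s is None or s.revoked:
            return False, "unknown or revoked"
        now = self._now()
        if now - s.created > SESSION_TTL_SECONDS:
            return False, "expired (absolute)"
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            return False, "expired (idle)"
        # Anomaly check: a valid token arriving from a different client fingerprint or
        # country than it was issued to is the signature of session replay. Revoke it,
        # alert, and force re-authentication rather than silently accepting.
        if self.fingerprint(user_agent, accept_language) != s.client_fp or country != s.country:
            s.revoked = True
            self.alerts.append(f"session replay suspected for {s.user}: client/geo mismatch")
            return False, "anomaly: re-authentication required"
        s.last_seen = now
        return True, "ok"

    def revoke_all_for_user(self, user: str) -> int:
        """Call on password reset or compromise: tokens must not outlive the credential
        they were issued under. Returns the number of sessions revoked."""
        count = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                count += 1
        return count
```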


User education

Why it works: Users aware of phishing tactics and security practices are less likely to fall victim to attacks that lead to session hijacking, like clicking malicious links or downloading infected attachments. 

Mitigated attacker tools: Prevents initial compromise through social engineering tactics, which is often the first step in obtaining session tokens or credentials.

Effectiveness: Critical for reducing the attack surface, especially in environments with remote workforces.


Canary credentials

Why it works: Canary credentials are fake or decoy credentials placed in systems to detect unauthorized access. If an attacker uses these credentials, it triggers an alert, indicating a breach.

Mitigated attacker tools: 

  • OpenBullet: detects credential testing

  • StealyBot: flags unauthorized profile use and custom scripts by identifying scripted attempts with Canary data

Effectiveness: Highly effective for early detection, especially in environments with high credential exposure risks.
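The canary idea above as a small detection, added here and not Huntress's own tooling: decoy credentials are seeded in the places infostealers harvest (a browser password store, an .aws/credentials file, a .env file), and any authentication event naming one of them is an alert because no legitimate workflow uses them. The JSON-per-line auth log format, the decoy values and the sample events are all constructed.

```python
import json

# Decoy values -> where each was planted. All constructed placeholders, never real secrets.
CANARY_CREDENTIALS = {
    "svc-backup-legacy@example.com": "browser saved passwords on workstation WS-042",
    "AKIA0000CANARY0000EX": ".aws/credentials on developer host DEV-017",
    "ghp_canaryPLACEHOLDER0000000000000000": ".env on developer host DEV-017",
}

# Constructed sample auth log (JSON per line; the field names are an assumption).
SAMPLE_AUTH_LOG = """\
{"ts": "2025-06-01T09:12:04Z", "event": "login", "principal": "alice@example.com", "src": "203.0.113.10", "result": "success"}
{"ts": "2025-06-01T09:40:51Z", "event": "login", "principal": "svc-backup-legacy@example.com", "src": "198.51.100.77", "result": "failure"}
not-json: a malformed line that the parser must skip rather than crash on
{"ts": "2025-06-01T09:41:03Z", "event": "api_key_use", "principal": "AKIA0000CANARY0000EX", "src": "198.51.100.77", "result": "success"}
{"ts": "2025-06-01T10:02:19Z", "event": "login", "principal": "bob@example.com", "src": "203.0.113.22", "result": "success"}
"""


def parse_auth_log(text: str) -> list[dict]:
    """Parse JSON-per-line auth events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_canary_use(events: list[dict]) -> list[dict]:
    """Every event whose principal is a planted decoy is an alert.

    A failed login with a canary username still counts: it shows the decoy was
    harvested and is being tested, which is exactly what credential checkers do.
    A successful use (e.g. a decoy API key) is rated critical."""
    alerts = []
    for e in events:
        principal = e.get("principal", "")
        if principal not in CANARY_CREDENTIALS:
            continue
        alerts.append({
            "ts": e.get("ts"),
            "src": e.get("src"),
            "principal": principal,
            "planted_at": CANARY_CREDENTIALS[principal],
            "result": e.get("result"),
            "severity": "critical" if e.get("result") == "success" else "high",
        })
    return alerts


def sources_to_contain(alerts: list[dict]) -> list[str]:
    """Distinct source addresses that touched a canary: the starting point for
    blocking, and for revoking sessions from the host where the decoy was planted."""
    return sorted({a["src"] for a in alerts if a.get("src")})
```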

Figure 8: Mitigation strategies to defend against session hijacking 


The bottom line

Passwords aren’t the main prize anymore—sessions are. Attackers don’t need to trick your employees into handing over credentials when they can just buy or steal their way in.

By handling session data as sensitive information, enforcing shorter-lived tokens, and monitoring for anomalies, organizations can stay ahead of this evolving threat.

Interested in a deeper dive into infostealers and session hijacking? Check out The Rise of Infostealers and Session Hijacking. 
