Detecting malware that steals web browser account credentials using AhnLab EDR
2024-03-14 • AhnLab • Detection of malware that steals web browser account information using AhnLab EDR
AhnLab describes browser credential theft behavior by infostealers and includes a DPRK-relevant Andariel example. The Andariel-built command line tool targeted Chrome, Firefox, Internet Explorer, Opera, and Naver Whale, printed the extracted credentials to the console, and was likely paired with a backdoor that relayed the results to C2. The report frames browser-saved credentials as useful for later movement within a victim environment because attackers can read and decrypt login data from browser profile files. AhnLab also compares this behavior with common infostealers such as AgentTesla, LokiBot, SnakeKeylogger, and RedLine, noting that EDR can detect the credential access behavior even when the malware is packed or injected into a normal process.
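The credential-access behavior the report describes, a process other than the browser reading a browser's saved-login store, can be expressed as a simple file-access detection. The following is an added example and not code from AhnLab or the report; the event format, the sample telemetry, the expected browser image names and the profile-path conventions are all assumptions:

```python
"""Added example (not from the AhnLab report): flag file-open events in which a
process other than the owning browser reads a browser saved-login store.
Event format, sample events and path conventions are assumptions."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Saved-login stores of the browsers the report names.
# Each entry: (path-tail regex, set of process images expected to open it).
# The path conventions are the commonly known ones and are assumed here.
CREDENTIAL_STORES = {
    "Chrome":  (re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I), {"chrome.exe"}),
    "Whale":   (re.compile(r"\\Naver\\Naver Whale\\User Data\\[^\\]+\\Login Data$", re.I), {"whale.exe"}),
    "Opera":   (re.compile(r"\\Opera Software\\Opera [^\\]+\\Login Data$", re.I), {"opera.exe"}),
    "Firefox": (re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I), {"firefox.exe"}),
}


@dataclass
class FileOpenEvent:
    timestamp: str
    pid: int
    image: str    # full path of the process image that opened the file
    target: str   # file that was opened


def parse_event(line: str) -> FileOpenEvent:
    """Parse one constructed 'timestamp|pid|image|target' log line."""
    ts, pid, image, target = line.strip().split("|", 3)
    return FileOpenEvent(ts, int(pid), image, target)


def classify_target(path: str) -> Optional[str]:
    """Return the store name if path is a known saved-login store, else None."""
    for name, (pattern, _) in CREDENTIAL_STORES.items():
        if pattern.search(path):
            return name
    return None


def detect(lines: Iterable[str]) -> list[dict]:
    """Return one alert per event where a non-owning process opened a store."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        store = classify_target(ev.target)
        if store is None:
            continue
        image_name = ev.image.rsplit("\\", 1)[-1].lower()
        if image_name in CREDENTIAL_STORES[store][1]:
            continue   # the owning browser reading its own store is expected
        alerts.append({"timestamp": ev.timestamp, "pid": ev.pid,
                       "image": ev.image, "store": store, "target": ev.target})
    return alerts


# Constructed sample events (not real telemetry): one legitimate Chrome read,
# four reads by a dropped executable, one cross-browser read, one unrelated file.
SAMPLE_EVENTS = [
    r"2024-03-14T09:00:01|4120|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2024-03-14T09:00:07|5312|C:\Users\alice\AppData\Local\Temp\update.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2024-03-14T09:00:08|5312|C:\Users\alice\AppData\Local\Temp\update.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x7q2.default-release\logins.json",
    r"2024-03-14T09:00:09|5312|C:\Users\alice\AppData\Local\Temp\update.exe|C:\Users\alice\AppData\Local\Naver\Naver Whale\User Data\Default\Login Data",
    r"2024-03-14T09:00:10|5312|C:\Users\alice\AppData\Local\Temp\update.exe|C:\Users\alice\AppData\Roaming\Opera Software\Opera Stable\Login Data",
    r"2024-03-14T09:01:00|4120|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x7q2.default-release\logins.json",
    r"2024-03-14T09:02:00|2200|C:\Windows\System32\notepad.exe|C:\Users\alice\Desktop\notes.txt",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['timestamp']} pid={a['pid']} {a['image']} read {a['store']} store: {a['target']}")
```

The rule allowlists only the browser that owns each store, so a browser process reading a different browser's store is still flagged. Its limit is exactly the case the report raises about injection into a normal process: code injected into chrome.exe that reads Chrome's own store is invisible to a pure image-name allowlist, which is why an EDR has to correlate the file access with the process's origin, its memory state and any network activity that follows.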