Detecting credential-stealing malware with AhnLab MDS (web browsers, email, FTP)
2024-01-24 • AhnLab • Detection of account information stealing malware using AhnLab MDS (web browser, email, FTP)
AhnLab describes how credential-stealing malware abuses saved login data in browsers, email clients, FTP tools, VNC software, and Outlook, and how its MDS sandbox detects that behavior even when file signatures are unknown. The report covers commodity stealers such as AgentTesla and Lokibot, then ties the same credential access pattern to DPRK-linked APT cases. Andariel used a TigerRAT-installed stealer to dump credentials from Chrome, Firefox, Internet Explorer, Opera, Naver Whale, and Outlook, while Kimsuky paired custom malware such as AppleSeed and AlphaSeed with an infostealer that collected browser credentials, cookies, and history into JSON files. AhnLab frames credential theft as an enabling step for lateral movement, network takeover, and internal data theft.
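The behaviour-based detection the report attributes to MDS can be sketched as a simple rule over sandbox file-access events: a process that reads the saved-credential stores of applications it does not belong to is flagged, and touching several application families at once is the commodity-stealer pattern. The following Python is an added illustration, not AhnLab's code; the store locations are well-known defaults, the owner list and the sample events are constructed assumptions.

```python
"""Flag processes that read other applications' saved-credential stores.

Modelled on the sandbox approach the report describes; the events below are
constructed for illustration and the owner mapping is an assumption.
"""
import re
from dataclasses import dataclass

# Well-known saved-credential stores, grouped by application family.
CREDENTIAL_STORES = {
    "browser": [r"\\User Data\\[^\\]+\\Login Data$",          # Chromium family (Chrome, Edge, Whale)
                r"\\Firefox\\Profiles\\[^\\]+\\logins\.json$",
                r"\\Firefox\\Profiles\\[^\\]+\\key4\.db$"],
    "email":   [r"\\Thunderbird\\Profiles\\[^\\]+\\logins\.json$"],
    "ftp":     [r"\\FileZilla\\(sitemanager|recentservers)\.xml$"],
}

# Processes that legitimately open each family's store (assumed list).
OWNERS = {
    "browser": {"chrome.exe", "msedge.exe", "firefox.exe", "whale.exe"},
    "email":   {"thunderbird.exe"},
    "ftp":     {"filezilla.exe"},
}


@dataclass
class FileEvent:
    process: str   # image name of the process performing the access
    path: str      # file path accessed
    op: str        # "read" or "write"


def classify(path: str):
    """Return the credential-store family a path belongs to, or None."""
    for family, patterns in CREDENTIAL_STORES.items():
        if any(re.search(p, path, re.IGNORECASE) for p in patterns):
            return family
    return None


def detect_stealer(events):
    """Map each non-owner process to the sorted families it read from."""
    hits = {}
    for ev in events:
        family = classify(ev.path)
        if family is None or ev.op != "read":
            continue
        if ev.process.lower() in OWNERS[family]:
            continue                       # the application reading its own store
        hits.setdefault(ev.process, set()).add(family)
    return {proc: sorted(fams) for proc, fams in hits.items()}


SAMPLE_EVENTS = [  # constructed sandbox log
    FileEvent("chrome.exe", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data", "read"),
    FileEvent("updater.exe", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data", "read"),
    FileEvent("updater.exe", r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\logins.json", "read"),
    FileEvent("updater.exe", r"C:\Users\u\AppData\Roaming\FileZilla\sitemanager.xml", "read"),
    FileEvent("notepad.exe", r"C:\Users\u\Documents\notes.txt", "read"),
]
```

A real sandbox would also correlate the read with the dropper's parent process and any outbound connection that follows it; this rule covers only the file-access half of that pattern.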