Telegram Network

PRISM - Stealer Logs

Flare has built the world’s most comprehensive dataset of stealer log data. Infostealer malware infects hosts and steals credentials saved in the browser, session cookies, and in many cases even takes a screenshot of the victim’s computer. This data is then packaged into a single file exfiltrated to the threat actors Command & Control (C2) infrastructure and typically distributed on public and private Telegram channels.

Aside from stolen credentials, session cookies and screenshots, basic information about the infected device are also available. They often include the infection date, stealer family that infected the device, geolocation of the computer,  operating system, username and anti-virus. By analyzing this data, this blog provides insights on the scope and impact of the infostealer malware landscape.

The data and visualizations presented on this webpage are based on information collected up until August 2024. These graphs are static and do not reflect real-time updates or recent developments. Any trends, insights, or conclusions should be interpreted with this timeframe in mind.

Stacked Area Infection Date

The timeline of stealer malware infections offers a great look into the evolution of the threat. Analyzing millions of stealer logs, we gain insights into how these stealers have proliferated over time. By examining infection dates from Flare’s stealer logs, we can trace the trajectory of various malware families over the last 5 years.

Malware Family Proportions: Redline's Dominance and the Rise of New Contenders

The dominance of Redline in our stealer logs is striking, accounting for nearly half (47.13%) of all infections. This widespread presence underscores Redline’s popularity among cybercriminals.

Geographic Footprint of Stealer Malware

The geolocation of infected devices provides an interesting perspective on the global impact of infostealer malwares. Using the geographical data of infected devices, we can identify the regions where each device was located.

A bubble map, which provides a representation of how infections are spread across the globe, is available below. The size of the bubbles is proportional to the number of infected devices. Top 10 countries per percentage of population infected are in black.

The absolute number of infections reveals that countries with larger populations, such as Brazil, India, and the USA, show the highest absolute numbers of infections. This aligns with the expectation that larger populations provide a greater pool of potential targets. However, the top ten list of countries by number of infected devices also includes some surprising entries.

OS Landscape in Stealer Logs: Windows Dominance

The distribution of infections across various OS versions highlights which systems are most commonly targeted by stealer malware. Waffle charts below provide a visual representation of this data, with each section representing an OS version and its relative share of the total infections.

Admins Beware: Insights into the Usernames of Infected Devices

Understanding the usernames associated with infected devices can provide insights into the infected environments. The word cloud below visualizes the most popular usernames from our stealer logs.  In a word cloud, the size of a word is proportional to the number of infected devices with that username.

The distribution of usernames among infected devices reveals several interesting trends:

  1. Generic Usernames:
    The most common username across infected devices is simply “user” appearing in 6.79% of cases. This username is followed by “pc” and “hp”.  These generic names are widespread and might suggest a lack of personalization in user accounts, which could indicate a variety of user scenarios.
  2. Admins:
    The username “admin” encompasses all variations of administrator usernames such as admin, Admin, administrator, administrador, administrateur …etc. Admin usernames were found in 1,878,430 instances—accounting for 4.82% of the total infected devices. Other notable usernames in the same category were variations of “IT” usernames, which were found on more than 10k infected devices.
  3. Brand-Specific Usernames:
    Usernames reflecting specific hardware brands like “dell” , “hp”, “lenovo” and “asus” make up a smaller portion of the dataset but still show notable presence. For example, “dell” accounts for 1.33% of the records, while “lenovo” is at 1.12%.

Antivirus Presence in Infected Devices: Windows Defender and Co.

Finally, anti-virus software found on infected devices shows a clear dominance of Windows Defender. On the left are the top 15 Antiviruses found in our stealer logs by percentage of infected devices in our logs. These top 15 represent broader categories, with each category aggregating all related antivirus products (e.g., all McAfee products are grouped under ‘McAfee’).

Try Flare for Free

Experience Flare for yourself and see why Flare is used by organization’s including federal law enforcement, Fortune 50, financial institutions, and software startups.
Start a Free Trial
4.9

“What used to take about 1500 hours to complete can now be done in 1 week. Flare allows me to empower junior analysts to do dark web investigations that were previously impossible, hence liberating bandwidth.

Senior Security Specialist at a MSSP

“Other solutions would present us with thousands of potential leaks which were impossible to work with for our small team, Flare was the only one that could successfully filter and prioritize data leaks with their 5-point scoring system.”

CTI Director at a Major North American Bank

“What used to take about 1500 hours to complete can now be done in 1 week. Flare allows me to empower junior analysts to do dark web investigations that were previously impossible, hence liberating bandwidth.”

Senior Security Specialist at a MSSP

“We audited dozens of different solutions and Flare was the only one making CTI easy and understandable for all, with the right data.”

Senior Advisor at a IT Services Industry