SOCRadar® Cyber Intelligence Inc. | How to Investigate a Stealer Log: From Raw Data to Incident Response
Mar 13, 2026
14 Mins Read
Moon

How to Investigate a Stealer Log: From Raw Data to Incident Response

Information-stealing malware, commonly known as “infostealers,” is a class of stealthy, specialized malicious programs engineered to covertly collect sensitive data from infected devices. Unlike noisy attacks like ransomware, infostealers operate quietly in the background to harvest valuable data such as saved passwords, active session cookies, autofill data, cryptocurrency wallet keys, and system metadata. Once this information is collected, the malware compiles the loot into a stealer log, typically a structured ZIP archive or folder containing easily searchable text files and databases.

Stealer logs matter immensely to organizations because they provide attackers with a ready-made toolkit to bypass modern security perimeters. A single stealer log can expose dozens of corporate credentials and active session cookies, enabling threat actors to seamlessly impersonate employees.

These logs are the lifeblood of initial access. Stealer logs are sold in bulk on Dark Web marketplaces and Telegram channels, where Initial Access Brokers (IABs) hunt for high-value corporate logins. Once corporate access is found, it is repackaged and sold to various threat actors. The link between stealer infections and major breaches is undeniable: according to the 2024 Verizon DBIR, stolen credentials were involved in 80% of data breaches.

Traditional incident response, simply finding the malware and wiping the infected device, is no longer sufficient because the stolen credentials and session tokens remain valid and actively traded on the Dark Web. The purpose of this blog is to explain how security analysts move from the discovery of raw stealer logs to executing a comprehensive, identity-centric incident response.

Initial Triage: First Steps in Log Investigation

When a security team discovers a stealer log containing corporate credentials, the investigation must begin with a rapid and systematic triage to understand the scope of the compromise. Because infostealers exfiltrate data quickly, initial triage dictates the speed and effectiveness of the subsequent response.

You can start your investigation by checking your organization’s domain or email domain to see exposed stealer logs

The presence of corporate data in a stealer log does not automatically guarantee that a new or targeted breach has occurred. Threat actors frequently compile stealer logs from multiple sources and timeframes, sometimes injecting fake, manipulated, or outdated information to increase the file size and attract potential buyers. Analysts must first verify the authenticity and recency of the log, keeping in mind that older credentials may belong to closed accounts or have already been reset, rendering them obsolete.

To understand where the infection originated, responders must examine the victim’s OS version, hardware IDs, machine name, and username. By correlating this machine name, IP address, and username with internal asset inventories, security teams can definitively identify the compromised employee, pinpoint the exact infected device, and determine the user’s privilege level within the organization.

Establishing the timeline of the compromise is critical for scoping the investigation. Analysts should look for the extraction date or timestamp recorded in the log’s metadata. This timestamp is used to establish a definitive “Risk Window,” allowing security teams to search internal telemetry such as VPN access records, Azure Sign-in logs, or SSO authentications for any suspicious activity occurring after the exact moment of infection.
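Establishing the risk window in code, as an added Python example that is not part of the original post. It assumes a "Log date: DD.MM.YYYY HH:MM:SS" line in the log's system-info file (layouts vary by family) and constructed sign-in records in JSON-lines form with user, time, ip, country, app and result fields; it builds a pre-infection baseline for the exposed user, flags post-infection sign-ins from new IPs or countries, and goes one step further with the near-concurrent sign-in check that the response section later recommends.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed: the date line pulled from the log's system-info file. The layout
# is assumed; stealer families write it in several different formats.
LOG_DATE_LINE = "Log date: 12.03.2026 14:05:33"

# Constructed sign-in telemetry (one JSON record per line) for the exposed user.
SIGNIN_LOG = """\
{"user":"jdoe@example.com","time":"2026-03-10T08:02:11Z","ip":"198.51.100.7","country":"DE","app":"VPN","result":"success"}
{"user":"jdoe@example.com","time":"2026-03-12T13:40:02Z","ip":"198.51.100.7","country":"DE","app":"M365","result":"success"}
{"user":"jdoe@example.com","time":"2026-03-12T16:55:41Z","ip":"203.0.113.44","country":"BR","app":"M365","result":"success"}
{"user":"jdoe@example.com","time":"2026-03-12T17:01:09Z","ip":"198.51.100.7","country":"DE","app":"M365","result":"success"}
{"user":"asmith@example.com","time":"2026-03-12T17:30:00Z","ip":"203.0.113.44","country":"BR","app":"M365","result":"success"}
"""

def parse_log_date(line):
    """Parse 'Log date: DD.MM.YYYY HH:MM:SS' (assumed layout) as a UTC datetime."""
    stamp = line.split(":", 1)[1].strip()
    return datetime.strptime(stamp, "%d.%m.%Y %H:%M:%S").replace(tzinfo=timezone.utc)

def load_signins(text):
    """Load JSON-lines sign-in records and convert their timestamps to datetimes."""
    rows = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
    return rows

def risk_window_findings(signins, user, infected_at, baseline_days=30):
    """Successful sign-ins for `user` after infection from an IP or country not seen
    in the pre-infection baseline. Each finding is (time, ip, app, reasons)."""
    baseline = [r for r in signins if r["user"] == user and r["result"] == "success"
                and infected_at - timedelta(days=baseline_days) <= r["time"] < infected_at]
    known_ips = {r["ip"] for r in baseline}
    known_countries = {r["country"] for r in baseline}
    findings = []
    for r in signins:
        if r["user"] != user or r["result"] != "success" or r["time"] < infected_at:
            continue
        reasons = [tag for tag, seen in (("new-ip", r["ip"] in known_ips),
                                         ("new-country", r["country"] in known_countries)) if not seen]
        if reasons:
            findings.append((r["time"].isoformat(), r["ip"], r["app"], reasons))
    return findings

def concurrent_countries(signins, user, window=timedelta(hours=1)):
    """Consecutive successful sign-ins for `user` from different countries within `window`."""
    rows = sorted((r for r in signins if r["user"] == user and r["result"] == "success"),
                  key=lambda r: r["time"])
    return [(a["country"], b["country"], b["time"].isoformat()) for a, b in zip(rows, rows[1:])
            if a["country"] != b["country"] and b["time"] - a["time"] <= window]
```

The baseline deliberately excludes everything after the extraction timestamp, so an attacker's first sign-in cannot "teach" the check that their IP is normal.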

The most crucial step in triage is determining exactly what corporate doors the attacker can unlock. Analysts should parse the files to filter for internal corporate domains, critical SaaS applications, and Single Sign-On (SSO) or Identity Provider (IdP) endpoints.

Credential Analysis

Once a stealer log is discovered and initially triaged, the investigation moves into deep credential analysis. Both defenders and cybercriminals meticulously parse the extracted data to identify the most valuable assets. Understanding how to analyze these credentials is key to determining the true risk posed by an infection.

When you detect a log related to your organization, you can click on it for further investigation and check the details of the leaked credentials

In large stealer log dumps, manual review is nearly impossible, so analysts and attackers alike rely on automated parsing and keyword scanning to detect valuable targets. The primary goal is to filter the files for company-specific domains, internal system URLs, and privileged usernames.

Security teams should specifically hunt for Single Sign-On (SSO) and Identity Provider (IdP) endpoints. A log containing credentials or session cookies for these domains must be treated as a critical priority, as it grants broad access to the corporate ecosystem and often warrants immediate incident response containment.

Not all stolen credentials carry the same weight. Threat actors actively mine logs for specific, high-value accounts that enable deeper infiltration, financial theft, or ransomware deployment:

  • Email platforms: Corporate email credentials are a primary target because they provide a reliable foothold for insider reconnaissance, privilege escalation, and Business Email Compromise (BEC) attacks.
  • Cloud services: As enterprises shift to the cloud, credentials and session tokens for platforms like Microsoft 365, Google Workspace, AWS, and Azure have become top targets. A single infected developer’s machine could yield AWS console keys, providing attackers with the keys to the entire corporate infrastructure.
  • VPN portals: Stolen Virtual Private Network (VPN) credentials allow attackers to completely bypass external perimeter defenses and log directly into corporate networks as an employee. Stealers are explicitly designed to hunt for VPN configuration files and credentials for tools like OpenVPN, NordVPN, and ProtonVPN.
  • Developer tools: Access to tools like Jira, GitHub, Slack, and CI/CD pipelines poses an immense risk of intellectual property theft and supply chain compromise. For example, the HellCat Ransomware group successfully breached major organizations in 2025 by exploiting Jira credentials originally harvested by an infostealer.
  • Financial services: Logs containing banking portal credentials, credit card data, and cryptocurrency wallet keys are heavily prized by financially motivated attackers. Attackers use this data to execute direct fraudulent transfers or drain digital assets.

One of the most dangerous elements revealed during credential analysis is human behavior, specifically widespread password reuse. This behavior blurs the line between personal and corporate risk. When employees use unmanaged personal devices for work (BYOD), infostealers frequently capture both their personal and corporate logins. If an employee uses the same password for a consumer entertainment app as they do for their corporate VPN, a breach of the low-security personal app instantly exposes the corporate network.

During analysis, security teams can calculate the frequency of password usage across a user’s exposed accounts to identify these reuse patterns. If password reuse is detected, resetting the compromised corporate password alone is insufficient; teams must enforce a complete credential reset across all systems to ensure the attacker cannot pivot using known password variations.
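The domain filtering, SSO/IdP prioritization and password-reuse check described in this section, as an added Python example that is not part of the original post. It assumes a RedLine-style "URL / Username / Password" text layout (other families differ, so the regular expression is the part to adapt), an assumed company domain example.com and an assumed list of IdP hosts; reused passwords are reported by a short hash fingerprint so the report never carries plaintext.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in a RedLine-style layout; other families differ, so ENTRY_RE is the part to adapt.
SAMPLE_PASSWORDS_TXT = """\
URL: https://login.microsoftonline.com/common/oauth2/authorize
Username: jdoe@example.com
Password: Winter2024!

URL: https://vpn.example.com/remote/login
Username: jdoe
Password: Winter2024!

URL: https://www.streamingsite.example/account
Username: jdoe@gmail.com
Password: Winter2024!
"""
CORPORATE_DOMAINS = {"example.com"}  # assumed: the organization's own domains
# Assumed: SSO / IdP hosts; a hit here is the top priority in triage
IDP_HOSTS = {"login.microsoftonline.com", "example.okta.com", "adfs.example.com"}
ENTRY_RE = re.compile(
    r"URL:[ \t]*(?P<url>\S+)\nUsername:[ \t]*(?P<user>[^\n]*)\nPassword:[ \t]*(?P<pw>[^\n]*)")

def parse_entries(text):
    """Return (host, username, password) tuples for each entry in the dump."""
    return [((urlparse(m["url"]).hostname or "").lower(), m["user"].strip(), m["pw"])
            for m in ENTRY_RE.finditer(text)]

def is_corporate(host, user):
    """True if the host, or the e-mail domain in the username, belongs to the company."""
    user_domain = user.rsplit("@", 1)[-1].lower() if "@" in user else ""
    return any(host == d or host.endswith("." + d) or user_domain == d for d in CORPORATE_DOMAINS)

def classify(entries):
    """Bucket entries as critical (SSO/IdP), corporate (company assets) or other."""
    buckets = {"critical": [], "corporate": [], "other": []}
    for host, user, _pw in entries:
        key = "critical" if host in IDP_HOSTS else "corporate" if is_corporate(host, user) else "other"
        buckets[key].append((host, user))
    return buckets

def fingerprint(password):
    """Short SHA-256 prefix so that reports never carry the plaintext password."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]

def password_reuse(entries):
    """Fingerprint of every password seen on more than one host, with those hosts."""
    hosts = defaultdict(set)
    for host, _user, pw in entries:
        hosts[fingerprint(pw)].add(host)
    return {fp: sorted(h) for fp, h in hosts.items() if len(h) > 1}
```

A non-empty `password_reuse` result for a user is the signal that the reset must cover every listed host, not only the corporate one.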

Cookie and Session Token Analysis

Stolen credentials provide attackers with a path into corporate networks, but stolen session cookies represent a far more immediate and dangerous threat. As organizations increasingly adopt robust authentication controls, threat actors also focus on harvesting and exploiting active session tokens to bypass these defenses entirely.

If you want to analyze the whole infection process and gather more information, you can also view the summary of the attack, file insights, cookie analysis, and a detailed view of the URLs from the victim device

Why Are Cookies Valuable to Attackers, and What Are the Session Hijacking Risks?

A web session refers to the active interaction between a user and a web application, maintained by a unique session ID stored in the browser’s cookies. These cookies act as a temporary digital “key” that verifies a user’s identity after they have successfully logged in.

Because these tokens represent an already-authenticated state, stolen session cookies allow attackers to completely bypass Multi-Factor Authentication (MFA). In a technique known as a “Pass-the-Cookie” attack, adversaries extract the decrypted cookies from the victim’s machine and use them directly. By doing so, the application server believes the attacker is the legitimate user who has already passed the MFA challenge, granting them seamless, undetected access.

Once a session is hijacked, attackers can move laterally to access collaboration tools (like Slack or Teams), developer environments (like Jira or GitHub), and sensitive cloud storage (like SharePoint).
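The cookie analysis this section calls for, as an added Python example that is not part of the original post: it parses the Netscape cookies.txt layout found in many dumps, decides from the on-disk expiry whether each cookie is already expired, still live, or a browser-lifetime session cookie with no expiry, and builds a revocation worklist for an assumed list of high-risk hosts. Sample cookies, names and values are constructed; the analysis time is fixed so the result is reproducible.

```python
from datetime import datetime, timezone

# Constructed sample in the Netscape cookies.txt layout used by many dumps:
# domain, include-subdomains flag, path, secure flag, expiry (Unix epoch),
# name, value. Names and values are made up; curl-style "#HttpOnly_" prefixes
# are handled because they otherwise look like comments.
SAMPLE_COOKIES_TXT = """\
# Netscape HTTP Cookie File
.example.okta.com\tTRUE\t/\tTRUE\t1767225600\tsid\tREDACTED_SESSION_1
#HttpOnly_.slack.com\tTRUE\t/\tTRUE\t1735689600\tsession\tREDACTED_SESSION_2
login.microsoftonline.com\tFALSE\t/\tTRUE\t0\tauth\tREDACTED_SESSION_3
.streamingsite.example\tTRUE\t/\tFALSE\t1893456000\tuid\tREDACTED_4
"""
# Assumed: hosts where a live cookie equals a hijackable corporate session
HIGH_RISK_HOSTS = {"example.okta.com", "login.microsoftonline.com", "slack.com"}
# Fixed analysis time (2025-06-01 UTC) so the result is reproducible
ANALYSIS_EPOCH = int(datetime(2025, 6, 1, tzinfo=timezone.utc).timestamp())

def parse_cookies(text):
    """Return one dict per cookie line; comments and malformed lines are skipped."""
    cookies = []
    for line in text.splitlines():
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue  # malformed line: skip rather than mis-assign fields
        domain, _subdomains, path, secure, expiry, name, value = parts
        cookies.append({"domain": domain.lstrip(".").lower(), "path": path,
                        "secure": secure == "TRUE", "expiry": int(expiry),
                        "name": name, "value": value})
    return cookies

def cookie_status(cookie, now_epoch):
    """'live' if unexpired, 'session' if browser-lifetime (expiry 0), else 'expired'.
    A 'session' cookie has no expiry on disk, so treat it as live until revoked."""
    if cookie["expiry"] == 0:
        return "session"
    return "live" if cookie["expiry"] > now_epoch else "expired"

def revocation_worklist(cookies, now_epoch):
    """(domain, name, status) for high-risk hosts whose cookie may still authenticate.
    Values are deliberately left out so the worklist can be shared safely."""
    work = [(c["domain"], c["name"], cookie_status(c, now_epoch)) for c in cookies
            if c["domain"] in HIGH_RISK_HOSTS and cookie_status(c, now_epoch) != "expired"]
    return sorted(work)
```

An expired entry still tells you which application the victim was logged into at infection time, so keep the full parsed list for scoping even though only live and session cookies go on the revocation list.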

Detailed look at the data leaked from the compromised machine

How to Identify Organizational Exposure?

Once a stealer log has been parsed and its credentials and cookies analyzed, the investigation must pivot to answering a critical question: What exactly is exposed? Identifying the compromise requires mapping the stolen data against the organization’s attack surface, internal systems, and third-party vendor network.

With advanced filtering options, you can filter your organization to see the scale of the exposure

To determine exposure, analysts must systematically filter the files for domains that match the company’s infrastructure. This is not limited to public-facing websites; analysts must also hunt for high-risk authentication endpoints such as SSO/IdP portals (e.g., ADFS, Okta), VPN gateways, and RDP/remote access points.

Modern enterprises rely heavily on cloud and SaaS applications, making them prime targets for threat actors who parse logs for access to these specific environments.

  • Stealer logs frequently contain access to platforms like Slack, Microsoft 365, GitHub, and Jira. For example, the HellCat ransomware group successfully breached Telefónica by exploiting Jira credentials harvested by an infostealer.
  • Access to AWS, Azure, or Google Cloud control panels poses an immediate risk of data exfiltration and infrastructure manipulation. Because infostealers often capture active session cookies alongside passwords, attackers can replay these cookies to directly bypass Multi-Factor Authentication (MFA) and seamlessly hijack active sessions in these SaaS applications.

An organization’s exposure does not stop at its own employees. Supply chain compromises via stealer logs represent one of the most significant and rapidly growing threats. Attackers actively mine logs for credentials belonging to third-party vendors, contractors, and managed service providers who have access to the target organization’s network.

  • The Snowflake Breach: In 2024, threat actors compromised 165 organizations by exploiting credentials stolen by infostealers from developer machines and third-party contractors, bypassing traditional security boundaries.
  • The Samsung Germany Leak: A threat actor leaked 270,000 customer support tickets from Samsung Germany. The breach did not originate from Samsung’s internal network, but from a 2021 infostealer infection that harvested the login credentials of an employee at Spectos, a third-party vendor managing the ticketing system. Security teams must therefore monitor external threat intelligence feeds not just for their own domains, but for the domains of critical suppliers and partners.

Correlating Logs With Threat Intelligence

To effectively neutralize an infostealer compromise, security teams must look beyond the isolated infected endpoints. Correlating the extracted log data with broader threat intelligence helps analysts determine the severity of the breach, anticipate the attacker’s next moves, and identify hidden network exposures.

By using the data you gathered along the way, you can continue outward-facing investigations

Identifying the specific malware family responsible for the log (e.g., Lumma, RedLine, StealC, or Vidar) provides critical context about the threat actor’s Tactics, Techniques, and Procedures (TTPs). Knowing the malware family helps trace the infection back to specific delivery campaigns. This context is vital for tracing the root cause and updating web filters or email gateways to block the initial entry point.

Understanding where and how the log is being distributed dictates the urgency and type of the required response. Threat actors monetize stealer logs across a sprawling underground economy, and CTI platforms actively monitor these spaces:

  • Marketplaces: Marketplaces allow buyers to instantly search massive databases of stolen logs for specific corporate domains or session cookies.
  • Telegram Channels and Forums: Threat actors frequently use Telegram bots to distribute logs directly or auction them on elite hacking forums.
  • Initial Access Brokers (IABs): If a log containing privileged corporate access (like VPN or SSO credentials) is intercepted in a private offering by an IAB, it often signals an impending, high-severity ransomware attack, as these brokers sell directly to ransomware affiliates.

Analyzing the malware itself or the network telemetry surrounding the infection time can yield valuable Indicators of Compromise (IOCs). Infostealers must communicate with an attacker-controlled Command and Control (C2) server to exfiltrate the packaged log archive.

  • By extracting these C2 IP addresses, domains, and file hashes, defenders can integrate them into SIEM and EDR platforms.
  • This allows the security team to actively threat-hunt across the network, identifying if any other internal devices have communicated with the same malicious infrastructure, thereby uncovering hidden infections.

With our Threat Hunting module, you can access detailed information about the threat actor and more

From Intelligence to Incident Response

  • Assess Log Freshness: Not every stealer log indicates an active breach. Many contain outdated or recycled data. Prioritize logs and use the extraction timestamp to correlate the log with internal telemetry and search for suspicious activity.
  • Containment: Isolate the infected device through EDR network isolation, VPN restriction, or manual disconnection. Avoid shutting the system down immediately because memory artifacts, such as running processes, may be lost. Suspend the affected user’s accounts while the investigation continues.
  • Credential Resets: Reset all exposed credentials (email, SSO, VPN, cloud applications) from a clean device. In hybrid AD environments, a second password reset may be used during compromise recovery to invalidate credential material that could persist due to synchronization delays.
  • Session Invalidation: Password resets may not terminate all active sessions. Explicitly revoke active sessions and refresh tokens through the identity provider.
  • Phishing-Resistant MFA: Deploy phishing-resistant methods such as FIDO2 or WebAuthn. These reduce credential phishing risk, but stolen session cookies must still be handled through token revocation and monitoring.
  • Endpoint Investigation: Preserve forensic evidence (disk images, memory dumps, network captures) before remediation. Investigate for command-and-control activity and persistence mechanisms. Do not rely on antivirus alone. If stealer malware execution is confirmed, rebuilding the device from a clean image is often the safest remediation.
  • Ongoing Monitoring: Configure behavioral analytics to detect post-authentication anomalies such as impossible travel, unusual data access, and concurrent sessions. Monitor Dark Web sources for exposed credentials so response actions can be taken early.

Conclusion

Stealer logs are no longer just another risk factor; they have become the driving force behind credential-based attacks, ransomware deployments, and sophisticated cyber intrusions. However, while they pose an immense threat, they also offer security teams a critical advantage: an early warning system.

Stealer logs frequently appear in Dark Web markets, automated shops, and Telegram groups weeks before victims even realize their systems have been breached. By actively monitoring for leaked credentials and session data, security teams gain unparalleled early visibility into account compromise, sometimes discovering infections that evade internal endpoint detection entirely.

Monitoring these illicit sources gives incident responders a vital window of opportunity to take action, such as enforcing password resets and revoking session tokens before an attacker or initial access broker can use the stolen access to penetrate the corporate network.

Ultimately, understanding and investigating stealer logs allows organizations to move beyond a reactive posture. Proper investigation transforms these logs from simple records of past compromise into vital external threat telemetry. When integrated effectively, investigating stealer logs enables organizations to move from passive intelligence gathering to an active defense, converting raw data into decisive action and measurable risk reduction.