Stealer Logs#

Reference catalog of infostealer malware families and the marketplaces that resell their output. Stealer logs differ from breaches in structure: a victim machine runs infostealer malware, the operator collects browser-stored credentials, cookies, autofill, crypto wallets, and host fingerprint, then bulk-sells the resulting “logs” through dark-web markets. One log is one infected host. Operators move millions of logs per month.

For lookup of a specific family or market, use the references at the end. For working caches of leaked or seized stealer datasets, haveibeenpwned.com integrates several; intelx.io and DDoSecrets host more.

By Name (A-Z)#

Family / Market

Volume

Target

Operator

Ngrams & Search Queries

2easy.shop

700K+ logs (2021 peak)

Marketplace reselling RedLine / Raccoon output

Russian-speaking operator (unattributed)

“2easy shop stealer logs”, “2easy market RedLine”

AcridRain

emerging

Browser creds, crypto wallets (~80 wallet apps)

Russian-speaking developer

“AcridRain stealer 2023”, “AcridRain wallet stealer MaaS”

Aurora Stealer

2022-2023 active

Go-based; browser creds, wallets, FTP, Telegram

Sold as MaaS on forums

“Aurora stealer Go MaaS”, “Aurora stealer cluster”

Azorult

millions of logs

Browser, FTP, IM, crypto wallets

Sold on Russian forums

“Azorult stealer”, “Azorult campaign telemetry”

BlackGuard

2021-2022 active

50+ browsers / wallets / 2FA extensions

Russian-speaking developer

“BlackGuard stealer 2022”, “BlackGuard MaaS”

Cl0p (data-leak site)

2,700+ orgs (post-MOVEit)

Mostly exfil from extorted orgs; not a stealer per se

Cl0p ransomware crew

“cl0p leak site”, “cl0p data leak portal”

Genesis Market

1.5M+ bots (seized 2023)

Browser fingerprint + cookie bundles

Russian-speaking operator (FBI Operation Cookie Monster)

“genesis market FBI seizure 2023”, “genesis bots cookie monster”

Lumma Stealer (LummaC2)

1M+ infected hosts (2024 est.)

Browsers, wallets, 2FA tokens; widely sold

“Shamel” / “Lummac” (Russian-speaking)

“lumma stealer 2024”, “LummaC2 MaaS dark web”

Mars Stealer

2021-2022 active

Fork of Oski; browsers and wallets

Sold on forums

“Mars stealer 2022”, “Mars Oski fork”

MetaStealer

2022+

Browsers, IM (Telegram / Discord), wallets

Sold as MaaS

“MetaStealer 2022 campaign”, “MetaStealer Redline fork”

Nexus Market

early phase

Cookie / browser bundles (Genesis-style)

Genesis-aftermath actors

“Nexus market genesis successor”, “Nexus market cookies”

Phemedrone

2024 active (CVE-2023-36025 SmartScreen bypass)

Browser, wallets, Discord, Steam

Open-source on GitHub

“Phemedrone 2024 SmartScreen”, “Phemedrone CVE-2023-36025”

Raccoon Stealer (v1, v2)

millions of logs

Browser, mail, wallets, autofill

Mark Sokolovsky (arrested 2022); v2 by same group

“raccoon stealer v2”, “mark sokolovsky raccoon”

RedLine Stealer

tens of millions of logs

Browser, FTP, IM, crypto, VPN configs, gaming launchers

Russian-speaking MaaS operator

“RedLine stealer 2021”, “RedLine MaaS logs telegram”

RisePro

2023+ active

Browsers, wallets, files; sometimes paired with PrivateLoader

MaaS forum sales

“RisePro stealer 2023”, “RisePro PrivateLoader”

Russian Market

millions of logs

Marketplace reselling RedLine / Vidar / AZORult / Raccoon

Long-running Russian-speaking operator

“russian market stealer logs”, “russianmarket cards bots”

Snowflake credential dump

165 tenants (~10TB downstream)

Snowflake customers without MFA (Ticketmaster, AT&T, etc.)

UNC5537 (Connor Moucka et al.); stealer-sourced creds

“snowflake stealer logs 2024”, “UNC5537 stealer source”

StealC

2023+ active

Browser, wallets; modular plugin design

“Plymouth” (forum handle)

“StealC stealer 2023”, “StealC plymouth MaaS”

Stealerium

2022+

Open-source on GitHub; webcam capture; gaming creds

Various forks / private builds

“Stealerium open source 2022”, “Stealerium github fork”

Titan Stealer

2023+

Crypto wallets, browser, gaming creds

Telegram-channel sales

“Titan stealer 2023 telegram”, “Titan stealer MaaS”

Typhon Stealer

2022+

C#-based; browser, IM, FTP, wallets

Sold on forums

“Typhon stealer 2022”, “Typhon clipper logs”

Vidar

millions of logs

Browser, FTP, IM, wallets; sometimes loader-pair

Russian-speaking MaaS operator

“Vidar stealer 2019”, “Vidar MaaS arkei fork”

White Snake

2023+

Browser, wallets, Telegram, Steam, Discord

Russian-speaking developer

“White Snake stealer 2023”, “White Snake CIS exclusion”

Search Queries#

OSINT entry points for hunting stealer-log activity, families, operator handles, and victim datasets.

Hosted lookup#

Service

Pattern

Have I Been Pwned (stealer-log corpus)

https://haveibeenpwned.com/ (search by email; flags stealer-log presence).

IntelX

https://intelx.io/?s=<email|domain|hash>

DeHashed

https://dehashed.com/search?query=<term> (paid).

Snusbase

https://snusbase.com/ (paid stealer-log search).

Hudson Rock (Cavalier)

https://cavalier.hudsonrock.com/ (free check per domain).

Constella Intelligence

vendor portal; enterprise.

Google / Bing dorks#

Goal

Dork

Family-name reports

"<family>" intext:"stealer" site:any.run OR site:bleepingcomputer.com

YARA / Sigma rules

"<family>" filetype:yar OR filetype:yara

Telegram-channel scrapes

site:t.me "<family>" stealer logs

Forum threads

"<family>" intext:"sub" intext:"build" site:xss.is OR site:exploit.in

Sandbox URLs

site:tria.ge OR site:any.run OR site:joesandbox.com "<family>"

GitHub leaks / forks

site:github.com "<family>" stealer

Telegram and forum hunting#

Target

Pattern

Telegram channels

"<family>" logs cloud, "<family>" tg sub, "<family>" panel screenshot.

XSS.is forum threads

site:xss.is "<family>"

Exploit.in threads

site:exploit.in "<family>"

BreachForums (current alias)

site:breachforums.is OR site:breachforums.st "<family>"

Sample triage / pivot strings#

Goal

Query

Hash pivot

"<sha256>" any.run virustotal.com

C2 domain pivot

"<domain>" passivetotal censys.io shodan

Builder leak pivot

"<family> builder" cracked github

Indictment / takedown

"<family>" indictment FBI DOJ takedown

References#