Stealer Logs#
Reference catalog of infostealer malware families and the marketplaces that resell their output. Stealer logs differ from breaches in structure: a victim machine runs infostealer malware, the operator collects browser-stored credentials, cookies, autofill, crypto wallets, and host fingerprint, then bulk-sells the resulting “logs” through dark-web markets. One log is one infected host. Operators move millions of logs per month.
For lookup of a specific family or market, use the references at
the end. For working caches of leaked or seized stealer datasets,
haveibeenpwned.com integrates several; intelx.io and
DDoSecrets host more.
By Name (A-Z)#
Family / Market |
Volume |
Target |
Operator |
Ngrams & Search Queries |
|---|---|---|---|---|
2easy.shop |
700K+ logs (2021 peak) |
Marketplace reselling RedLine / Raccoon output |
Russian-speaking operator (unattributed) |
“2easy shop stealer logs”, “2easy market RedLine” |
AcridRain |
emerging |
Browser creds, crypto wallets (~80 wallet apps) |
Russian-speaking developer |
“AcridRain stealer 2023”, “AcridRain wallet stealer MaaS” |
Aurora Stealer |
2022-2023 active |
Go-based; browser creds, wallets, FTP, Telegram |
Sold as MaaS on forums |
“Aurora stealer Go MaaS”, “Aurora stealer cluster” |
Azorult |
millions of logs |
Browser, FTP, IM, crypto wallets |
Sold on Russian forums |
“Azorult stealer”, “Azorult campaign telemetry” |
BlackGuard |
2021-2022 active |
50+ browsers / wallets / 2FA extensions |
Russian-speaking developer |
“BlackGuard stealer 2022”, “BlackGuard MaaS” |
Cl0p (data-leak site) |
2,700+ orgs (post-MOVEit) |
Mostly exfil from extorted orgs; not a stealer per se |
Cl0p ransomware crew |
“cl0p leak site”, “cl0p data leak portal” |
Genesis Market |
1.5M+ bots (seized 2023) |
Browser fingerprint + cookie bundles |
Russian-speaking operator (FBI Operation Cookie Monster) |
“genesis market FBI seizure 2023”, “genesis bots cookie monster” |
Lumma Stealer (LummaC2) |
1M+ infected hosts (2024 est.) |
Browsers, wallets, 2FA tokens; widely sold |
“Shamel” / “Lummac” (Russian-speaking) |
“lumma stealer 2024”, “LummaC2 MaaS dark web” |
Mars Stealer |
2021-2022 active |
Fork of Oski; browsers and wallets |
Sold on forums |
“Mars stealer 2022”, “Mars Oski fork” |
MetaStealer |
2022+ |
Browsers, IM (Telegram / Discord), wallets |
Sold as MaaS |
“MetaStealer 2022 campaign”, “MetaStealer Redline fork” |
Nexus Market |
early phase |
Cookie / browser bundles (Genesis-style) |
Genesis-aftermath actors |
“Nexus market genesis successor”, “Nexus market cookies” |
Phemedrone |
2024 active (CVE-2023-36025 SmartScreen bypass) |
Browser, wallets, Discord, Steam |
Open-source on GitHub |
“Phemedrone 2024 SmartScreen”, “Phemedrone CVE-2023-36025” |
Raccoon Stealer (v1, v2) |
millions of logs |
Browser, mail, wallets, autofill |
Mark Sokolovsky (arrested 2022); v2 by same group |
“raccoon stealer v2”, “mark sokolovsky raccoon” |
RedLine Stealer |
tens of millions of logs |
Browser, FTP, IM, crypto, VPN configs, gaming launchers |
Russian-speaking MaaS operator |
“RedLine stealer 2021”, “RedLine MaaS logs telegram” |
RisePro |
2023+ active |
Browsers, wallets, files; sometimes paired with PrivateLoader |
MaaS forum sales |
“RisePro stealer 2023”, “RisePro PrivateLoader” |
Russian Market |
millions of logs |
Marketplace reselling RedLine / Vidar / AZORult / Raccoon |
Long-running Russian-speaking operator |
“russian market stealer logs”, “russianmarket cards bots” |
Snowflake credential dump |
165 tenants (~10TB downstream) |
Snowflake customers without MFA (Ticketmaster, AT&T, etc.) |
UNC5537 (Connor Moucka et al.); stealer-sourced creds |
“snowflake stealer logs 2024”, “UNC5537 stealer source” |
StealC |
2023+ active |
Browser, wallets; modular plugin design |
“Plymouth” (forum handle) |
“StealC stealer 2023”, “StealC plymouth MaaS” |
Stealerium |
2022+ |
Open-source on GitHub; webcam capture; gaming creds |
Various forks / private builds |
“Stealerium open source 2022”, “Stealerium github fork” |
Titan Stealer |
2023+ |
Crypto wallets, browser, gaming creds |
Telegram-channel sales |
“Titan stealer 2023 telegram”, “Titan stealer MaaS” |
Typhon Stealer |
2022+ |
C#-based; browser, IM, FTP, wallets |
Sold on forums |
“Typhon stealer 2022”, “Typhon clipper logs” |
Vidar |
millions of logs |
Browser, FTP, IM, wallets; sometimes loader-pair |
Russian-speaking MaaS operator |
“Vidar stealer 2019”, “Vidar MaaS arkei fork” |
White Snake |
2023+ |
Browser, wallets, Telegram, Steam, Discord |
Russian-speaking developer |
“White Snake stealer 2023”, “White Snake CIS exclusion” |
Search Queries#
OSINT entry points for hunting stealer-log activity, families, operator handles, and victim datasets.
Hosted lookup#
Service |
Pattern |
|---|---|
Have I Been Pwned (stealer-log corpus) |
|
IntelX |
|
DeHashed |
|
Snusbase |
|
Hudson Rock (Cavalier) |
|
Constella Intelligence |
vendor portal; enterprise. |
Google / Bing dorks#
Goal |
Dork |
|---|---|
Family-name reports |
|
YARA / Sigma rules |
|
Telegram-channel scrapes |
|
Forum threads |
|
Sandbox URLs |
|
GitHub leaks / forks |
|
Telegram and forum hunting#
Target |
Pattern |
|---|---|
Telegram channels |
|
XSS.is forum threads |
|
Exploit.in threads |
|
BreachForums (current alias) |
|
Sample triage / pivot strings#
Goal |
Query |
|---|---|
Hash pivot |
|
C2 domain pivot |
|
Builder leak pivot |
|
Indictment / takedown |
|
References#
Have I Been Pwned, integrates stealer-log presence checks per email.
Hudson Rock Cavalier, per-domain stealer-log exposure check.
Flashpoint, threat-actor and marketplace tracking.
Sekoia Threat Detection Research, ongoing stealer-family writeups.
KrebsOnSecurity, marketplace takedown coverage (Genesis, BreachForums, etc.).
Data Breaches, intrusion-driven incidents (compare).
Data Leaks, source-driven disclosures (compare).
Malware, malware families more broadly.