Infostealer Attack Chain

How infostealer operators all follow the same five-stage chokepoint sequence — regardless of family, brand, or C2 infrastructure.

Last updated: 2025-01-15

The Chokepoint Convergence Principle

Every actor in the matrix below follows the same sequence of stages — they must, because each stage reflects an unavoidable prerequisite condition. Their tools, loaders, and C2 infrastructure change constantly. The underlying chokepoints do not. Detect the prerequisite; catch any actor.

TTP Overlap Across Groups

Each box represents a MITRE ATT&CK technique. Colored dots indicate which groups or families use that technique; techniques where all dots are filled are universal chokepoints and the highest-value targets for detection engineering.

[Figure: Infostealer Attack Chain, TTP overlap diagram. Families tracked: RedLine, LummaC2, Vidar, StealC, Raccoon.]
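The "all dots filled" rule above is a coverage count over per-family technique sets. The following is an added example, not code from the page or from any of the projects it names: it computes that count, ranks techniques for detection-engineering priority, and answers the inverse question (given what you can detect, which families slip through). The per-family technique sets are constructed for the demonstration because the diagram's dot data is not reproduced on the page; they are assumptions, not claims about what any real family does. The technique-to-stage mapping is the one shown in the page's attack-flow diagram.

```python
"""Added example (not from the page): rank ATT&CK techniques by how many tracked
families use them, the computation behind the "all dots filled" universal chokepoints."""
from collections import Counter

# Technique -> stage, as laid out in the page's attack-flow diagram.
STAGE_OF = {
    "T1608.005": "Distribution", "T1566.002": "Distribution",
    "T1204.002": "Execution", "T1059.005": "Execution", "T1218.005": "Execution",
    "T1555.003": "Collection", "T1539": "Collection",
    "T1041": "Exfiltration", "T1048": "Exfiltration",
    "T1657": "Monetization", "T1078": "Monetization",
}

# Constructed, illustrative per-family sets. The diagram's actual dot data is not reproduced
# on the page, so these are assumptions for the demonstration, not claims about real families.
FAMILY_TTPS = {
    "RedLine": {"T1608.005", "T1204.002", "T1555.003", "T1539", "T1041", "T1657"},
    "LummaC2": {"T1566.002", "T1204.002", "T1059.005", "T1218.005", "T1555.003", "T1539", "T1041", "T1657"},
    "Vidar":   {"T1608.005", "T1204.002", "T1555.003", "T1539", "T1041", "T1048", "T1657"},
    "StealC":  {"T1608.005", "T1204.002", "T1555.003", "T1041", "T1657"},
    "Raccoon": {"T1566.002", "T1204.002", "T1555.003", "T1539", "T1041", "T1657"},
}


def coverage(family_ttps):
    """{technique: number of families using it}; the 'filled dots' count per box."""
    counts = Counter()
    for ttps in family_ttps.values():
        counts.update(ttps)
    return dict(counts)


def universal_chokepoints(family_ttps):
    """Techniques used by every tracked family: the boxes where all dots are filled."""
    total = len(family_ttps)
    return sorted(t for t, n in coverage(family_ttps).items() if n == total)


def ranked(family_ttps):
    """(technique, coverage, stage) ordered for detection-engineering priority."""
    cov = coverage(family_ttps)
    return [(t, cov[t], STAGE_OF.get(t, "?")) for t in sorted(cov, key=lambda t: (-cov[t], t))]


def families_missed(family_ttps, detectable):
    """Families with no technique in your detectable set: the blind spots a rule set leaves."""
    detectable = set(detectable)
    return sorted(f for f, ttps in family_ttps.items() if not ttps & detectable)


if __name__ == "__main__":
    for tech, n, stage in ranked(FAMILY_TTPS):
        print(f"{tech:10} {stage:13} {n}/{len(FAMILY_TTPS)}")
    print("universal:", universal_chokepoints(FAMILY_TTPS))
```

With these constructed sets, a rule set that only covers the LOLBin technique T1059.005 leaves four of the five families undetected, while covering the universal techniques leaves none; that is the ranking argument the page makes, expressed as a computation you can rerun against your own threat-intel data.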

Attack Flow

Three swimlanes show the attacker's actions, mapped ATT&CK techniques, and detection posture at each stage. Legend: Exploited = detection gap; Detected = opportunity; Blocked = control active.

[Figure: Infostealer Attack Chain, attack flow diagram. Attack chain with 5 stages: Distribution, Execution, Collection, Exfiltration, Monetization. Stages are color-coded by detection posture: red = exploited (gap), yellow = detected (opportunity), green = blocked (control active).]

Stage | Tactic | Attacker action | ATT&CK techniques | Detection posture | Detection sources
Distribution | TA0001 | Malvertising / SEO poison | T1608.005, T1566.002 | Detected | Browser · DNS
Execution | TA0002 | LOLBin chain / fake installer | T1204.002, T1059.005, T1218.005 | Detected | Endpoint
Collection | TA0009 | Browser DB / DPAPI decrypt | T1555.003, T1539 | Exploited | Endpoint · Browser
Exfiltration | TA0010 | HTTPS POST to C2 / Telegram | T1041, T1048 | Detected | Network · Firewall
Monetization | TA0040 | IAB sale · Session replay | T1657, T1078 | Unknown | Dark web · SaaS

Chokepoint Opportunities by Stage

Each card shows the invariant prerequisite an attacker must satisfy at that stage, the top detection signals, and links to the full chokepoint analysis.

1. Distribution

Chokepoint: Delivery mechanism reaches target user's endpoint

Detection Signals
  • Download from newly registered domain (<90 days old)
  • Browser navigating to typosquatted software download site
  • Installer with missing or untrusted digital signature

2. Execution

Chokepoint: User action triggers payload (no AV block / sandbox)

Detection Signals
  • Executable launched from %USERPROFILE%\Downloads\ or %TEMP%\
  • Browser process spawning unexpected child process
  • LOLBin chain: mshta → wscript → rundll32 (no legitimate parent)

3. Collection

Chokepoint: File system access to browser profile dirs + DPAPI decryption privilege

Detection Signals
  • Non-browser process reading Chrome/Firefox SQLite credential stores
  • DPAPI CryptUnprotectData call from unexpected process
  • Bulk file reads under %APPDATA%\*\Chromium\ or %APPDATA%\Mozilla\

4. Exfiltration

Chokepoint: Outbound network connectivity from infected host

Detection Signals
  • Non-browser process making HTTPS POST with payload >1 MB
  • Outbound connection to Telegram Bot API (api.telegram.org) from non-user process
  • Compressed archive (.zip/.7z) created then immediately sent over network

5. Monetization

Chokepoint: Harvested credential data has market value; buyer infrastructure exists

Detection Signals
  • VPN/SaaS login from new geo-location with valid credentials (downstream)
  • Session token reuse from unfamiliar IP/device fingerprint
  • Account behavior anomaly after credential exposure window
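The endpoint-side signals on the Execution, Collection and Exfiltration cards all fall out of a single pass over process, file and network telemetry, as long as the detector keeps enough state to correlate them (process ancestry, per-process read counts, recent archive creations). The block below is an added example, not code from the page or from any sensor vendor: it runs those signals over a constructed Sysmon-style event stream. The event shape, field names, the `\appdata\` marker standing in for the profile directories, the 10-read bulk threshold and the 60-second archive-to-upload window are all assumptions made for the demonstration; the 1 MB POST threshold and the `api.telegram.org` destination come from the cards.

```python
"""Added example: one pass over constructed Sysmon-style endpoint events, raising the
Execution, Collection and Exfiltration signals listed on the chokepoint cards.
Event shapes, field names and most thresholds are assumptions, not a real sensor's schema."""
from collections import defaultdict

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
LOLBIN_CHAIN = ("mshta.exe", "wscript.exe", "rundll32.exe")        # card 2
CRED_STORES = {"login data", "logins.json", "key4.db", "cookies"}  # Chrome/Firefox credential stores (card 3)
PROFILE_MARKER = "\\appdata\\"          # assumed stand-in for the %APPDATA%-rooted profile dirs
STAGING_DIRS = ("\\downloads\\", "\\temp\\")
ARCHIVE_EXT = (".zip", ".7z")
POST_THRESHOLD = 1_000_000              # bytes: card 4 says payload >1 MB
BULK_READ_THRESHOLD = 10                # assumed: reads under profile dirs by one process
ARCHIVE_TO_NET_WINDOW = 60              # seconds, assumed meaning of "immediately sent"


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(procs, pid):
    """Process names from the root ancestor down to pid, using recorded ppids."""
    names, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        name, ppid = procs[pid]
        names.append(name)
        pid = ppid
    return names[::-1]


def detect(events):
    """Return a list of (stage, signal, pid) tuples for the signals that fired."""
    procs = {}                        # pid -> (image basename, ppid)
    profile_reads = defaultdict(int)  # pid -> files read under profile dirs
    archives = []                     # (t, pid) for archive files created
    hits = []
    for ev in sorted(events, key=lambda e: e["t"]):
        pid = ev["pid"]
        if ev["type"] == "process":
            name = basename(ev["image"])
            procs[pid] = (name, ev["ppid"])
            parent = procs.get(ev["ppid"], ("", None))[0]
            if any(d in ev["image"].lower() for d in STAGING_DIRS):
                hits.append(("Execution", "launched from Downloads/Temp", pid))
            if parent in BROWSERS and name not in BROWSERS:
                hits.append(("Execution", "browser spawned non-browser child", pid))
            chain = lineage(procs, pid)
            if any(tuple(chain[i:i + 3]) == LOLBIN_CHAIN for i in range(len(chain) - 2)):
                hits.append(("Execution", "LOLBin chain mshta->wscript->rundll32", pid))
            continue
        name = procs.get(pid, ("unknown", None))[0]
        if name in BROWSERS:          # the browser itself is expected to touch its own stores
            continue
        path = ev.get("path", "").lower()
        if ev["type"] == "file_read":
            if basename(path) in CRED_STORES:
                hits.append(("Collection", f"non-browser read of {basename(path)}", pid))
            if PROFILE_MARKER in path:
                profile_reads[pid] += 1
                if profile_reads[pid] == BULK_READ_THRESHOLD:
                    hits.append(("Collection", "bulk reads under browser profile dirs", pid))
        elif ev["type"] == "file_create" and path.endswith(ARCHIVE_EXT):
            archives.append((ev["t"], pid))
        elif ev["type"] == "network":
            if ev["method"] == "POST" and ev["bytes"] > POST_THRESHOLD:
                hits.append(("Exfiltration", "non-browser HTTPS POST >1 MB", pid))
            if ev["dest"] == "api.telegram.org":
                hits.append(("Exfiltration", "Telegram Bot API from non-user process", pid))
            if any(p == pid and 0 <= ev["t"] - t <= ARCHIVE_TO_NET_WINDOW for t, p in archives):
                hits.append(("Exfiltration", "archive created then sent immediately", pid))
    return hits


U = r"C:\Users\alice"
SAMPLE_EVENTS = [   # constructed telemetry for the demonstration, not a real capture
    {"t": 0, "type": "process", "pid": 10, "ppid": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"t": 5, "type": "process", "pid": 20, "ppid": 10, "image": U + r"\Downloads\Setup_Pro_2025.exe"},
    {"t": 6, "type": "process", "pid": 21, "ppid": 20, "image": r"C:\Windows\System32\mshta.exe"},
    {"t": 7, "type": "process", "pid": 22, "ppid": 21, "image": r"C:\Windows\System32\wscript.exe"},
    {"t": 8, "type": "process", "pid": 23, "ppid": 22, "image": r"C:\Windows\System32\rundll32.exe"},
    {"t": 9, "type": "file_read", "pid": 23, "path": U + r"\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"t": 9, "type": "file_read", "pid": 23, "path": U + r"\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\logins.json"},
] + [
    {"t": 10 + i, "type": "file_read", "pid": 23,
     "path": U + rf"\AppData\Local\Google\Chrome\User Data\Default\Extensions\ext{i}\manifest.json"}
    for i in range(8)
] + [
    {"t": 20, "type": "file_create", "pid": 23, "path": U + r"\AppData\Local\Temp\out.zip"},
    {"t": 25, "type": "network", "pid": 23, "dest": "api.telegram.org", "method": "POST", "bytes": 2_400_000},
    {"t": 30, "type": "network", "pid": 10, "dest": "drive.google.com", "method": "POST", "bytes": 5_000_000},  # benign browser upload
]

if __name__ == "__main__":
    for stage, signal, pid in detect(SAMPLE_EVENTS):
        print(f"{stage:13} pid={pid:<3} {signal}")
```

Two design points matter more than the individual rules. The browser exclusion is what keeps the Collection and Exfiltration signals quiet on a healthy host (Chrome reads its own `Login Data` and uploads large POSTs all day), so the detector has to know which process is the browser rather than matching on paths alone. And the LOLBin-chain and archive-then-upload rules only work because the detector retains state across events; a stateless per-event rule cannot express "rundll32 whose grandparent is mshta" or "a .zip written by this process in the last minute".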

Actor Convergence Matrix (5 actors tracked)

Different tools. Different operators. Same chokepoints. The highlighted bottom row shows the invariant prerequisite condition your detections must cover — regardless of which actor you're facing.

Actor | Status | Distribution | Execution | Collection | Exfiltration | Monetization
RedLine | Disrupted | Malvertising / cracked software SEO | User double-clicks fake installer EXE | Chrome/Firefox SQLite + crypto wallets (DPAPI) | HTTPS POST to C2 panel | IAB dark web marketplace sale
LummaC2 | Active | Fake CAPTCHA / ClickFix lure pages | LOLBin chain (mshta → wscript → rundll32) | Browsers + 2FA extensions + crypto wallets (DPAPI) | Encrypted HTTPS POST to rotating C2 | IAB sale + direct RaaS operator supply
Vidar | Active | Malvertising / YouTube description links | MSI / NSIS installer execution | Browsers + 2FA tokens + crypto wallets (DPAPI + Telegram token) | HTTP POST + Telegram Bot API C2 | IAB marketplace listing
StealC | Active | SEO poisoning / malvertising | User-executed signed-looking binary | Browsers + Discord tokens + Telegram sessions | HTTP POST to admin panel | IAB sale / direct buyer negotiation
Raccoon | Disrupted | Phishing / malvertising | User-executed EXE or MSI | Browsers + email clients + crypto wallets | HTTP POST to C2 | IAB marketplace
The Chokepoint | (all) | Delivery mechanism reaches target user's endpoint | User action triggers payload (no AV block / sandbox) | File system access to browser profile dirs + DPAPI decryption privilege | Outbound network connectivity from infected host | Harvested credential data has market value; buyer infrastructure exists
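The Monetization column of the matrix, and the Monetization card above it, are the one stage where the endpoint sees nothing: the signals are downstream, in the identity provider or SaaS logs where the stolen credentials and session tokens get used. The block below is an added example, not code from the page or from any IdP product: it runs the card's three downstream signals (new-geo login with valid credentials, session token reused from an unfamiliar IP/device fingerprint, sensitive account actions after a known exposure time) over constructed login and request logs. The log shape, the per-user baseline, the exposure timestamp and the list of sensitive actions are all assumptions for the demonstration.

```python
"""Added example: downstream identity signals for the Monetization stage, run over
constructed authentication and request logs. Field names, the per-user baseline and
the exposure timestamps are assumptions; a real IdP or proxy log looks different."""

SENSITIVE_ACTIONS = {"mfa_reset", "api_key_create", "bulk_export"}   # assumed high-impact actions


def analyze_sessions(events, baseline, exposure):
    """baseline: {user: {"geos": set, "devices": set}} learned before any exposure.
    exposure: {user: t} when the user's credentials were seen in a stealer log.
    Returns (signal, user, detail) tuples in time order."""
    issued = {}       # session_id -> (user, ip, device_fp) at the login that minted it
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        user = ev["user"]
        known = baseline.get(user, {"geos": set(), "devices": set()})
        if ev["type"] == "login":
            if not ev["success"]:
                continue                       # failed attempts are a different signal
            if ev["geo"] not in known["geos"]:
                alerts.append(("login from new geo with valid credentials", user, ev["geo"]))
            if ev["device_fp"] not in known["devices"]:
                alerts.append(("login from unfamiliar device fingerprint", user, ev["device_fp"]))
            issued[ev["session_id"]] = (user, ev["ip"], ev["device_fp"])
        elif ev["type"] == "request":
            origin = issued.get(ev["session_id"])
            if origin is None:
                alerts.append(("request with session token never issued here", user, ev["session_id"]))
            elif (ev["ip"], ev["device_fp"]) != origin[1:]:
                # the cookie/token is valid, but it is being replayed from somewhere it was not minted
                alerts.append(("session token reused from new IP/device", user, ev["session_id"]))
            if ev["action"] in SENSITIVE_ACTIONS and user in exposure and ev["t"] >= exposure[user]:
                alerts.append(("sensitive action after credential exposure", user, ev["action"]))
    return alerts


# Constructed data for the demonstration: two users, one of whom appears in a stealer log at t=100.
BASELINE = {
    "alice": {"geos": {"DE"}, "devices": {"fp-laptop"}},
    "bob": {"geos": {"US"}, "devices": {"fp-desk"}},
}
EXPOSURE = {"alice": 100}
SAMPLE_EVENTS = [
    {"t": 10, "type": "login", "user": "alice", "success": True, "ip": "198.51.100.4",
     "device_fp": "fp-laptop", "geo": "DE", "session_id": "s1"},
    {"t": 11, "type": "request", "user": "alice", "ip": "198.51.100.4", "device_fp": "fp-laptop",
     "session_id": "s1", "action": "read_mail"},
    {"t": 50, "type": "login", "user": "bob", "success": True, "ip": "192.0.2.9",
     "device_fp": "fp-desk", "geo": "US", "session_id": "s3"},
    {"t": 51, "type": "request", "user": "bob", "ip": "192.0.2.9", "device_fp": "fp-desk",
     "session_id": "s3", "action": "read_mail"},
    # alice's still-valid cookie is replayed from a different host
    {"t": 120, "type": "request", "user": "alice", "ip": "203.0.113.7", "device_fp": "fp-unknown",
     "session_id": "s1", "action": "read_mail"},
    # then her stolen password is used directly from a new country and device
    {"t": 130, "type": "login", "user": "alice", "success": True, "ip": "203.0.113.7",
     "device_fp": "fp-unknown", "geo": "BR", "session_id": "s2"},
    {"t": 131, "type": "request", "user": "alice", "ip": "203.0.113.7", "device_fp": "fp-unknown",
     "session_id": "s2", "action": "mfa_reset"},
    {"t": 140, "type": "login", "user": "alice", "success": False, "ip": "203.0.113.7",
     "device_fp": "fp-unknown", "geo": "BR", "session_id": "s4"},
]

if __name__ == "__main__":
    for signal, user, detail in analyze_sessions(SAMPLE_EVENTS, BASELINE, EXPOSURE):
        print(f"{user:6} {signal}: {detail}")
```

The token-replay check is the one that catches session-cookie theft even when no password is ever typed, which is why the matrix lists session replay under Monetization: the credentials are valid, so only the mismatch between where the token was minted and where it is being presented gives the reuse away. Bob's activity, which matches his baseline throughout, produces no alert.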
