Infostealer Attack Chain
The chokepoint sequence every infostealer must follow.
Same stages, different tools. Each stage is an unavoidable prerequisite - the underlying chokepoints don't change. Detect the prerequisite; catch any actor.
TTP Overlap Across Groups
Technique cards with actor dots. Orange border = used by all actors. Click actors to filter; a cyan glow marks techniques shared by every selected actor.
Chokepoint Opportunities by Stage
Invariant prerequisite per stage, top signals, and links to the full chokepoint analysis.
Delivery mechanism reaches target user's endpoint
- Download from newly registered domain (<90 days old)
- Browser navigating to typosquatted software download site
- Installer with missing or untrusted digital signature
User action triggers payload (no AV block / sandbox)
- Executable launched from %USERPROFILE%\Downloads\ or %TEMP%\
- Browser process spawning unexpected child process
- LOLBin chain: mshta, wscript, rundll32 without legitimate parent
File system access to browser profile dirs + DPAPI decryption privilege
- Non-browser process reading Chrome/Firefox SQLite credential stores
- DPAPI CryptUnprotectData call from unexpected process
- Bulk file reads under %APPDATA%\*\Chromium\ or %APPDATA%\Mozilla\
Outbound network connectivity from infected host
- Non-browser process making HTTPS POST with payload >1 MB
- Outbound connection to Telegram Bot API (api.telegram.org) from non-user process
- Compressed archive (.zip/.7z) created then immediately sent over network
Harvested credential data has market value; buyer infrastructure exists
- VPN/SaaS login from new geo-location with valid credentials (downstream)
- Session token reuse from unfamiliar IP/device fingerprint
- Account behavior anomaly after credential exposure window
Actor Convergence Matrix 5 actors tracked
Different tools, different operators - same chokepoints. Bottom row: the invariant your detections must cover.
| Actor | Distribution | Execution | Collection | Exfiltration | Monetization |
|---|---|---|---|---|---|
| RedLine Disrupted |
Malvertising / cracked software SEO | User double-clicks fake installer EXE | Chrome/Firefox SQLite + crypto wallets (DPAPI) | HTTPS POST to C2 panel | IAB dark web marketplace sale |
| LummaC2 Active |
Fake CAPTCHA / ClickFix lure pages | LOLBin chain (mshta, wscript, rundll32) | Browsers + 2FA extensions + crypto wallets (DPAPI) | Encrypted HTTPS POST to rotating C2 | IAB sale + direct RaaS operator supply |
| Vidar Active |
Malvertising / YouTube description links | MSI / NSIS installer execution | Browsers + 2FA tokens + crypto wallets (DPAPI + Telegram token) | HTTP POST + Telegram Bot API C2 | IAB marketplace listing |
| StealC Active |
SEO poisoning / malvertising | User-executed signed-looking binary | Browsers + Discord tokens + Telegram sessions | HTTP POST to admin panel | IAB sale / direct buyer negotiation |
| Raccoon Disrupted (operator arrested) |
Phishing / malvertising | User-executed EXE or MSI | Browsers + email clients + crypto wallets | HTTP POST to C2 | IAB marketplace |
| The Chokepoint | Delivery mechanism reaches target user's endpoint | User action triggers payload (no AV block / sandbox) | File system access to browser profile dirs + DPAPI decryption privilege | Outbound network connectivity from infected host | Harvested credential data has market value; buyer infrastructure exists |
Analysis & References
Research Methodology
Source: Kitsune pipeline over ORKL + vendor reports - 13 reports / 5 families. Convergent techniques only.
Related Attack Chains
- Ransomware - Often follows infostealer-provided access
- AiTM / Phishing Kits - Session tokens harvested by infostealers enable AiTM-style account takeover