Attack Chains Updated 2026-04-13

Infostealer Attack Chain

The chokepoint sequence every infostealer must follow.

The Chokepoint Convergence Principle

Same stages, different tools. Each stage is an unavoidable prerequisite - the underlying chokepoints don't change. Detect the prerequisite; catch any actor.

TTP Overlap Across Groups

Technique cards with actor dots. Orange border = used by all actors. Click actors to filter; a cyan glow marks techniques shared by every selected actor.

Execution
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Windows Command Shell
T1059.003
User Execution
T1204
Defense Evasion
Obfuscated Files or Information
T1027
Masquerading
T1036
Process Injection
T1055
Deobfuscate/Decode Files
T1140
Discovery
System Network Config Discovery
T1016
Network Service Discovery
T1046
File and Directory Discovery
T1083
Collection
Data from Local System
T1005
Automated Collection
T1119
Steal Web Session Cookie
T1539
Credentials In Files
T1552.001
Credentials from Web Browsers
T1555.003
Credential Access
Valid Accounts
T1078
Domain Accounts
T1078.002
Local Accounts
T1078.003
Password Guessing
T1110.001
Password Spraying
T1110.003
Exfiltration
Data Transfer Size Limits
T1030
Exfiltration Over C2 Channel
T1041
Exfil Over Alternative Protocol
T1048
Command and Control
Web Protocols
T1071.001
Non-Application Layer Protocol
T1095
Ingress Tool Transfer
T1105
Non-Standard Port
T1571

Chokepoint Opportunities by Stage

Invariant prerequisite per stage, top signals, and links to the full chokepoint analysis.

1 Distribution
Chokepoint

Delivery mechanism reaches target user's endpoint

Detection Signals
  • Download from newly registered domain (<90 days old)
  • Browser navigating to typosquatted software download site
  • Installer with missing or untrusted digital signature
2 Execution
Chokepoint

User action triggers payload (no AV block / sandbox)

Detection Signals
  • Executable launched from %USERPROFILE%\Downloads\ or %TEMP%\
  • Browser process spawning unexpected child process
  • LOLBin chain: mshta, wscript, rundll32 without legitimate parent
3 Collection
Chokepoint

File system access to browser profile dirs + DPAPI decryption privilege

Detection Signals
  • Non-browser process reading Chrome/Firefox SQLite credential stores
  • DPAPI CryptUnprotectData call from unexpected process
  • Bulk file reads under %APPDATA%\*\Chromium\ or %APPDATA%\Mozilla\
4 Exfiltration
Chokepoint

Outbound network connectivity from infected host

Detection Signals
  • Non-browser process making HTTPS POST with payload >1 MB
  • Outbound connection to Telegram Bot API (api.telegram.org) from non-user process
  • Compressed archive (.zip/.7z) created then immediately sent over network
5 Monetization
Chokepoint

Harvested credential data has market value; buyer infrastructure exists

Detection Signals
  • VPN/SaaS login from new geo-location with valid credentials (downstream)
  • Session token reuse from unfamiliar IP/device fingerprint
  • Account behavior anomaly after credential exposure window

Actor Convergence Matrix 5 actors tracked

Different tools, different operators - same chokepoints. Bottom row: the invariant your detections must cover.

Actor Distribution Execution Collection Exfiltration Monetization
RedLine
Disrupted
Malvertising / cracked software SEO User double-clicks fake installer EXE Chrome/Firefox SQLite + crypto wallets (DPAPI) HTTPS POST to C2 panel IAB dark web marketplace sale
LummaC2
Active
Fake CAPTCHA / ClickFix lure pages LOLBin chain (mshta, wscript, rundll32) Browsers + 2FA extensions + crypto wallets (DPAPI) Encrypted HTTPS POST to rotating C2 IAB sale + direct RaaS operator supply
Vidar
Active
Malvertising / YouTube description links MSI / NSIS installer execution Browsers + 2FA tokens + crypto wallets (DPAPI + Telegram token) HTTP POST + Telegram Bot API C2 IAB marketplace listing
StealC
Active
SEO poisoning / malvertising User-executed signed-looking binary Browsers + Discord tokens + Telegram sessions HTTP POST to admin panel IAB sale / direct buyer negotiation
Raccoon
Disrupted (operator arrested)
Phishing / malvertising User-executed EXE or MSI Browsers + email clients + crypto wallets HTTP POST to C2 IAB marketplace
The Chokepoint Delivery mechanism reaches target user's endpoint User action triggers payload (no AV block / sandbox) File system access to browser profile dirs + DPAPI decryption privilege Outbound network connectivity from infected host Harvested credential data has market value; buyer infrastructure exists

Analysis & References

Research Methodology

Source: Kitsune pipeline over ORKL + vendor reports - 13 reports / 5 families. Convergent techniques only.

  • Ransomware - Often follows infostealer-provided access
  • AiTM / Phishing Kits - Session tokens harvested by infostealers enable AiTM-style account takeover