Infostealer Attack Chain

How infostealer operators all follow the same five-stage chokepoint sequence, regardless of family, brand, or C2 infrastructure.

Last updated: 2026-04-13

The Chokepoint Convergence Principle

Every actor in the matrix below follows the same sequence of stages. They must, because each stage reflects an unavoidable prerequisite condition. Their tools, loaders, and C2 infrastructure change constantly. The underlying chokepoints do not. Detect the prerequisite; catch any actor.

TTP Overlap Across Groups

Each entry below is a MITRE ATT&CK technique, grouped by tactic. In the interactive version of this page, dots mark which groups or families use a technique, and an orange border marks the universal chokepoints used by every tracked actor.

Execution
  • Command and Scripting Interpreter (T1059)
  • PowerShell (T1059.001)
  • Windows Command Shell (T1059.003)
  • User Execution (T1204)

Defense Evasion
  • Obfuscated Files or Information (T1027)
  • Masquerading (T1036)
  • Process Injection (T1055)
  • Deobfuscate/Decode Files or Information (T1140)

Discovery
  • System Network Configuration Discovery (T1016)
  • Network Service Discovery (T1046)
  • File and Directory Discovery (T1083)

Collection
  • Data from Local System (T1005)
  • Automated Collection (T1119)
  • Steal Web Session Cookie (T1539)
  • Credentials In Files (T1552.001)
  • Credentials from Web Browsers (T1555.003)

Credential Access
  • Valid Accounts (T1078)
  • Domain Accounts (T1078.002)
  • Local Accounts (T1078.003)
  • Password Guessing (T1110.001)
  • Password Spraying (T1110.003)

Exfiltration
  • Data Transfer Size Limits (T1030)
  • Exfiltration Over C2 Channel (T1041)
  • Exfiltration Over Alternative Protocol (T1048)

Command and Control
  • Web Protocols (T1071.001)
  • Non-Application Layer Protocol (T1095)
  • Ingress Tool Transfer (T1105)
  • Non-Standard Port (T1571)

Chokepoint Opportunities by Stage

Each card shows the invariant prerequisite an attacker must satisfy at that stage, the top detection signals, and links to the full chokepoint analysis.

Stage 1: Distribution
Chokepoint: Delivery mechanism reaches target user's endpoint
Detection Signals
  • Download from newly registered domain (<90 days old)
  • Browser navigating to typosquatted software download site
  • Installer with missing or untrusted digital signature

Stage 2: Execution
Chokepoint: User action triggers payload (no AV block / sandbox)
Detection Signals
  • Executable launched from %USERPROFILE%\Downloads\ or %TEMP%\
  • Browser process spawning unexpected child process
  • LOLBin chain: mshta, wscript, rundll32 without legitimate parent

Stage 3: Collection
Chokepoint: File system access to browser profile directories + DPAPI decryption privilege
Detection Signals
  • Non-browser process reading Chrome/Firefox SQLite credential stores
  • DPAPI CryptUnprotectData call from unexpected process
  • Bulk file reads under %APPDATA%\*\Chromium\ or %APPDATA%\Mozilla\

Stage 4: Exfiltration
Chokepoint: Outbound network connectivity from infected host
Detection Signals
  • Non-browser process making HTTPS POST with payload >1 MB
  • Outbound connection to Telegram Bot API (api.telegram.org) from non-user process
  • Compressed archive (.zip/.7z) created then immediately sent over network

Stage 5: Monetization
Chokepoint: Harvested credential data has market value; buyer infrastructure exists
Detection Signals
  • VPN/SaaS login from new geo-location with valid credentials (downstream)
  • Session token reuse from unfamiliar IP/device fingerprint
  • Account behavior anomaly after credential exposure window
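Added example, not code from the original page: a small Python checker that encodes the Stage 2 to Stage 4 endpoint signals above as rules and runs them over constructed telemetry events. The process names, paths, the baseline of legitimate LOLBin parents and the assumed set of legitimate api.telegram.org clients are illustrative assumptions to be tuned per environment.

```python
import re

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
LOLBINS = {"mshta.exe", "wscript.exe", "rundll32.exe"}
LEGIT_LOLBIN_PARENTS = {"explorer.exe", "services.exe", "svchost.exe"}  # assumed baseline
USER_CLIENTS = BROWSERS | {"telegram.exe"}  # assumed legitimate api.telegram.org clients
STAGING_DIRS = re.compile(r"\\(downloads|temp)\\", re.I)  # %USERPROFILE%\Downloads, %TEMP%
CRED_STORES = re.compile(r"\\(login data|cookies|web data|logins\.json|key4\.db)$", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check(event):
    """Return [(stage, signal), ...] that a single telemetry event trips."""
    hits = []
    name, pname = basename(event.get("image", "")), basename(event.get("parent", ""))
    if event["type"] == "process":
        if STAGING_DIRS.search(event["image"]):
            hits.append((2, "executable launched from Downloads/Temp"))
        if pname in BROWSERS and name not in BROWSERS:
            hits.append((2, "browser spawned unexpected child"))
        if name in LOLBINS and pname not in LEGIT_LOLBIN_PARENTS:
            hits.append((2, "LOLBin without legitimate parent"))
    elif event["type"] == "file_read":
        if name not in BROWSERS and CRED_STORES.search(event["path"]):
            hits.append((3, "non-browser read of browser credential store"))
    elif event["type"] == "network":
        if name not in BROWSERS and event.get("method") == "POST" and event.get("bytes", 0) > 1_000_000:
            hits.append((4, "non-browser HTTPS POST >1 MB"))
        if event.get("host") == "api.telegram.org" and name not in USER_CLIENTS:
            hits.append((4, "Telegram Bot API from non-user process"))
    return hits

def stages_hit(events):
    """Chain stages observed on one host; {2, 3, 4} means execution, collection and exfil all fired."""
    return {stage for e in events for stage, _ in check(e)}

# Constructed sample telemetry: four events from one infected host, then two benign events.
DL = r"C:\Users\bob\Downloads\Setup_v2.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
LOGIN_DATA = r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"
EVENTS = [
    {"type": "process", "image": DL, "parent": CHROME},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe", "parent": DL},
    {"type": "file_read", "image": DL, "path": LOGIN_DATA},
    {"type": "network", "image": DL, "host": "api.telegram.org", "method": "POST", "bytes": 2_400_000},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "file_read", "image": CHROME, "path": LOGIN_DATA},
]
```

Correlating the stages per host, rather than alerting on each rule alone, is what makes the chokepoint sequence useful: a host that trips stages 2, 3 and 4 in order has demonstrated the whole chain regardless of which family produced it.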

Actor Convergence Matrix (5 actors tracked)

Different tools. Different operators. Same chokepoints. The final entry, The Chokepoint, gives the invariant prerequisite condition your detections must cover at each stage, regardless of which actor you're facing.

RedLine (Disrupted)
  • Distribution: Malvertising / cracked software SEO
  • Execution: User double-clicks fake installer EXE
  • Collection: Chrome/Firefox SQLite + crypto wallets (DPAPI)
  • Exfiltration: HTTPS POST to C2 panel
  • Monetization: IAB dark web marketplace sale

LummaC2 (Active)
  • Distribution: Fake CAPTCHA / ClickFix lure pages
  • Execution: LOLBin chain (mshta, wscript, rundll32)
  • Collection: Browsers + 2FA extensions + crypto wallets (DPAPI)
  • Exfiltration: Encrypted HTTPS POST to rotating C2
  • Monetization: IAB sale + direct RaaS operator supply

Vidar (Active)
  • Distribution: Malvertising / YouTube description links
  • Execution: MSI / NSIS installer execution
  • Collection: Browsers + 2FA tokens + crypto wallets (DPAPI + Telegram token)
  • Exfiltration: HTTP POST + Telegram Bot API C2
  • Monetization: IAB marketplace listing

StealC (Active)
  • Distribution: SEO poisoning / malvertising
  • Execution: User-executed signed-looking binary
  • Collection: Browsers + Discord tokens + Telegram sessions
  • Exfiltration: HTTP POST to admin panel
  • Monetization: IAB sale / direct buyer negotiation

Raccoon (Disrupted, operator arrested)
  • Distribution: Phishing / malvertising
  • Execution: User-executed EXE or MSI
  • Collection: Browsers + email clients + crypto wallets
  • Exfiltration: HTTP POST to C2
  • Monetization: IAB marketplace

The Chokepoint (invariant across all actors)
  • Distribution: Delivery mechanism reaches target user's endpoint
  • Execution: User action triggers payload (no AV block / sandbox)
  • Collection: File system access to browser profile directories + DPAPI decryption privilege
  • Exfiltration: Outbound network connectivity from infected host
  • Monetization: Harvested credential data has market value; buyer infrastructure exists

Research Methodology

Procedure-level data in this attack chain was extracted and corroborated using Kitsune, an AI-driven threat intelligence pipeline. 13 vendor and government reports were analyzed across 5 infostealer families, with cross-report corroboration used to validate convergence patterns. Reports were sourced from ORKL and direct vendor publications including CISA, Trend Micro, Palo Alto Unit 42, Zscaler, Cybereason, Sekoia, and Picus Security. Only techniques observed in two or more families appear in the TTP diagram above. Actor-specific procedures are recorded in the source data but filtered from the convergence view.

  • Ransomware - Often follows infostealer-provided access
  • AiTM / Phishing Kits - Session tokens harvested by infostealers enable AiTM-style account takeover