← All Chokepoints CRITICAL

Infostealer Browser Credential Theft

Credential Access Collection Exfiltration T1555.003 T1539 T1041 Detection difficulty: MEDIUM Prevalence: HIGH

Infostealers systematically harvest credentials, cookies, and autofill data from browser credential databases — the single invariant behavior across all stealer families regardless of obfuscation or bypass technique. Hudson Rock tracks 30+ million infected computers; 1.8 billion credentials were stolen in 2025 alone, with enterprise credentials present in 14% of infections (up from 6% in early 2024). The Snowflake breach (2024) demonstrated downstream impact: UNC5537 used infostealer-harvested credentials for initial access to 160+ organizations. LummaC2 (51% of dark web credential logs before its May 2025 takedown), Stealc, RedLine, Raccoon, Vidar, AMOS, and Medusa all share the invariant: the stealer process must open browser credential files (Login Data, Cookies, logins.json) and invoke CryptUnprotectData() or NSS3 decryption — a kernel-observable event regardless of family or Chrome App-Bound Encryption bypass technique used.

By @iimp0ster · Updated 2026-03-15 · View source YAML

Prerequisites (Environmental)

• ✓ Code execution on victim machine (via ClickFix, malvertising, cracked software, game cheats, SEO poisoning, YouTube malware, or social engineering)
• ✓ Target must use a Chromium-based browser (Chrome, Edge, Brave, Opera, etc.) or Firefox
• ✓ Browser credential database files must be accessible (not locked by exclusive handle — Chrome Login Data is typically not exclusively locked)
• ✓ {"For App-Bound Encryption bypass variants"=>"Chrome must be installed (COM elevation requires GoogleChromeElevationService); OR Chrome must be running (CDP bypass); OR stealer must have code injection capability (memory injection bypass)"}
• ✓ Outbound network access for C2 exfiltration (though some variants stage locally and exfiltrate via separate channel)

Variations

Tools and methods that exploit this chokepoint — the list grows; the chokepoint doesn't change:

LummaC2 Disrupted (May 2025) / Active (rebrand expected)

2022-Q4

The dominant infostealer MaaS of 2024-2025, representing 51% of all dark web credential logs at peak. Delivered primarily via ClickFix (517% surge in 2025 ClickFix attacks) and malvertising. Targets 50+ Chromium-based browsers, Firefox profiles, cryptocurrency wallets, and 2FA applications. Despite law enforcement disruption, successor variants and rebrands are anticipated based on historical patterns (Raccoon v1 → v2, RedLine → successors, etc.).

Source →

Stealc Active

2023-Q1

Emerged January 2023; lightweight MaaS stealer with modular plugin architecture. Targets Chromium browsers, Firefox, cryptocurrency wallets, and messaging apps (Discord, Telegram). Marketed on dark web forums as a "lightweight" alternative with per-target module loading to reduce detection footprint. Active through 2025-2026 across commodity and targeted campaigns.

RedLine Disrupted (Oct 2024) / Variants Active

2020-Q1

One of the longest-running stealer families; dominated the market from 2020-2024. Targets all Chromium browsers and Firefox; also harvests VPN credentials, FTP clients, cryptocurrency wallets, and system information. Despite takedown, RedLine-derived code and techniques persist in successor families.

Source →

Raccoon v2 Active

2022-Q3

Raccoon Stealer v1 shut down March 2022 when lead developer was arrested; v2 relaunched June 2022 with rewritten C++ codebase. Targets 60+ browsers including all major Chromium variants and Firefox. Employs DPAPI-based decryption for Chromium credentials. Continuously updated with new browser support and evasion techniques through 2025.

Vidar 2.0 Active

2025-Q4

Complete rewrite of original Vidar stealer (2018) released October 2025 as pure C implementation. Introduced memory injection technique to bypass Chrome App-Bound Encryption by injecting into the chrome.exe process itself and calling decryption APIs from within the trusted process context. Represents the most technically sophisticated App-Bound bypass approach documented to date.

AMOS (Atomic macOS Stealer) Active

2023-Q2

macOS-targeting infostealer marketed on Telegram for ~$1,000/month. Targets Safari Keychain, all Chromium browsers, Firefox, MetaMask, cryptocurrency wallets, and system information. Uses osascript to prompt for administrator password, bypassing macOS protections. Demonstrates that the browser credential database chokepoint applies cross-platform — macOS browsers use platform-native keychain APIs but the file access pattern is identical.

EDDIESTEALER Active

2025-Q2

Identified May 2025; notable for Chrome App-Bound Encryption bypass via Chrome DevTools Protocol (CDP) — connects to a running Chrome instance in debug mode to extract cookies without needing to decrypt the database directly. Represents the third major App-Bound bypass approach (alongside COM elevation and memory injection).

Medusa Stealer Active

2024-Q1

Supports credential harvesting from 100+ browsers — the broadest browser coverage of any tracked stealer family. Targets all Chromium and Gecko-based browsers, Electron apps storing credentials, and password managers. MaaS subscription model on dark web forums. Demonstrates that comprehensive browser coverage is a competitive differentiator in the stealer market.

Chrome App-Bound Encryption Bypass (COM Elevation) Active

2024-Q3

First documented bypass of Chrome App-Bound Encryption (introduced July 30, 2024), achieved within 45 days (September 12, 2024). Technique: elevate via GoogleChromeElevationService COM interface to call decryption in a trusted context. Multiple families rapidly adopted this approach; Google patched but new bypasses emerged within weeks, demonstrating the cat-and-mouse pattern in App-Bound Encryption defense.

Source →

North Korean APT Infostealer Operations Active

2024-Q1

North Korean threat actors (LAZARUS GROUP / HIDDEN COBRA) incorporated infostealer deployment into their tradecraft for financial operations. Connected to the February 2025 ByBit cryptocurrency exchange heist ($1.4B — the largest cryptocurrency theft in history). Hudson Rock 2026 trend report highlights the "infostealer-to-APT pipeline" where stealer credentials enable nation-state initial access without traditional spearphishing. Demonstrates infostealers as strategic intelligence-gathering tools, not just commodity theft.

Contagious Interview (OtterCookie / North Korean Fake Job Interview Stealer) Active

2024-Q3

North Korean actors deliver OtterCookie JavaScript backdoor via fake developer job interviews, using malicious NPM packages or VS Code task configurations to achieve code execution and steal crypto keys and credentials. Evolved with heavy obfuscation since October 2025.

Storm-2561 Fake VPN Client Stealer Active

2025-Q2

Storm-2561 uses SEO poisoning to lure users searching for enterprise VPN software (Pulse Secure, Fortinet, Ivanti, Cisco) to spoofed download sites redirecting to GitHub-hosted ZIP files containing MSI installers. The trojanized installer side-loads malicious DLLs signed by 'Taiyuan Lihua Near Information Technology Co., Ltd.' to harvest VPN credentials and browser credentials, then exfiltrates them. By 2026-Q1 the campaign expanded targeting to additional enterprise VPN clients, shifting lures toward corporate users rather than consumer software seekers.

Detection Strategy

Build detections iteratively. Start broad to understand your baseline, then tighten to production-ready.

Goal: Log all non-browser process access to browser credential database files

Log Sources

• Sysmon Event ID 10 (Process Access)
• Sysmon Event ID 11 (File Created / File Access)
• Windows Security Event ID 4663 (File Access — requires Object Access auditing)
• EDR file open telemetry (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint)

FP Rate: Medium (password managers, backup tools, some AV products)

Use Case: Baseline legitimate access patterns; identify which processes routinely touch browser databases; validate EDR file access telemetry completeness

Detection Logic

File Access (EID 4663 or Sysmon EID 10/11):
  TargetObject / TargetFilename:
    contains: \Google\Chrome\User Data\Default\Login Data
    OR contains: \Google\Chrome\User Data\Default\Cookies
    OR contains: \Google\Chrome\User Data\Local State
    OR contains: \Mozilla\Firefox\Profiles\
    OR contains: \Microsoft\Edge\User Data\Default\Login Data
    OR contains: \BraveSoftware\Brave-Browser\User Data\Default\Login Data
  AccessingProcess: NOT (chrome.exe OR msedge.exe OR brave.exe OR firefox.exe OR
                         opera.exe OR vivaldi.exe OR browser update processes)
Purpose: Build baseline of ALL non-browser processes accessing browser credential files; identify environments where this occurs legitimately (password managers, backup tools) vs. anomalous access.

Sigma Rule — Research Level

View on GitHub Download

title: Infostealer — Non-Browser Process Access to Browser Credential Database (Research Baseline)
id: 632a951f-4e57-4c9f-b1dc-32641904d61f
status: experimental
description: >
  Broad visibility rule capturing all file access events where a non-browser process
  opens a browser credential database file (Chrome Login Data, Cookies, Local State;
  Firefox logins.json or key4.db; Edge/Brave/Opera equivalents). This is the invariant
  behavior across every major infostealer family — LummaC2, RedLine, Raccoon v2, Vidar,
  Stealc, AMOS, Medusa, and EDDIESTEALER — regardless of obfuscation, packer, or
  Chrome App-Bound Encryption bypass technique. The browser process writes these files;
  only the browser, known password managers, and backup agents should legitimately read
  them. Any other process accessing these paths is anomalous by design.
  High false positive rate expected; purpose is environmental baselining to identify
  legitimate third-party access (password managers, backup tools, AV on-access scan)
  before tuning toward the hunt and analyst tiers.
references:
  - https://attack.mitre.org/techniques/T1555/003/
  - https://attack.mitre.org/techniques/T1539/
  - https://www.infostealers.com/article/2026-infostealer-trends-im-monitoring-at-hudson-rock/
  - https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion/
  - https://blog.sekoia.io/lummac2-stealer-an-in-depth-analysis/
author: "@iimp0ster"
date: 2026/03/08
tags:
  - attack.credential_access
  - attack.t1555.003
  - attack.collection
  - attack.t1005
  - detection.maturity.research
logsource:
  category: file_event
  product: windows
detection:
  selection_browser_credential_paths:
    TargetFilename|contains:
      # Chrome credential databases
      - '\Google\Chrome\User Data\Default\Login Data'
      - '\Google\Chrome\User Data\Default\Cookies'
      - '\Google\Chrome\User Data\Local State'
      # Edge credential databases
      - '\Microsoft\Edge\User Data\Default\Login Data'
      - '\Microsoft\Edge\User Data\Default\Cookies'
      - '\Microsoft\Edge\User Data\Local State'
      # Brave credential databases
      - '\BraveSoftware\Brave-Browser\User Data\Default\Login Data'
      - '\BraveSoftware\Brave-Browser\User Data\Default\Cookies'
      # Firefox credential databases
      - '\Mozilla\Firefox\Profiles\'
      # Opera credential databases
      - '\Opera Software\Opera Stable\Login Data'
      - '\Opera Software\Opera Stable\Cookies'
      # Chromium (generic)
      - '\Chromium\User Data\Default\Login Data'
  filter_legitimate_browsers:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\brave.exe'
      - '\firefox.exe'
      - '\opera.exe'
      - '\vivaldi.exe'
      - '\chromium.exe'
      - '\iexplore.exe'
      # Browser update/crash handler processes
      - '\chrome_crashpad_handler.exe'
      - '\crashpad_handler.exe'
      - '\elevation_service.exe'
      - '\GoogleUpdate.exe'
      - '\MicrosoftEdgeUpdate.exe'
  filter_system_paths:
    Image|startswith:
      - 'C:\Windows\System32\'
      - 'C:\Windows\SysWOW64\'
      - 'C:\Program Files\Windows Defender\'
  condition: selection_browser_credential_paths and not (filter_legitimate_browsers or filter_system_paths)
falsepositives:
  - Password managers (1Password, Bitwarden, Dashlane, KeePass, LastPass) accessing browser databases for import/sync
  - Backup software (Veeam, Acronis, Windows Backup) performing file-level backup of AppData
  - Antivirus on-access scanning of AppData files
  - Browser sync utilities and profile migration tools
  - IT asset management tools inventorying installed software and profiles
  - Privacy cleaners (CCleaner, BleachBit) clearing browser history/cookies
level: informational

Goal: Non-browser process reads browser credential database AND makes a DPAPI call

Log Sources

• Sysmon Event ID 10 (Process Access to browser files)
• Windows Security Event ID 4663 (File Access)
• Sysmon Event ID 8 (CreateRemoteThread — for injection variants)
• Windows API monitoring: CryptUnprotectData calls from non-browser processes
• EDR behavioral telemetry

FP Rate: Low-Medium

Use Case: Active threat hunting for infostealer activity; correlates file access with decryption API call to distinguish intentional credential harvesting from incidental file access by legitimate tools

Detection Logic

File Access to browser credential path:
  AccessingProcess: NOT browser / NOT known password manager / NOT backup tool
WITHIN 60 seconds:
  API Call: CryptUnprotectData() OR NCryptUnprotectSecret()
  CallingProcess: same non-browser process
OR:
  Process Access (EID 10):
    TargetProcess: chrome.exe OR msedge.exe
    SourceProcess: NOT known trusted process
    AccessRights: includes PROCESS_VM_READ (0x0010)
    (injection-based App-Bound bypass signal)

Sigma Rule — Hunt Level

View on GitHub Download

title: Infostealer — Non-Browser Process Accesses Browser Credential DB from Suspicious Parent or Path
id: 790a46d5-2643-4afe-9718-18742e7eecd7
status: experimental
description: >
  Detects a non-browser process accessing browser credential database files (Chrome Login Data,
  Cookies, Local State; Firefox logins.json or key4.db) where the accessing process originates
  from a suspicious execution context — specifically: spawned by a script interpreter
  (PowerShell, wscript, cscript, mshta), executing from a writable user-controlled path
  (TEMP, Downloads, AppData\Roaming), or loaded as an unsigned binary. This intermediate
  tier narrows the broad research baseline by requiring a suspicious parent or process
  origin, dramatically reducing false positives from legitimate password managers while
  retaining coverage across all major infostealer families.
  ClickFix delivery (517% surge in 2025) spawns PowerShell or mshta.exe which executes
  the infostealer — this rule captures that delivery context combined with the invariant
  credential file access. The Chrome DevTools Protocol bypass (EDDIESTEALER) appears as
  Chrome spawned with --remote-debugging-port by an unexpected parent process.
  Also detects nss3.dll (Firefox NSS3 decryption library) loaded by any non-Mozilla
  process — the Firefox equivalent of DPAPI credential decryption.
references:
  - https://attack.mitre.org/techniques/T1555/003/
  - https://attack.mitre.org/techniques/T1539/
  - https://attack.mitre.org/techniques/T1059.001/
  - https://www.infostealers.com/article/2026-infostealer-trends-im-monitoring-at-hudson-rock/
  - https://blog.sekoia.io/lummac2-stealer-an-in-depth-analysis/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
  - https://security.googleblog.com/2024/09/improving-security-of-chrome-cookies.html
author: "@iimp0ster"
date: 2026/03/08
tags:
  - attack.credential_access
  - attack.t1555.003
  - attack.t1539
  - attack.execution
  - attack.t1059.001
  - detection.maturity.hunt
logsource:
  category: file_event
  product: windows
detection:
  # Selection A: Browser credential DB access by process with suspicious parent (ClickFix chain)
  selection_credential_path:
    TargetFilename|contains:
      - '\Google\Chrome\User Data\Default\Login Data'
      - '\Google\Chrome\User Data\Default\Cookies'
      - '\Google\Chrome\User Data\Local State'
      - '\Microsoft\Edge\User Data\Default\Login Data'
      - '\Microsoft\Edge\User Data\Default\Cookies'
      - '\BraveSoftware\Brave-Browser\User Data\Default\Login Data'
      - '\Mozilla\Firefox\Profiles\'
      - '\Opera Software\Opera Stable\Login Data'

  selection_suspicious_parent:
    ParentImage|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\wmic.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\cmd.exe'
      - '\curl.exe'
      - '\certutil.exe'

  selection_suspicious_path:
    Image|contains:
      - '\AppData\Local\Temp\'
      - '\AppData\Roaming\'
      - '\Downloads\'
      - '\Desktop\'
      - '\Public\'
      - '\ProgramData\'
    Image|endswith:
      - '.exe'

  filter_legitimate_browsers:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\brave.exe'
      - '\firefox.exe'
      - '\opera.exe'
      - '\vivaldi.exe'
      - '\chromium.exe'
      - '\GoogleUpdate.exe'
      - '\MicrosoftEdgeUpdate.exe'
      - '\elevation_service.exe'

  # Selection B: Chrome spawned with debug port by non-Chrome parent (CDP bypass — EDDIESTEALER)
  selection_cdp_bypass:
    Image|endswith: '\chrome.exe'
    CommandLine|contains: '--remote-debugging-port'
    ParentImage|endswith:
      - '.exe'
    ParentImage|not|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\explorer.exe'
      - '\svchost.exe'

  # Selection C: nss3.dll loaded by non-Mozilla process (Firefox credential decryption)
  selection_nss3_non_firefox:
    ImageLoaded|endswith: '\nss3.dll'
    Image|endswith:
      - '.exe'
    Image|not|endswith:
      - '\firefox.exe'
      - '\thunderbird.exe'
      - '\seamonkey.exe'
      - '\waterfox.exe'
      - '\librewolf.exe'
      - '\palemoon.exe'

  condition: >
    (selection_credential_path and (selection_suspicious_parent or selection_suspicious_path)
    and not filter_legitimate_browsers)
    or selection_cdp_bypass
    or selection_nss3_non_firefox
falsepositives:
  - Password managers installed in non-standard paths (unlikely for enterprise software)
  - Developer tools or automation scripts legitimately testing browser automation
  - EDR products loading nss3.dll for Firefox credential inspection during on-access scan
  - Browser migration or import tools spawned from cmd.exe by IT staff
  - Software deployment scripts (SCCM/Intune) triggering browser profile operations during setup
level: medium

Goal: Non-browser process accesses browser credential database AND makes outbound network connection — complete infostealer execution chain with C2 exfiltration signal

Log Sources

• Sysmon Event ID 10 / 11 (File Access)
• Sysmon Event ID 3 (Network Connection)
• Windows Security Event ID 4663 + 5156 (File Access + Windows Filtering Platform)
• EDR network telemetry
• DNS logs (for C2 domain resolution)

FP Rate: Low

Use Case: SOC alerting; immediate IR escalation; the file-access + outbound-network correlation represents the full "harvest and exfiltrate" chain

Detection Logic

File Access (EID 4663 or Sysmon EID 10/11):
  TargetPath: browser credential database (Login Data OR Cookies OR logins.json OR key4.db)
  AccessingProcess: NOT (browser process OR known password manager)
AND within 300 seconds:
  Network Connection (Sysmon EID 3):
    SourceProcess: same non-browser process
    DestinationIP: NOT RFC1918 (not internal)
    DestinationPort: 80 OR 443 OR 8080 OR unusual port
STANDALONE HIGH-CONFIDENCE SIGNAL:
  Process accesses Login Data AND Local State in same session
  (Local State contains App-Bound Encryption key material;
  combined access is a strong infostealer indicator)

Sigma Rule — Analyst Level

View on GitHub Download

title: Infostealer — Combined Login Data and Local State Access by Non-Browser Process (High Confidence)
id: b8e1369a-dcdd-413a-84a0-b7a953b8ff09
status: experimental
description: >
  High-fidelity detection for the complete Chromium infostealer credential harvest chain:
  a non-browser process accesses BOTH Chrome Login Data (encrypted credential SQLite DB)
  AND Local State (contains the App-Bound Encryption master key) within a single session.
  This combined access pattern is a near-definitive infostealer indicator because:
  (1) Login Data alone can be accessed by backup tools and AV scanners;
  (2) Local State alone is accessed by the browser itself for configuration;
  (3) combined access to BOTH by the same non-browser process has no legitimate use case
      outside infostealer credential decryption.
  This pattern is consistent across all Chromium-targeting stealer families — LummaC2,
  RedLine, Raccoon v2, Stealc, Vidar 2.0, Medusa, EDDIESTEALER — and across all three
  Chrome App-Bound Encryption bypass techniques (COM elevation, Chrome DevTools Protocol,
  and in-process memory injection). The file paths are dictated by the browser and cannot
  be changed by the attacker.
  A secondary high-confidence variant detects GoogleChromeElevationService being accessed
  via COM by a non-updater process — the first App-Bound Encryption bypass documented
  September 12, 2024, 45 days after Google's encryption was introduced.
  Treat every firing of this rule as a Tier 1 incident pending immediate triage.
references:
  - https://attack.mitre.org/techniques/T1555/003/
  - https://attack.mitre.org/techniques/T1539/
  - https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html
  - https://security.googleblog.com/2024/09/improving-security-of-chrome-cookies.html
  - https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
  - https://blog.sekoia.io/lummac2-stealer-an-in-depth-analysis/
author: "@iimp0ster"
date: 2026/03/08
tags:
  - attack.credential_access
  - attack.t1555.003
  - attack.t1539
  - attack.collection
  - attack.t1005
  - detection.maturity.analyst
logsource:
  category: file_event
  product: windows
detection:
  # NOTE: This rule requires temporal correlation across two file events from the same process.
  # In Sigma, this is expressed as a grouped detection requiring both TargetFilename patterns
  # to appear from the same Image within a session window. SIEM-specific correlation is
  # required for full implementation — see the KQL and SPL queries in the analyst notes below.
  # The single-event approximation (either Login Data OR Local State by non-browser) is
  # captured as selection_combined for platforms that can apply process-grouped detection.

  # Selection A: Access to Login Data (encrypted credential SQLite database)
  selection_login_data:
    TargetFilename|contains:
      - '\Google\Chrome\User Data\Default\Login Data'
      - '\Microsoft\Edge\User Data\Default\Login Data'
      - '\BraveSoftware\Brave-Browser\User Data\Default\Login Data'
      - '\Opera Software\Opera Stable\Login Data'
      - '\Chromium\User Data\Default\Login Data'

  # Selection B: Access to Local State (App-Bound Encryption master key file)
  selection_local_state:
    TargetFilename|contains:
      - '\Google\Chrome\User Data\Local State'
      - '\Microsoft\Edge\User Data\Local State'
      - '\BraveSoftware\Brave-Browser\User Data\Local State'

  # Selection C: COM access to GoogleChromeElevationService by non-updater process
  # (App-Bound Encryption bypass via IElevator::DecryptData — Sept 2024 bypass)
  selection_abe_com_bypass:
    EventID: 4688  # Process creation as COM host
    CommandLine|contains:
      - 'GoogleChromeElevationService'
    CommandLine|not|contains:
      - 'GoogleUpdate'
      - 'update'
      - 'install'

  # Selection D: Cross-process memory access to chrome.exe (memory injection bypass — Vidar 2.0)
  selection_chrome_injection:
    EventID: 10  # Sysmon ProcessAccess
    TargetImage|endswith: '\chrome.exe'
    GrantedAccess|contains:
      - '0x1010'   # PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
      - '0x1438'   # PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION
      - '0x143a'
    SourceImage|not|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\MsMpEng.exe'
      - '\SentinelAgent.exe'
      - '\CSFalconService.exe'

  filter_legitimate_browsers:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\brave.exe'
      - '\firefox.exe'
      - '\opera.exe'
      - '\vivaldi.exe'
      - '\chromium.exe'
      - '\GoogleUpdate.exe'
      - '\MicrosoftEdgeUpdate.exe'
      - '\elevation_service.exe'

  filter_system_processes:
    Image|startswith:
      - 'C:\Windows\System32\'
      - 'C:\Windows\SysWOW64\'
      - 'C:\Program Files\Windows Defender\'

  condition: >
    (selection_login_data and not (filter_legitimate_browsers or filter_system_processes))
    or (selection_local_state and not (filter_legitimate_browsers or filter_system_processes))
    or selection_abe_com_bypass
    or selection_chrome_injection
falsepositives:
  - Enterprise password manager products (1Password, Bitwarden for Teams) — these should
    appear in the research baseline allowlist before this rule is deployed
  - Endpoint backup solutions performing AppData backup (Veeam, Acronis) — exclude by
    known backup agent path
  - EDR products performing behavioral analysis on browser credential files — verify by
    confirming the accessing process is signed by the EDR vendor and running from Program Files
  - Chrome's own elevation service (elevation_service.exe) accessing Local State — filtered
    above; if filtering fails, verify Image path is Google's installation directory
level: high

Early Detection Layers

Detect before the user pastes or executes — earlier in the kill chain than the Sysmon-based rules above, using different data sources.

Evolution Timeline (10 events — click to expand)

Techniques and tooling evolve; the underlying detection chokepoint does not.

2026-Q1

Storm-2561 fake VPN client credential theft campaign identified

Change: Shifts SEO poisoning lure from consumer software to enterprise VPN clients (Pulse Secure, Fortinet, Ivanti, Cisco), targeting corporate credentials. Uses GitHub releases for payload hosting, MSI installer with DLL side-loading, and a legitimate (now-revoked) code-signing certificate. Trojanized binaries masquerade as legitimate VPN installers to harvest VPN credentials in addition to standard browser credentials.

Detection impact: Existing browser credential theft detections still apply for the credential harvesting phase. Signed MSI delivery via GitHub may evade download reputation checks; enterprise VPN-themed lures may bypass rules tuned for consumer cracked-software delivery. Monitor for unsigned or anomalous VPN client binaries and unexpected credential access after VPN installer execution.

2026-Q1

OtterCookie obfuscated variant and VS Code task abuse observed by Microsoft Defender Experts

Change: Shifted from direct NPM package execution to abusing VS Code workspace trust and task.json auto-execution; added heavy string obfuscation with encoded index lookups and shuffled arrays to evade static analysis and signature detection

Detection impact: Signature-based detections for earlier OtterCookie variants are ineffective against obfuscated version; VS Code task execution is a new execution vector that may bypass traditional script-monitoring rules

2025-Q2

LummaC2 disrupted (May 2025); 1.8 billion credentials stolen in 2025

Change: FBI/Europol joint operation disrupts LummaC2 infrastructure; domains seized, C2 servers taken offline. 1.7 million unique LummaC2 logs were already in circulation. Market immediately begins reconstituting — historical precedent (Raccoon v1 → v2, RedLine → successors) indicates 60-90 day reconstitution timeline.

Detection impact: No change to core detection pattern.

2025-Q1

ByBit heist ($1.4B) — North Korean APT uses infostealer-to-APT pipeline

Change: February 2025: Lazarus Group / TraderTraitor executes $1.4B ByBit cryptocurrency heist using credentials harvested via infostealers from contractor/employee machines. Demonstrates the "infostealer-to-APT pipeline" — commodity stealer infections enabling nation-state operations. Hudson Rock (February 2026) identifies this as a primary 2026 trend: sophisticated APTs systematically purchasing or harvesting infostealer logs.

Detection impact: Motivates enterprise adoption of continuous dark web credential monitoring. Infostealer detection elevated from IT security to executive risk concern. "Victim-to-vector loop" identified: infected computers of IT administrators or employees with access to security tools create cascading compromise potential.

2024-Q4

RedLine and Raccoon disrupted (Operation Magnus); LummaC2 reaches 51% market share

Change: October 2024: Europol Operation Magnus disrupts RedLine and META Stealer infrastructure; arrests in multiple countries. Raccoon Stealer administrator pleads guilty. Market consolidates around LummaC2 and Stealc. Enterprise credential presence in infostealers reaches 14% of infections (up from 6% in early 2024) — demonstrating shift toward higher-value targeting.

Detection impact: Law enforcement disruption has limited sustained impact — new variants emerge within weeks of each takedown. File-based and hash-based IOC sharing becomes less effective as market fragments. Behavioral detection of the invariant (file access + DPAPI call) remains the only durable detection approach.

2024-Q3

Chrome App-Bound Encryption (July 30) — bypassed in 45 days (Sept 12)

Change: Google introduces App-Bound Encryption in Chrome 127 (July 30, 2024) — encrypts cookie/credential database with a key tied to the Chrome application identity, preventing decryption by other processes using standard DPAPI. Multiple stealers immediately begin research. First bypass via COM elevation to GoogleChromeElevationService documented September 12, 2024. CDP-based bypass (EDDIESTEALER) and memory injection (Vidar 2.0) follow within months.

Detection impact: App-Bound Encryption forces stealers to generate new observable behaviors: COM elevation calls to GoogleChromeElevationService, Chrome debug mode activation, or injection into chrome.exe — all of which create additional detection opportunities. DPAPI call still occurs in all bypass variants; the invariant is preserved.

2024-Q2

Snowflake breach — infostealer credentials enable access to 160+ organizations

Change: UNC5537 uses credentials harvested by VIDAR, RISEPRO, REDLINE, RACCOON, LUMMA, and METASTEALER from contractor machines to access Snowflake cloud environments. No MFA, no network allowlisting — credentials alone were sufficient. Victims include Ticketmaster (560M records), AT&T (109M call records), Advance Auto Parts, LendingTree, and 155+ others. Demonstrates infostealers as an enterprise security problem, not just consumer credential theft.

Detection impact: Enterprise focus on "impossible travel" detection for cloud console access. Credential monitoring services gain enterprise adoption. MFA enforcement becomes urgent response; behavioral anomaly detection for cloud access gains priority.

2022-2023

Raccoon v2 and Stealc launch; LummaC2 enters the market

Change: Raccoon v2 (June 2022) demonstrates rapid reconstitution after law enforcement action. Stealc (January 2023) introduces modular architecture. LummaC2 begins rapid market share growth. Multi-stage loaders (GuLoader, PrivateLoader) become the primary delivery mechanism, complicating attribution. macOS infostealers emerge with AMOS (April 2023), extending the threat to non-Windows environments.

Detection impact: Loader-based delivery complicates process lineage detection (parent may be legitimate software). Cross-platform detection required as macOS stealers adopt same file-access patterns. Process injection techniques begin emerging to complicate parent-child attribution.

2020-2022

RedLine dominates; stealer market fragments into dozens of MaaS offerings

Change: RedLine Stealer launches January 2020 and rapidly dominates with low price point ($100-200/month) and comprehensive browser coverage. Market fragments: Vidar, Raccoon, Mars, META, Typhon, and 20+ competitors emerge. NSA/CISA begin tracking infostealers as a distinct threat category. Enterprise credential theft accelerates; breach brokers emerge as a distinct role in the cybercrime economy.

Detection impact: File hash-based detection fails as variants proliferate weekly. Behavioral detection of non-browser processes opening browser credential files gains adoption in EDR platforms. DPAPI call monitoring (CryptUnprotectData) emerges as a secondary signal.

2018-2020

Vidar, AZORult, and Raccoon v1 establish the modern infostealer template

Change: Stealer-as-a-Service model emerges; credential harvesting from browser SQLite databases (Chrome Login Data, Firefox logins.json) becomes standardized. DPAPI decryption via CryptUnprotectData() is the universal Chromium decryption method. Browser-stored credential theft becomes a commodity capability available to non-technical attackers.

Detection impact: File access monitoring for browser credential databases (Login Data, Cookies) becomes possible but generates high volume from legitimate browser activity. Process-based filtering (non-browser processes accessing browser files) emerges as the primary signal.

Raw Log Samples (5 samples — click to expand)

Real-world log events produced by this technique and which sigma rules they trigger.

Sysmon EID 10

Research Hunt Analyst

Non-browser process opens a handle to the Chrome Login Data credential store

EventID: 10 (ProcessAccess)
UtcTime: 2024-09-14 03:17:42.381
SourceProcessGUID: {a1b2c3d4-1234-5678-abcd-ef0123456789}
SourceProcessId: 4832
SourceImage: C:\Users\jsmith\AppData\Local\Temp\ChromeUpdate.exe
TargetProcessGUID: {00000000-0000-0000-0000-000000000000}
TargetProcessId: 0
TargetImage: C:\Users\jsmith\AppData\Local\Google\Chrome\User Data\Default\Login Data
GrantedAccess: 0x1
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+...

Windows Event Log EID 4663

Research Analyst

Audit file access — non-browser process reads the Login Data credential database

EventID: 4663 (An attempt was made to access an object)
TimeCreated: 2024-09-14T03:17:42.5183920Z
Channel: Security

SubjectUserSid: S-1-5-21-3623811015-3361044348-30300820-1013
SubjectUserName: jsmith
SubjectDomainName: CORP
SubjectLogonId: 0x7169cb

ObjectServer: Security
ObjectType: File
ObjectName: C:\Users\jsmith\AppData\Local\Google\Chrome\User Data\Default\Login Data
HandleId: 0x1d4

ProcessId: 0x12e0
ProcessName: C:\Users\jsmith\AppData\Local\Temp\ChromeUpdate.exe

AccessList: %%4416 (ReadData / ListDirectory)
AccessMask: 0x1

Sysmon EID 11

Research Analyst

Stealer copies Login Data to TEMP directory to avoid Chrome file lock

EventID: 11 (FileCreate)
UtcTime: 2024-09-14 03:17:42.612
ProcessGuid: {a1b2c3d4-1234-5678-abcd-ef0123456789}
ProcessId: 4832
Image: C:\Users\jsmith\AppData\Local\Temp\ChromeUpdate.exe
TargetFilename: C:\Users\jsmith\AppData\Local\Temp\~tmp_creds_8a3f.db
CreationUtcTime: 2024-09-14 03:17:42.612

Sysmon EID 8

Hunt

CryptUnprotectData API call observed via Sysmon API monitoring — DPAPI decryption of harvested credentials

EventID: 8 (CreateRemoteThread) — or via API monitoring:
UtcTime: 2024-09-14 03:17:43.108
ProcessGuid: {a1b2c3d4-1234-5678-abcd-ef0123456789}
ProcessId: 4832
Image: C:\Users\jsmith\AppData\Local\Temp\ChromeUpdate.exe
API: CryptUnprotectData
Module: C:\Windows\System32\crypt32.dll
# Note: CryptUnprotectData is called seconds after Login Data file access.
# Temporal correlation (EID 10 + CryptUnprotectData within 60s) is the Hunt rule signal.

Sysmon EID 3

Analyst

Outbound C2 exfiltration connection immediately following credential decryption

EventID: 3 (NetworkConnect)
UtcTime: 2024-09-14 03:17:44.883
ProcessGuid: {a1b2c3d4-1234-5678-abcd-ef0123456789}
ProcessId: 4832
Image: C:\Users\jsmith\AppData\Local\Temp\ChromeUpdate.exe
User: CORP\jsmith
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 10.10.1.45
SourceHostname: CORP-WS-042
SourcePort: 51342
DestinationIsIpv6: false
DestinationIp: 185.220.101.47
DestinationHostname: -
DestinationPort: 443
# Non-browser process making HTTPS connection within seconds of credential DB access
# is the Analyst rule's final signal — high confidence, low FP.

Emulation Script (click to expand)

⚠ Lab use only. Run in an isolated lab VM only. Creates temporary files and outbound network activity.

powershell ATT&CK: T1555.003 Simulates infostealer browser credential access patterns for detection validation

POWERSHELL

View on GitHub Download

#Requires -Version 5.1
# MITRE ATT&CK: T1555.003 — Credentials from Web Browsers
# Simulates non-browser process access to Chrome Login Data, DPAPI decryption call, and outbound connection.

[CmdletBinding()]
param(
    [switch]$SkipNetwork,
    [switch]$CleanupOnly
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$ChromeLoginDataPath = Join-Path $env:LOCALAPPDATA `
    'Google\Chrome\User Data\Default\Login Data'
$TempCopy   = Join-Path $env:TEMP "~cred_emu_$(Get-Random).db"
$C2Endpoint = 'https://example.com'   # benign destination — change to your lab listener

function Write-Step ([string]$Message) {
    Write-Host "[*] $Message" -ForegroundColor Cyan
}
function Write-Ok ([string]$Message) {
    Write-Host "[+] $Message" -ForegroundColor Green
}
function Write-Warn ([string]$Message) {
    Write-Host "[!] $Message" -ForegroundColor Yellow
}

function Remove-Artefacts {
    if (Test-Path $TempCopy) {
        Remove-Item -Path $TempCopy -Force -ErrorAction SilentlyContinue
        Write-Ok "Removed temp file: $TempCopy"
    }
}

if ($CleanupOnly) {
    Remove-Artefacts
    exit 0
}

Write-Host ""
Write-Host "=== Browser Credential Theft Emulation ===" -ForegroundColor Magenta
Write-Host "    T1555.003 | Detection Chokepoints Project" -ForegroundColor DarkGray
Write-Host ""

if (-not (Test-Path $ChromeLoginDataPath)) {
    Write-Warn "Chrome Login Data not found at: $ChromeLoginDataPath"
    Write-Warn "Chrome must be installed and have been launched at least once."
    Write-Warn "Falling back to synthetic file for file-access telemetry only."
    $ChromeLoginDataPath = $null
}

Write-Step "Step 1/3 — Opening browser credential store (file access telemetry)"
Write-Verbose "  Target: $ChromeLoginDataPath"

if ($ChromeLoginDataPath) {
    try {
        # Open the file read-only to trigger file-access audit events.
        # Chrome locks Login Data while running; we copy first (also an Analyst indicator).
        $fs = [System.IO.File]::Open(
            $ChromeLoginDataPath,
            [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read,
            [System.IO.FileShare]::ReadWrite
        )
        $buf = New-Object byte[] 4
        [void]$fs.Read($buf, 0, 4)   # read SQLite magic bytes only — no credential parsing
        $fs.Close()
        Write-Ok "File access completed (read 4 bytes — SQLite header only, no credentials parsed)"
    }
    catch [System.IO.IOException] {
        # Chrome is running and has an exclusive lock — copy approach instead
        Write-Warn "Chrome is running (file locked). Using file copy to trigger EID 11."
        Copy-Item -Path $ChromeLoginDataPath -Destination $TempCopy -ErrorAction SilentlyContinue
        Write-Ok "Copied Login Data to: $TempCopy"
    }
} else {
    # Synthetic fallback: create a dummy file in TEMP to generate EID 11
    [System.IO.File]::WriteAllText($TempCopy, "SQLite format 3`0")
    Write-Ok "Created synthetic credential file at: $TempCopy"
}

Start-Sleep -Milliseconds 500

Write-Step "Step 2/3 — Calling CryptUnprotectData (DPAPI decryption telemetry)"

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public class Dpapi {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct DATA_BLOB {
        public int cbData;
        public IntPtr pbData;
    }

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    public static extern bool CryptUnprotectData(
        ref DATA_BLOB pDataIn,
        StringBuilder szDataDescr,
        IntPtr pOptionalEntropy,
        IntPtr pvReserved,
        IntPtr pPromptStruct,
        int dwFlags,
        ref DATA_BLOB pDataOut);

    public static bool TestDpapi() {
        // Encrypt a benign string, then decrypt — exercises the CryptUnprotectData API path
        byte[] plain = Encoding.UTF8.GetBytes("detection-chokepoints-emulation-test");
        byte[] encrypted = System.Security.Cryptography.ProtectedData.Protect(
            plain, null, System.Security.Cryptography.DataProtectionScope.CurrentUser);

        DATA_BLOB inBlob  = new DATA_BLOB();
        DATA_BLOB outBlob = new DATA_BLOB();
        inBlob.cbData = encrypted.Length;
        inBlob.pbData = Marshal.AllocHGlobal(encrypted.Length);
        Marshal.Copy(encrypted, 0, inBlob.pbData, encrypted.Length);

        bool result = CryptUnprotectData(ref inBlob, null, IntPtr.Zero,
                                          IntPtr.Zero, IntPtr.Zero, 0, ref outBlob);
        Marshal.FreeHGlobal(inBlob.pbData);
        if (result) Marshal.FreeHGlobal(outBlob.pbData);
        return result;
    }
}
'@ -ReferencedAssemblies 'System.Security'

try {
    $result = [Dpapi]::TestDpapi()
    if ($result) {
        Write-Ok "CryptUnprotectData called successfully (benign test data decrypted)"
    } else {
        Write-Warn "CryptUnprotectData returned false — API monitoring telemetry may still fire"
    }
} catch {
    Write-Warn "DPAPI call skipped: $_"
}

Start-Sleep -Milliseconds 500

if (-not $SkipNetwork) {
    Write-Step "Step 3/3 — Making outbound connection (network exfiltration telemetry)"
    Write-Verbose "  Destination: $C2Endpoint"

    try {
        $response = Invoke-WebRequest -Uri $C2Endpoint -Method HEAD `
            -TimeoutSec 10 -UseBasicParsing -ErrorAction Stop
        Write-Ok "Network connection completed (HTTP $($response.StatusCode) from $C2Endpoint)"
    } catch {
        Write-Warn "Network request failed (connection telemetry may still have been generated): $_"
    }
} else {
    Write-Warn "Step 3 skipped (-SkipNetwork flag set)"
}

Write-Host ""
Write-Step "Cleaning up artefacts"
Remove-Artefacts

Write-Host ""
Write-Host "=== Emulation Complete ===" -ForegroundColor Magenta
Write-Host ""
Write-Host "Expected detections:" -ForegroundColor White
Write-Host "  [Research]  Sysmon EID 10/11 or WEL EID 4663 — non-browser file access" -ForegroundColor DarkCyan
Write-Host "  [Hunt]      EID 10 + CryptUnprotectData within 60 seconds"               -ForegroundColor DarkYellow
Write-Host "  [Analyst]   EID 10/11 + Sysmon EID 3 (outbound connection)"              -ForegroundColor DarkGreen
Write-Host ""
Write-Host "If no alerts fired, verify:" -ForegroundColor DarkGray
Write-Host "  - Sysmon is running with a config that captures EID 3/8/10/11"
Write-Host "  - Object Access auditing is enabled (auditpol) for EID 4663"
Write-Host "  - Sigma rules are deployed and log sources are ingested"
Write-Host ""

OSINT Sources

Hudson Rock Cavalier Filter by credential type: browser; filter by organization domain

Enterprise threat intelligence platform tracking 30M+ infostealer-infected computers. Allows organizations to check if their employee/contractor credentials appear in stealer logs. Directly actionable: if a corporate email appears in stealer logs, that account should be treated as compromised regardless of whether a breach has been detected.

Have I Been Pwned (Stealer Logs) Search by email domain or corporate email address

Free service that includes major stealer log dumps in its breach database. Stealer log entries are tagged separately from traditional data breaches. Domain notification allows organizations to monitor all corporate email addresses continuously.

VirusTotal Intelligence behavior_files:"Login Data" behavior_files:"Local State" positives:0

Requires VT Intelligence subscription. Finds samples that access both Login Data and Local State files (combined access is a strong infostealer behavioral indicator) while currently evading AV detection — the most dangerous variants in active circulation.

Shodan http.html:"stealer" http.html:"logs" http.html:"panel"

Finds exposed infostealer C2 panels — often left accessible due to poor OpSec by stealer operators. Log panels with "logs" and "panel" in the HTML indicate active infrastructure. Useful for tracking active campaign infrastructure and reporting to law enforcement or domain registrars.

Intel Resources

• Hudson Rock — 2026 Infostealer Trends I'm Monitoring — February 2026 analysis by Alon Gal (CTO, Hudson Rock); Hudson Rock tracks 30M+ infected computers. Documents 2026 trends including infostealer-to-APT pipeline, victim-to-vector loop, malicious AI skill poisoning via OpenClaw, and the ByBit heist connection to infostealer credential harvesting.
• MITRE ATT&CK — T1555.003 Credentials from Password Stores: Credentials from Web Browsers — Primary technique definition covering browser credential database access methodology, with procedure examples for Chrome (Login Data + DPAPI), Firefox (logins.json + key4.db + NSS3), and cross-browser coverage. Includes procedure examples for LummaC2, RedLine, Raccoon, Vidar, AMOS, and 30+ other tracked families.
• Google Security Blog — Improving the security of Chrome cookies on Windows — Official Google announcement of App-Bound Encryption (July 30, 2024) in Chrome 127. Explains the technical mechanism: encryption key bound to Chrome's application identity via IElevator COM interface. Basis for understanding the three bypass techniques (COM elevation, CDP, memory injection) that emerged within 45 days.
• Mandiant / Google Cloud — UNC5537 Targets Snowflake Customer Instances for Data Theft — Technical analysis of the Snowflake breach (May-June 2024); documents UNC5537's use of VIDAR, RISEPRO, REDLINE, RACCOON, LUMMA, and METASTEALER-harvested credentials to access 160+ Snowflake environments. No CVE exploitation — credentials alone were sufficient. Defines infostealer credentials as a primary enterprise supply chain risk.
• MITRE ATT&CK — T1539 Steal Web Session Cookie — Secondary technique covering session cookie theft for MFA bypass. Directly related to infostealer cookie database access (Chrome Cookies file). Cookie theft enables account takeover without re-authentication even after password reset.

Related Chokepoints

ClickFix Techniques HIGH Remote Execution Tools (HackTools) HIGH