{
	"id": "1d409946-5bcf-4d97-a742-9a274f315822",
	"created_at": "2026-04-06T00:09:42.092765Z",
	"updated_at": "2026-04-10T03:21:07.243217Z",
	"deleted_at": null,
	"sha1_hash": "41371c29b66e1faa533f2c559a271a927909dbe0",
	"title": "Dissecting the Dark Web Supply Chain: Stealer Logs in Context",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 409578,
	"plain_text": "Dissecting the Dark Web Supply Chain: Stealer Logs in Context\r\nBy Flare\r\nPublished: 2023-06-06 · Archived: 2026-04-05 14:40:13 UTC\r\nStealer logs represent one of the primary threat vectors for modern companies. However, many security teams are\r\nstill focused on leaked credentials and remain unaware of the significant threat posed by devices infected with\r\ninfostealer malware.\r\nThis Flare explainer article will delve into the lifecycle of stealer malware and provide tips for detection and\r\nremediation.\r\nWhat is a Stealer Log?\r\nSeveral variants of infostealer malware exist, but the primary groups we often encounter\r\nare Redline, Raccoon, Vidar, and Titan. This malware infects victim computers and exports passwords saved\r\nwithin the browser, alongside host data such as OS version, IP address, clipboard data, browser history, saved\r\ncredit cards, and cryptocurrency wallet data.\r\nThe malware then sends this data back to the threat actor's command-and-control infrastructure. It is subsequently\r\nsold as individual listings on dedicated dark web marketplaces or distributed through specialized cybercrime\r\nTelegram channels.\r\nThe Stealer Malware Lifecycle - Malware as a Service Vendors\r\nThe cybercrime ecosystem's growth has seen an increasing tendency towards the commoditization of malware,\r\nand infostealer malware is no exception.\r\nhttps://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/\r\nPage 1 of 5\n\nMalware-as-a-service vendors sell access to the primary infostealer variants on specialized Telegram channels for a\r\nfixed monthly price, typically ranging from $100 to $300 depending on the malware’s age, with lifetime\r\nsubscriptions also available.\r\nBuyers also gain access to a web portal linked to command-and-control infrastructure, which can be used to\r\ncollect logs from victims in a centralized location.\r\nDescription of stealer web panel features\r\nSource: Flare\r\nThe Stealer Malware Lifecycle - Distribution\r\nThreat actors who purchase the stealer malware have the responsibility of distributing it to victims. This\r\ndistribution typically occurs through three principal vectors: cracked software downloads, illegitimate ads, and\r\nspear-phishing emails for targeted attacks against organizations.\r\nOnce the infostealer malware is downloaded onto a victim's computer, it automatically executes and attempts to\r\nestablish communication with the C2 infrastructure. Upon successful communication, credentials and host data are\r\nsent back to the threat actor.\r\nThe Stealer Malware Lifecycle - Reselling\r\nThe vast majority of stealer logs originate from home computers without access to corporate IT environments. In\r\nmany instances, threat actors utilize stealer logs to access VPN environments, streaming services, and other basic\r\nconsumer applications. However, logs that do provide access to corporate IT environments are highly prized.\r\nAt Flare we process more than 1 million stealer logs per week, and estimate that a minimum of 1% contain access\r\nto corporate IT environments. Stealer logs are typically distributed through one of four major channels: Russian\r\nMarket, Genesis Marketplace, public Telegram rooms, and private “VIP” Telegram rooms.\r\nUsing Flare’s SaaS cyber-intel platform, we found that logs sold on the Russian and Genesis marketplaces come with a\r\nbasic list of the credentials saved in the browser. Full information about the victim’s machine and the\r\npasswords are provided upon purchase.\r\nThreat actor promoting private info-stealer logs\r\nSource: Flare\r\nThese marketplaces are designed for threat actors who are “shopping” for specific credentials, and prices\r\noften vary dramatically based on the type of information being sold. For example, the average price of an\r\ninfected device listed on Genesis Market is $14.39; with a healthcare domain listed, the price jumps to\r\n$93.91, and access to banking services brings the price north of $110 per device.\r\nPrivate Log Channel Ad on Telegram\r\nLogs distributed through Telegram are wholly different: they typically appear in large zip files containing\r\nhundreds or thousands of individual logs. They are often distributed in public Telegram rooms, but a significant\r\nnumber are also shared in private VIP “paid access” Telegram channels.\r\nThese typically cost between $300 and $900 per month and are limited to 10-15 users. This provides exclusivity to the\r\nthreat actors in the channel, allowing them to pick over and exploit the most valuable logs before they are\r\ngiven away in a public Telegram room later.\r\nRedline Stealer logs shared on Telegram\r\nSource: Flare\r\nLogs being given away for free in a public Telegram channel.\r\nThe Stealer Malware Lifecycle - Initial Access Brokers\r\nWe believe that many initial access brokers, who are active on dark web forums such as exploit.in and xss.is, sift\r\nthrough millions of stealer logs found in VIP Telegram channels and on the Russian and Genesis markets.\r\nTheir aim is to identify logs containing corporate access, which can then be used to establish and expand access to\r\nthe corporate environment. Buying logs that already have multiple sets of corporate credentials significantly simplifies the process of\r\ncompromising a company.\r\nSelling logs with corporate credentials\r\nSource: Flare\r\nThis allows the threat actor to focus on validating and expanding initial access rather than establishing it from scratch.\r\nOnce access has been validated, initial access brokers (IABs) auction off the established access for prices ranging\r\nfrom thousands to tens of thousands of dollars, depending on the victim organization and the level of access\r\nestablished.\r\nA post from Exploit.in selling access to a corporate environment. Note that the threat actor lists notable\r\ninformation about the affected company in addition to the AV the victim is using. The bidding starts at $1,000 with\r\nincrements of an additional $1,000 and a “buy it now” price of $10,000.\r\nDetect \u0026 Remediate Stealer Logs with Flare\r\nFlare’s SaaS platform delivers high-value, tailored threat exposure management to organizations. Flare detects\r\nthreats across hundreds of dark web markets \u0026 forums, thousands of illicit Telegram channels, \u0026 clear web\r\nsources of risk.\r\nOur SaaS platform integrates into your existing security program in 30 minutes with native integrations that\r\nenable you to build a threat-led cybersecurity program. Request a product demo today to learn more.\r\nSponsored and written by Flare.\r\nSource: https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/"
	],
	"report_names": [
		"dissecting-the-dark-web-supply-chain-stealer-logs-in-context"
	],
	"threat_actors": [],
	"ts_created_at": 1775434182,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41371c29b66e1faa533f2c559a271a927909dbe0.pdf",
		"text": "https://archive.orkl.eu/41371c29b66e1faa533f2c559a271a927909dbe0.txt",
		"img": "https://archive.orkl.eu/41371c29b66e1faa533f2c559a271a927909dbe0.jpg"
	}
}