Estelle Ruellan

Infostealers are malware that collect sensitive data from infected devices and transmit it to Command-and-Control (C2) servers operated by cybercriminals. The resulting stealer logs, containing credentials and system information, fuel a lucrative underground market. But what if C2 operators also fell victim to their own skim : the biters bit. Our research reveals that C2 operators themselves sometimes become unwitting victims, exposing valuable intelligence about their operations. In this presentation, we will be turning the tables on the very actors behind infostealers. Through analysis of stealer logs, we uncover diverse profiles within the infostealer ecosystem. Most notably "NoObSec" - amateur operators with critically poor security practices who can be de-anonymized through their own logs, and "Skip Tracers' Nightmares" - sophisticated actors operating from dedicated virtual machines who maintain strict operational security. These contrasting profiles demonstrate the wide spectrum of expertise in the infostealer landscape, from those who inadvertently expose their identities to those who masterfully conceal their tracks while orchestrating complex campaigns. This presentation presents case studies including a malware distributor using cracked software for infection and a threat actor operating multiple malware families to create a complex cybercriminal ecosystem. These examples demonstrate how stealer logs serve as powerful investigative tools for understanding both cybercrime infrastructure and techniques shaping the infostealer landscape. Join us as we pull back the curtain on the cybercriminal backstage.