Danish Tariq

Director
Laburity

Speaker sessions

Zero to Owned: Mapping the Lifecycle of a Credential Stealer to Corporate Breach

Infostealer malware is built to collect and exfiltrate anything useful from an infected device: saved browser credentials, autofill data, session cookies, API tokens, wallet addresses, and app-specific passwords. Once collected, these logs are uploaded to Telegram bots, marketplaces, or leak sites.

The research walks through how these logs are typically structured and what credentials they contain. Examples include login details for GitHub, Slack, AWS, Gmail, Notion, Discord, Office 365, database dashboards, and internal dev tools. Logs often include SSH private keys, JWT tokens, and webhook URLs. In many cases, the stolen cookies let attackers access services without needing a password at all.

By analyzing several incidents using OSINT methods, the research maps the lifecycle of a credential stealer, from infection, to log exposure, to potential misuse. The examples are drawn from public stealer log collections and show how much sensitive access data ends up in the open. The session also covers how common infostealers such as Raccoon, Redline, and LummaC2 work and how to defend against them.
Time: 17:00, Wed 03 Dec
Stage: Briefings 1
Session Type: Presentation