Black Hat USA 2025 | Hackers Dropping Mid-Heist Selfies
Why It Matters
Automating screenshot analysis transforms low‑level malware artifacts into high‑value threat intelligence, enabling faster detection and mitigation of large‑scale software‑crack campaigns.
Key Takeaways
- Information stealer malware captures credentials, wallets, and system data.
- Threat actors embed screenshots to reveal infection vectors and context.
- Dual‑layer LLM pipeline parses screenshots, then identifies infection vectors.
- First LLM layer excels at file details, struggles with browser tabs.
- IOC validation filters dead links, enhancing actionable threat intelligence.
Summary
The Black Hat USA 2025 talk focused on a novel AI‑driven approach to dissecting “mid‑heist selfies” – screenshots harvested by information‑stealer malware. These malware families exfiltrate credentials, crypto wallets, password managers and system details without needing admin rights, then package the data – including screenshots of the victim’s desktop – for resale on Telegram channels.
The presenters described a two‑stage large language model (LLM) pipeline. The first layer receives the raw screenshot and outputs a structured description covering scene content, file explorer entries, installer names and any suspicious links. The second layer consumes this description to pinpoint the infection vector and the campaign theme. Screenshots were categorized as web‑only, file‑system, or hybrid, and prompts were engineered to extract URLs, browser tabs, and anomalous elements.
Examples included a YouTube video promoting a cracked Fortnite client and a Mega link to an Office suite crack, both clearly visible via OCR. Performance testing on 1,000 screenshots showed 96% accuracy for scene description, 100% for file explorer and link extraction, 85% for suspicious‑element detection, but only 30% for browser‑tab identification, leading the team to drop that sub‑task entirely. An IOC‑checking module then filtered dead URLs using HTTP status codes and platform‑specific heuristics, ensuring only live indicators fed downstream threat‑intel workflows.
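An added example, not the presenters' code, sketching the stages described above: a first-layer description record (field names are assumed), the web-only / file-system / hybrid categorization, and an IOC check that combines the HTTP status code with a platform heuristic. The dead-page marker strings, the sample screenshot and the fake fetcher are constructed so the code runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Tuple
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
Fetcher = Callable[[str], Tuple[int, str]]  # url -> (http_status, body); injected to stay offline
@dataclass
class ScreenshotDescription:
    """First-layer LLM output; field names are assumed, not the presenters' schema."""
    scene: str
    file_entries: List[str] = field(default_factory=list)
    installer_names: List[str] = field(default_factory=list)
    suspicious_text: str = ""
def extract_urls(desc: ScreenshotDescription) -> List[str]:
    """URLs from the free-text fields, de-duplicated in order of appearance."""
    found = [u.rstrip(".,)") for u in URL_RE.findall(desc.scene + " " + desc.suspicious_text)]
    return list(dict.fromkeys(found))
def categorize(desc: ScreenshotDescription) -> str:
    """The talk's three screenshot classes: web-only, file-system or hybrid."""
    has_web, has_fs = bool(extract_urls(desc)), bool(desc.file_entries or desc.installer_names)
    return "hybrid" if has_web and has_fs else ("web-only" if has_web else "file-system")
# Assumed platform heuristics: file hosts often answer 200 with a "gone" page, so the status
# code alone over-counts live links. Marker strings are constructed, not from the talk.
DEAD_MARKERS = {"mega.nz": ("file no longer available", "not found"),
                "youtube.com": ("video unavailable",)}
def is_live(url: str, fetch: Fetcher) -> bool:
    status, body = fetch(url)
    if status >= 400:  # plain HTTP failure: dead
        return False
    host = urlparse(url).netloc.lower()
    for platform, markers in DEAD_MARKERS.items():
        if host == platform or host.endswith("." + platform):
            return not any(m in body.lower() for m in markers)
    return True
def live_iocs(desc: ScreenshotDescription, fetch: Fetcher) -> List[str]:
    """Only links that survive the liveness check are forwarded as indicators."""
    return [u for u in extract_urls(desc) if is_live(u, fetch)]
# Constructed sample: a hybrid screenshot plus a fake fetcher standing in for real HTTP.
SAMPLE = ScreenshotDescription(
    scene="Browser tab: https://mega.nz/file/EXAMPLE1 and https://www.youtube.com/watch?v=EXAMPLE2",
    file_entries=["Downloads\\Office_Crack.zip"], installer_names=["setup_crack.exe"],
    suspicious_text="Overlay text: https://example.invalid/dl/crack.rar")
def fake_fetch(url: str) -> Tuple[int, str]:
    table = {"https://mega.nz/file/EXAMPLE1": (200, "<h1>Download file</h1>"),
             "https://www.youtube.com/watch?v=EXAMPLE2": (200, "Video unavailable"),
             "https://example.invalid/dl/crack.rar": (404, "")}
    return table.get(url, (503, ""))
```

Swap `fake_fetch` for a real HTTP client (with timeouts and a sandboxed egress path) to check indicators against the live hosts.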
The pipeline demonstrates how automated LLM analysis can scale the extraction of actionable intelligence from millions of malicious screenshots, turning what were once noisy artifacts into curated indicators of compromise. By automating this process, defenders can rapidly identify emerging crack‑software campaigns, block live download links, and improve overall cyber‑threat visibility.