Defense Videos

All News Deals Social Blogs Videos Podcasts Digests

Defense Cybersecurity AI

SecTor 2025 | Hackers Dropping Mid-Heist Selfies

•May 23, 2026

Black Hat

Black Hat•May 23, 2026

Why It Matters

Turning visual malware artifacts into machine‑readable intelligence accelerates detection and disrupts cyber‑crime supply chains.

Key Takeaways

•Info‑stealer malware captures desktop screenshots to reveal infection context
•Two‑stage LLM pipeline extracts descriptions then identifies infection vectors
•First LLM layer struggles with browsing‑tab identification, requiring manual correction
•IOC checker filters dead URLs, handling file‑sharing platforms and YouTube links
•Automated pipeline processes millions of selfie screenshots for rapid threat intel

Summary

The SecTor 2025 session focused on a growing class of information‑stealer malware that not only exfiltrates credentials, wallets and system data, but also takes a screenshot of the victim’s desktop – a “mid‑heist selfie.” Researchers explained how these images provide a rare glimpse into the infection chain, revealing the cracked software, download dialogs and even the surrounding environment that traditional logs miss.

To turn millions of screenshots into actionable intelligence, the team built a two‑layer large‑language‑model (LLM) pipeline. The first layer generates a structured description of the scene, extracting URLs, file‑system views and any suspicious elements. The second layer consumes that description to pinpoint the infection vector and assign a thematic tag, outputting results in a standardized array.

During testing, the first LLM performed well on most fields but faltered on browsing‑tab identification, often confusing bookmarks for active tabs. The team mitigated this by pruning the problematic output before feeding it to the second layer. A downstream IOC‑checking module then validates URLs from file‑sharing sites and YouTube, discarding dead links and flagging password‑protected archives as live indicators.

The end‑to‑end system enables analysts to triage fifteen‑million selfie screenshots automatically, dramatically reducing manual effort and improving the timeliness of threat‑intel feeds. By converting visual artifacts into structured data, security operations can more quickly map campaigns, block active C2 channels, and anticipate future attacks.

Original Description

Information stealer malware has become one of the most prolific and damaging threats in today's cybercrime landscape, siphoning off everything from browser-stored credentials to session tokens and other system secrets. In 2024 alone, we witnessed more than 30 million stealer logs traded on underground markets. Yet buried within these logs is an underexplored goldmine: screenshots captured at the precise moment of infection. Think of it as a thief taking a selfie mid-heist, unexpected but convenient for us, right? Surprisingly, these crime scene snapshots have been largely overlooked until now.

Leveraging infostealer infection screenshots and Large Language Models (LLMs), we propose a new approach to identify infection vectors, extract indicators of compromise (IoCs) and track infostealer campaigns at scale. Our approach found several hundred potential IoCs in the form of URLs leading to the download of the malware-laden payload. By applying this method to "fresh" stealer logs, we can detect and mitigate infection vectors almost instantaneously, reducing further infections. Our analysis uncovered distribution strategies, lure themes and social engineering techniques used by threat actors in successful infection campaigns. We will break down three distinct campaigns to illustrate the tactics they use to deliver malware and deceive victims: cracked versions of popular software, ads pointing to popular software and free AI image generators.

This presentation, with its live demonstration, shows how LLMs can be harnessed to extract IoCs at scale while addressing the challenges and costs of implementation. Attendees will walk away with a deeper understanding of the modern infostealer ecosystem and will want to apply LLM to other illicit artifacts to extract actionable intelligence.

By:

Estelle Ruellan | Threat Intelligence Researcher, Flare

Olivier Bilodeau | Principal Security Researcher, Flare

https://blackhat.com/sector/2025/briefings/schedule/?#hackers-dropping-mid-heist-selfies-llm-identifies-information-stealer-infection-vector-and-extracts-iocs-48786

Comments

Want to join the conversation?

Loading comments...