Hackers Dropping Mid-Heist Selfies: LLM Identifies Information Stealer Infection Vector and Extracts IoCs

Presented at DEF CON 33 (2025), Aug. 9, 2025, 1 p.m. (45 minutes).

Information stealer malware is one of the most prolific and damaging threats in today’s cybercrime landscape, siphoning off everything from browser-stored credentials to session tokens. In 2024 alone, we witnessed more than 30 million stealer logs traded on underground markets. Yet buried within these logs is a goldmine: screenshots captured at the precise moment of infection. Think of it as a thief taking a selfie mid-heist, unexpected but convenient for us, right? Surprisingly, these crime-scene snapshots have been largely overlooked until now. Leveraging them with Large Language Models (LLMs), we propose a new approach to identify infection vectors, extract indicators of compromise (IoCs) and track infostealer campaigns at scale. In our analysis, we break down three distinct campaigns to illustrate the tactics used to deliver malware and deceive victims. Through a live demonstration, this presentation shows how LLMs can be harnessed to extract IoCs at scale while addressing the challenges and costs of implementation. Attendees will walk away with a deeper understanding of the modern infostealer ecosystem and will want to apply LLMs to other illicit artifacts to extract actionable intelligence.
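The abstract describes the pipeline only at a high level: hand a stealer-log screenshot to a vision-capable LLM, ask it for the infection vector and any IoCs, and run that over millions of logs. The piece a practitioner most wants to see is what happens after the model answers, because a model can return malformed JSON, invent an indicator, or label the vector with a term your tracking never uses. The following example, added here and not the presenters' or Flare's own code, shows that post-processing step. It assumes the model is reachable through any callable that takes image bytes and a prompt and returns text (the `describe` parameter), so the block runs offline against a constructed sample response; the prompt wording, the closed vocabulary of infection vectors and the sample output are all assumptions for illustration.

```python
"""Validate and normalize what a vision LLM says about a stealer-log screenshot.

Added example (not the talk's code). The model call is injected via `describe`
so this runs offline; SAMPLE_MODEL_OUTPUT is a constructed response, not a
real model answer or real campaign data.
"""
import ipaddress
import json
import re
from typing import Callable
from urllib.parse import urlsplit, urlunsplit

# Closed vocabulary so campaigns can be grouped downstream; anything the model
# returns outside this set collapses to "unknown" instead of polluting tracking.
INFECTION_VECTORS = {"cracked_software", "fake_update", "malvertising",
                     "phishing", "social_engineering", "unknown"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
SHA256_RE = re.compile(r"^[a-f0-9]{64}$", re.I)

# Hypothetical prompt; asks for strict JSON so parsing is cheap and predictable.
PROMPT = ("This is a screenshot taken on a machine at the moment it was infected "
          "by an information stealer. Reply ONLY with JSON: "
          '{"infection_vector": one of ' + ", ".join(sorted(INFECTION_VECTORS)) +
          ', "iocs": [URLs, domains, IPs or SHA-256 hashes visible on screen]}')


def classify_ioc(value: str):
    """Return (kind, normalized value) or None if the candidate is malformed."""
    v = value.strip()
    if URL_RE.fullmatch(v):
        return "url", v
    if SHA256_RE.fullmatch(v):
        return "sha256", v.lower()
    try:
        ipaddress.ip_address(v)          # rejects e.g. 999.1.1.1
        return "ip", v
    except ValueError:
        pass
    if DOMAIN_RE.fullmatch(v):
        return "domain", v.lower()
    return None


def defang(kind: str, value: str) -> str:
    """Make network indicators non-clickable before they land in a report."""
    if kind == "url":
        p = urlsplit(value)
        return urlunsplit((re.sub("^http", "hxxp", p.scheme),
                           p.netloc.replace(".", "[.]"), p.path, p.query, p.fragment))
    if kind in ("domain", "ip"):
        return value.replace(".", "[.]")
    return value


def parse_model_output(text: str) -> dict:
    """Accept strict JSON, JSON wrapped in prose or a code fence, or free text."""
    m = re.search(r"\{.*\}", text, re.S)
    if m:
        try:
            data = json.loads(m.group(0))
        except json.JSONDecodeError:
            data = None
        if isinstance(data, dict):
            raw = data.get("iocs", [])
            iocs = [str(x) for x in raw if x is not None] if isinstance(raw, list) else []
            return {"infection_vector": str(data.get("infection_vector", "unknown")),
                    "iocs": iocs}
    # Model ignored the format: salvage whatever URLs appear in the free text.
    return {"infection_vector": "unknown", "iocs": URL_RE.findall(text)}


def analyze_screenshot(image: bytes, describe: Callable[[bytes, str], str]) -> dict:
    """Run one screenshot through the model and return validated, defanged IoCs."""
    parsed = parse_model_output(describe(image, PROMPT))
    vector = parsed["infection_vector"].strip().lower()
    if vector not in INFECTION_VECTORS:
        vector = "unknown"
    iocs: dict = {}
    dropped = 0
    for cand in parsed["iocs"]:
        c = classify_ioc(cand)
        if c is None:
            dropped += 1                 # malformed or hallucinated candidate
            continue
        kind, norm = c
        iocs.setdefault(kind, set()).add(norm)
    return {"infection_vector": vector,
            "iocs": {k: sorted(defang(k, v) for v in vs) for k, vs in iocs.items()},
            "dropped": dropped}


# Constructed sample response; reserved .test / TEST-NET values, not real IoCs.
SAMPLE_MODEL_OUTPUT = json.dumps({
    "infection_vector": "Cracked_Software",
    "iocs": ["https://dl.example.test/Setup_v2.exe", "dl.example.test", "203.0.113.7",
             "999.1.1.1", "not an indicator",
             "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
})


def fake_describe(image: bytes, prompt: str) -> str:
    """Stand-in for a real vision-model client; ignores the image."""
    return SAMPLE_MODEL_OUTPUT


if __name__ == "__main__":
    print(json.dumps(analyze_screenshot(b"\x89PNG...", fake_describe), indent=2))
```

Swapping `fake_describe` for a client that actually sends the image keeps everything else unchanged, and the `dropped` counter is worth logging per model and prompt version: a rising drop rate is an early signal that the model is hallucinating indicators or that the prompt no longer elicits the expected format, both of which matter when the cost of the run is measured in millions of screenshots.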

Presenters:

  • Estelle Ruellan
    Estelle is a Threat Intelligence Researcher at Flare. With a background in Mathematics and Criminology, Estelle lost her way into cybercrime and is now playing with lines of code to help computers make sense of the cyber threat landscape. She has presented at conferences including ShmooCon 2025, Hack.lu 2024, eCrime APWG 2024 in Boston and the 23rd Annual European Society of Criminology Conference (EUROCRIM 2023) in Florence.
  • Olivier Bilodeau
    Olivier Bilodeau, a principal researcher at Flare, brings 15+ years of cutting-edge infosec expertise in honeypot operations, binary reverse-engineering, and RDP interception. A passionate communicator, Olivier has spoken at conferences including BlackHat, DEFCON, SecTor, Derbycon, and more. Invested in his community, he co-organizes MontréHack, is NorthSec’s President, and runs its Hacker Jeopardy.