Recorded Future Identity Intelligence analyzes infostealer logs to identify CSAM consumers and map their activity across CSAM sources, finding thousands of unique credentials and a subset of users with credentials for more than one source. The study demonstrates that infostealer data can aid law enforcement in tracking CSAM activity on the dark web; findings were escalated to authorities. #Infostealer #CSAM #InsiktGroup #RecordedFuture #WorldChildhoodFoundation #ATII
Key points
- Recorded Future’s Identity Intelligence uses infostealer logs to identify users with credentials to CSAM sources.
- Found 3,324 unique credentials used to access known CSAM websites, enabling granular statistics on sources and users.
- 4.2% of users had credentials for multiple CSAM sources, suggesting a higher likelihood of cross-source involvement.
- Methodology combines known high-fidelity CSAM domains, OSINT, and the Recorded Future Intelligence Cloud to surface additional sources.
- De-duplication was performed by comparing OS usernames and PC names to unify cases.
- Three case studies illustrate how infostealer data can reveal individuals and digital artifacts (including cryptocurrency addresses) tied to CSAM activity.
- Findings support law enforcement action and ongoing monitoring as infostealer log datasets evolve with MaaS ecosystems.
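The counting and de-duplication steps summarised in the key points (match saved credentials against a domain list, unify victims by OS username and PC name, measure the multi-source share), as an added Python example. This is not Recorded Future's code; the domains and log records are constructed placeholders on the reserved .invalid TLD.

```python
"""Cross-reference parsed infostealer-log credentials with a flagged-domain
list, de-duplicate victims by (OS username, PC name), and compute the share
of victims holding credentials for more than one flagged source.
Added example; all data below is constructed, not taken from the report."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed stand-in for the report's set of known high-fidelity domains.
FLAGGED_DOMAINS = {"source-a.invalid", "source-b.invalid", "source-c.invalid"}

# Constructed records in the shape of a parsed stealer log: one saved browser
# credential per entry plus the host metadata the stealer collected.
SAMPLE_RECORDS = [
    {"url": "https://source-a.invalid/login", "username": "u1", "os_user": "alice", "pc_name": "DESKTOP-1"},
    {"url": "https://source-a.invalid/login", "username": "u1", "os_user": "alice", "pc_name": "DESKTOP-1"},  # repeated log
    {"url": "https://www.source-b.invalid/", "username": "u1b", "os_user": "alice", "pc_name": "desktop-1"},  # same machine
    {"url": "https://source-c.invalid/auth", "username": "u2", "os_user": "bob", "pc_name": "PC-2"},
    {"url": "https://shop.invalid/account", "username": "u3", "os_user": "carol", "pc_name": "PC-3"},  # not flagged
]

def flagged_host(url):
    """Return the flagged domain that url belongs to (subdomains included), else None."""
    host = (urlparse(url).hostname or "").lower()
    for dom in FLAGGED_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None

def analyze(records):
    """Return (unique_credential_count, victims_by_device, multi_source_percent).

    A credential is (domain, username); a victim is (os_user, pc_name),
    compared case-insensitively so repeated logs from one machine collapse."""
    creds = set()
    victims = defaultdict(set)  # (os_user, pc_name) -> flagged domains seen
    for rec in records:
        dom = flagged_host(rec["url"])
        if dom is None:
            continue  # credential for an unrelated site: ignore
        creds.add((dom, rec["username"]))
        victims[(rec["os_user"].lower(), rec["pc_name"].lower())].add(dom)
    multi = sum(1 for doms in victims.values() if len(doms) > 1)
    percent = round(100 * multi / len(victims), 1) if victims else 0.0
    return len(creds), dict(victims), percent
```

On the constructed records this yields 3 unique credentials, 2 victims, and a 50.0% multi-source share.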
MITRE Techniques
- [T1555.003] Credentials from Web Browsers – Infostealer collects credentials and browser cookies from browsers as part of its data theft. Quote: “…infostealer malware steals sensitive user information such as login credentials, cryptocurrency wallets, payment card data, OS information, browser cookies, screenshots, and autofill data.”
- [T1082] System Information Discovery – Infostealer logs include OS information to aid in asset identification and profiling. Quote: “…OS information…”
- [T1078] Valid Accounts – Credentials are used to access known CSAM websites, revealing cross-site activity. Quote: “3,324 unique credentials used to access known CSAM websites.”
Indicators of Compromise
- [IP Addresses] context – IP addresses mentioned in the findings and other IPs observed during the investigations
- [Domains] context – known CSAM domains and related CSAM sources
- [Cryptocurrency Addresses] context – cryptocurrency wallet addresses identified in the case studies and other addresses
Read more: https://www.recordedfuture.com/caught-in-the-net-using-infostealer-logs-to-unmask-csam-consumers