Malware Intelligence

Bot technology is a driving force of innovation. With more than half of all online traffic initiated by autonomous programs, bots are clearly showing no signs of slowing down.

Just like any technology, some bots are good, but the ones we hear about most are the bad ones: the bots being increasingly co-opted by attackers to optimize criminal activity. The main reason for their popularity among criminals is simple: botnets help criminals achieve scale.

SpyCloud helps enterprises identify employees and consumers using infected systems and intervene before criminals can leverage their stolen data for account takeover, identity theft, and online fraud.

Botnets (also called Infostealers) are networks of computers infected with malware, and they help criminals steal information at scale.

Information pilfered by malware-infected machines is shared in small criminal circles, private chat groups, and also posted on underground hacking web forums. When SpyCloud is able to recover this data, we parse out this malware intelligence – including the infected victim’s username, URL, and password – in order to help consumers and organizations protect themselves before criminals can leverage their stolen data for account takeover, identity theft, and online fraud.

Statistics highlighted on the page (the figures themselves did not survive extraction):

  • Projected average per-hour cost of a DDoS attack in 2021
  • Increase in IoT attack instances from October 2019 through June 2020 over the previous two years
  • More than one-third of an average site’s traffic consists of harmful bots

The Most Nefarious Information Stealers

Today’s sophisticated malware is distributed by masquerading as legitimate software, malvertising campaigns, advanced phishing campaigns that trick the user into downloading the malware, SEO poisoning of popular “free” software titles, or delivery as an email attachment (in fact, 94% of malware is delivered via email). And while antivirus software might provide some protection, the botnet delivery methods are often sophisticated enough to evade detection even by the best antivirus software.

Many users who have been infected with malware have unknowingly had their keystrokes and system information stolen by cybercriminals. Once botnet malware is installed, it steals all manner of information including:

  • Usernames and passwords
  • Hostnames and saved passwords from browsers & FTP clients
  • Cookies from browsers and forms, including autofill data
  • Bitcoin wallets
  • Files with specific extensions
  • Screenshots of the user desktop
  • Chat history
  • List of installed programs and running processes
  • Machine Globally Unique Identifier (GUID) as well as system architecture, system language, username and computer name

(Sample of data stolen by Predator malware)

Infected User Response Guide

Take swift action on malware infections. We provide advice on how to contact users with an action plan, including an email template you can use right away.

Infected User Data from SpyCloud

Customers find tremendous value in SpyCloud’s malware intelligence. When SpyCloud finds the credentials of an employee or consumer in a malware log, that usually indicates an active malware infection on their device. It means that:

  • Your employee has used an infected machine to log into a domain or portal with a corporate email address and provided a password to that destination.
  • Your consumer has used an infected machine to enter their username and password on your login page.

More than just their credentials have likely been siphoned, and the danger is amplified in our remote work world. While the risks of an infection on a company-owned system are obvious, infected personal devices can also endanger corporate resources — and they typically aren’t monitored by corporate security. Busy employees often blur the lines between personal and work-related device usage, meaning an infected system at home has the potential to expose work login credentials and data.

Block ATO Early In The Attack Cycle

Traditional solutions rely on blunt-force protection, such as end-point security and web access firewalls. These solutions can potentially turn away customers and revenue. More importantly, they are no match for today’s bots for a number of reasons.

  • Botnets are increasingly adopting strategies that make them more effective at causing damage while avoiding detection. 
  • Botnets are more frequently targeting enterprise IoT and other IoT devices with more complex processors and architectures. 
  • Cryptocurrency botnets are on the rise, and the operators of these botnets often compete fiercely with one another. 
  • Botnets are increasingly used for commercial and retail fraud.

Combatting these sophisticated attacks requires dedicated detection and mitigation techniques. Considering the hyper-speed at which bots are fueling ATO, SpyCloud believes it’s critical to disrupt the criminal’s ability to profit as early as possible. 

SpyCloud is where cybersecurity meets big data. Nowhere is this more apparent than in our experience infiltrating criminal networks to obtain massive troves of stolen data, including botnet stealer logs. SpyCloud has access to botnet data that is rarely available to even the most advanced in-house security teams. We open each log, parse out the data and ingest it into our database, giving you the ability to identify infected users before it’s too late. 
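The parse-and-match step described above, and the two infection indicators listed under "Infected User Data from SpyCloud", as an added illustration that is not SpyCloud's own code or log format: it parses a constructed stealer-log excerpt into URL/username/password records and flags the ones that point at an organisation's own employees (corporate email used as the username) or consumers (the organisation's login page). The domain names and record layout are assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed stealer-log excerpt in a typical "URL / USER / PASS" layout.
# Made up for this example: not a real log and not SpyCloud's own format.
SAMPLE_LOG = """\
URL: https://sso.example-corp.com/login
USER: alice@example-corp.com
PASS: Winter2021!

URL: https://www.example-bank.com/account/signin
USER: bob_smith
PASS: hunter2

URL: https://mail.unrelated.test/
USER: carol@personal.test
PASS: pa55word
"""

RECORD_RE = re.compile(
    r"URL:\s*(?P<url>\S+)\s*\nUSER:\s*(?P<user>\S+)\s*\nPASS:\s*(?P<pw>\S*)"
)

def parse_log(text):
    """Extract (url, username, password) triples from a stealer log."""
    return [(m["url"], m["user"], m["pw"]) for m in RECORD_RE.finditer(text)]

def find_infected_users(records, corp_email_domains, login_hosts):
    """Flag records that belong to this organisation's users.
    employee: username is a corporate email; consumer: URL host is an org login page.
    Passwords are not returned, only whether one was captured."""
    hits = []
    for url, user, pw in records:
        host = (urlsplit(url).hostname or "").lower()
        user_domain = user.rpartition("@")[2].lower() if "@" in user else ""
        if user_domain in corp_email_domains:
            kind = "employee"
        elif host in login_hosts:
            kind = "consumer"
        else:
            continue  # someone else's user; nothing for this organisation to act on
        hits.append({"kind": kind, "user": user, "host": host,
                     "password_captured": bool(pw)})
    return hits

if __name__ == "__main__":
    for hit in find_infected_users(parse_log(SAMPLE_LOG),
                                   {"example-corp.com"}, {"www.example-bank.com"}):
        print(f"{hit['kind']}: reset {hit['user']} at {hit['host']}")
```

Each hit is a user whose device should be treated as actively infected, so the response is a forced credential reset plus device remediation, not just a password change.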

Download our Infected User Remediation Guide

(Example botnet log)


Learn How a Global Fintech Company Uses SpyCloud’s Botnet Data to Protect Customers from Fraud

Read the Case Study

The SpyCloud Difference

SpyCloud is on a mission to disrupt criminals’ ability to profit from stolen information. For enterprises, the best way to disrupt the criminal economy is by understanding account takeover and addressing compromised credentials programmatically. Resetting exposed passwords locks out criminals and keeps them from reaping the benefits of malicious activity.

SpyCloud provides the earliest detection of potentially compromised accounts – those using credentials that have appeared in a third-party breach or in a botnet log. And we automate the remediation of exposed passwords, enabling enterprises to lock down accounts quickly, before damage is done.

SpyCloud human intelligence researchers have recovered billions of data breach assets, including stolen passwords and emails that can put enterprises at risk of account takeover.
