Malware Intelligence

Botnets (also called Infostealers) are networks of computers infected with malware, and they help criminals steal information at scale.

Information pilfered by malware-infected machines is shared in small criminal circles, private chat groups, and also posted on underground hacking web forums. SpyCloud is able to recover this data and deliver malware intelligence to enterprises – automated feeds of infected victims’ usernames, URLs, passwords, and session cookies – in order to help consumers and organizations protect themselves before criminals can leverage their stolen data for account takeover, identity theft, and online fraud.

The Most Nefarious Information Stealers

Today’s sophisticated malware is distributed by masquerading as legitimate software, malvertising campaigns, advanced phishing campaigns that trick the user into downloading the malware, SEO poisoning of popular “free” software titles, or delivered as an email attachment (in fact, 94% of malware is delivered via email). And while antivirus software might provide some protection, oftentimes the botnet delivery methods are sophisticated enough to evade detection even by the best antivirus software.

Many users who have been infected with malware have unknowingly had their keystrokes and system information stolen by cybercriminals. Once botnet malware is installed, it steals all manner of information including:

  • Usernames and passwords
  • Hostnames and saved passwords from browsers & FTP clients
  • Session and device cookies
  • Autofill data
  • Bitcoin wallets
  • Files with specific extensions
  • Screenshots of the user desktop
  • Chat history
  • List of installed programs and running processes
  • Machine Globally Unique Identifier (GUID) as well as system architecture, system language, username and computer name

(Sample of data stolen by Predator malware)

Infected User Response Guide

Take swift action on malware infections. We provide advice on how to contact users with an action plan, including an email template you can use right away.

Infected User Data from SpyCloud

Customers find tremendous value in SpyCloud’s malware intelligence. When SpyCloud finds user credentials or web sessions from your domain in a malware log, that usually indicates an active malware infection on the user’s device. It means that:

  • Your employee has used an infected machine to log into a domain or portal with a corporate email address and provided a password to that destination.
  • Your consumer has used an infected machine to enter their username and password on your login page, or saved a cookie for your domain that has been captured by malware.

More than just their credentials have likely been siphoned, and the danger is amplified in our remote work world. While the risks of an infection on a company-owned system are obvious, infected personal devices can also endanger corporate resources — and they typically aren’t monitored by corporate security. Busy employees often blur the lines between personal and work-related device usage, meaning an infected system at home has the potential to expose work login credentials and data.
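As an added example (not SpyCloud’s own tooling), the following script triages a constructed infostealer-style credential log against a monitored domain and sorts each hit into the two cases listed above: an employee who used a corporate email address somewhere, or a consumer whose credentials for your own login page were captured. The URL/USER/PASS layout, the domain `example.com` and every record in the sample are assumptions for illustration.

```python
# Added example, not SpyCloud code: triage a constructed stealer-log sample
# against a monitored domain, per the employee/consumer cases above.
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in a common "URL / USER / PASS" stealer-log layout.
SAMPLE_LOG = """\
URL: https://portal.example.com/login
USER: alice@example.com
PASS: hunter2

URL: https://mail.example.net/
USER: bob@example.com
PASS: s3cret

URL: https://shop.example.com/account
USER: customer123
PASS: password1

URL: https://forum.other.org/
USER: carol
PASS: qwerty
"""

@dataclass
class Entry:
    url: str
    user: str
    password: str

def parse_log(text):
    """Group URL/USER/PASS lines into entries; tolerates blank lines."""
    entries, cur = [], {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, val = line.partition(":")
        cur[key.strip().lower()] = val.strip()
        if all(k in cur for k in ("url", "user", "pass")):
            entries.append(Entry(cur["url"], cur["user"], cur["pass"]))
            cur = {}
    return entries

def host_in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def classify(entry, domain):
    """'employee' if a corporate address was used, 'consumer' if the
    captured login belongs to your own site, else None."""
    host = (urlparse(entry.url).hostname or "").lower()
    user_domain = entry.user.rpartition("@")[2].lower() if "@" in entry.user else ""
    if user_domain == domain:
        return "employee"
    if host_in_domain(host, domain):
        return "consumer"
    return None

def triage(text, domain):
    return [(e.user, e.url, kind) for e in parse_log(text)
            if (kind := classify(e, domain))]
```

Passwords are parsed but never emitted by `triage`, so the output can be handed to a help desk without re-exposing the secret.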

Block ATO Early In The Attack Cycle

Traditional solutions rely on blunt-force protection, such as end-point security and web access firewalls. These solutions can potentially turn away customers and revenue. More importantly, they are no match for today’s bots for a number of reasons.

  • Botnets are increasingly adopting strategies that make them more effective at causing damage while avoiding detection.
  • Botnets are more frequently targeting enterprise IoT and other IoT devices with more complex processors and architectures.
  • Cryptocurrency botnets are on the rise, and the operators of these botnets often compete fiercely with one another.
  • Botnets are increasingly used for commercial and retail fraud.

Combatting these sophisticated attacks requires dedicated detection and mitigation techniques. Considering the hyper-speed at which bots are fueling ATO, SpyCloud believes it’s critical to disrupt the criminal’s ability to profit as early as possible. 

SpyCloud is where cybersecurity meets big data. Nowhere is this more apparent than in our experience infiltrating criminal networks to obtain massive troves of stolen data, including botnet stealer logs. SpyCloud has access to botnet data that is rarely available to even the most advanced in-house security teams. We open each log, parse out the data and ingest it into our database, giving you the ability to identify infected users before it’s too late. 

(Example botnet log)

The SpyCloud Difference

SpyCloud solutions are backed by the world’s most current and comprehensive repository of recaptured data from breaches, malware infections, and other underground sources – with billions of exposed credentials and PII. It’s the same data that fraudsters use, but we make it actionable to prevent account takeover, ransomware attacks, and online fraud.

Featured Products

Employee ATO Prevention

Protect your organization from breaches and ransomware attacks.

Consumer ATO Prevention

Protect your users from account takeover fraud and unauthorized purchases.

Session Identity Protection

Stop criminals from using malware-stolen session cookies for fraud and ATO.