Attacks through stolen credentials: kill chain from stealer log to domain admin

Posted by Depov (joined Feb 18, 2025)
For the past year I have been taking apart infostealer dumps - archives from Telegram channels and log marketplaces - and in every second one I find working VPN or RDP accounts for corporate networks. Not test accounts, not expired ones: live ones. According to Verizon DBIR 2025, stolen credentials were the initial vector in 22% of all confirmed breaches, more than any other initial access method. The IBM X-Force Threat Intelligence Index 2025 confirms the shift: infostealers made up 32% of all malware in 2024 and overtook ransomware in prevalence. Credential-based attacks are a well-oiled conveyor belt, and below I show how it works from the first log to domain admin.
Recorded from a colleague's account, told in the first person.
Business logic credential-based tests and the way to ransomware
Why break the perimeter when you can walk in the door with someone else's key? According to the CrowdStrike Global Threat Report 2025, 86% of attacks are financially motivated (eCrime). Stolen credentials are the cheapest way to get initial access, and the whole economy is built in three stages, each with its own participants.

Stage 1 - collection. An infostealer infects an employee's machine and pulls out saved passwords, cookies and tokens. In parallel, credential stuffing runs leaked combo lists against public services. MITRE ATT&CK: Valid Accounts (T1078, Initial Access) and Brute Force (T1110, Credential Access).

Stage 2 - trade. Stealer logs go to marketplaces and Telegram at $10-50 per archive. An initial access broker (IAB) filters out the valid corporate accounts, checks access to VPN, RDP and Citrix, and resells the "ready entry" to ransomware affiliates for $500-5000. According to ReliaQuest, in Q3 2024 compromised credentials accounted for 75% of all Digital Risk Protection alerts, eight times more than the next category.

Stage 3 - operation. The affiliate receives the initial access, deploys the payload, moves to domain admin and encrypts data. According to Verizon DBIR 2025, the median ransom payment was $46,000 and the maximum in a single incident reached $75 million.

Each stage depends on the one before it: without logs there is no IAB, and without an IAB the ransomware operator gets no entry point. Credential compromise is the class of risk OWASP puts under A07:2021 - Identification and Authentication Failures: credential stuffing, weak passwords, no MFA.
Credential stuffing attack and password spraying: mechanics and limitations
Credential stuffing (T1110.004) is the automated replay of leaked login:password pairs against services where the user may have reused the same creds. Password spraying (T1110.003) is the reverse mechanic: one common password is tried against a long list of accounts, so that no single account reaches the lockout threshold.

Both methods exploit the same habit: according to Verizon DBIR 2025, 51% of passwords are reused across services. In the Have I Been Pwned database, the Exploit.In combolist alone contains 593,427,119 unique email addresses with passwords. Half a billion pairs, and that is one list.

[Applicable: external pentest, black box, web application without anti-bot]
Bash:

# Credential stuffing: replaying login:password pairs from a combo list
# Hydra is a standard, actively maintained tool (vanhauser-thc/thc-hydra)
hydra -C combo_list.txt target.example.com https-post-form "/login:user=^USER^&pass=^PASS^:Invalid credentials" -t 4 -w 5
The -C flag takes a file of login:password pairs (so -l/-L and -p/-P are not used), -t 4 limits parallel connections and -w 5 sets the response timeout in seconds. The string after the second colon in the form spec is the failure marker: Hydra treats any response that does not contain "Invalid credentials" as a hit, so take it from a real failed login first or every rate-limit page counts as a success. Burp Suite Intruder does the same job in Pitchfork mode with two payload positions.

Where it does not work:
• Rate limiting and lockout: most SaaS platforms lock the account after 5-10 failed attempts. Hydra without IP rotation only gets results on legacy applications without anti-bot protection - internal portals, forgotten staging environments
• CAPTCHA and anti-bot (Cloudflare, Akamai): plain credential stuffing does not get through without CAPTCHA solvers
• MFA: stops 99% of automated replays. But session cookies from stealer logs bypass MFA entirely - the attacker inherits an already authenticated session (T1539 Steal Web Session Cookie)
Password spraying is the bigger threat on an internal pentest in Active Directory: one or two attempts per account do not trigger a lockout, and the coverage is thousands of domain accounts. crackmapexec smb <targets> -u users.txt -p 'Summer2024!' or kerbrute passwordspray - then wait. Check the domain lockout threshold and observation window first, and stay at least one attempt below the threshold per window: locking out a few hundred accounts is the fastest way to get noticed.
Infostealer malware: anatomy of a log archive and the path to initial access
Structure of a typical log archive. A directory per browser (Chrome, Edge, Firefox) with the files: Passwords.txt - lines in the format URL|Login|Password; Cookies.txt - cookie dump, including session tokens; Autofill.txt - autocomplete data; System.txt - hostname, IP, OS, installed software. For the attacker the key value is not the passwords but the session cookies. Cookies from Okta, Azure AD or Google Workspace give access to corporate services bypassing MFA. A password can be changed, but a cookie that is still alive stays valid until it expires or the session is revoked forcibly.
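How a buyer (or an incident responder handed a leaked archive) triages the files described above, as an added example that is not code from the original post: parse Passwords.txt in the URL|Login|Password layout and Cookies.txt as a Netscape-style dump, pull out the rows that touch the target organisation, measure password reuse across sites, and list identity-provider cookies that are still unexpired. The corporate domain, the IdP host list and every sample line are constructed for the example and are not real data.

```python
# Added example: triage of a stealer log archive. Not code from the post; the file
# layout follows the description above, and every sample line is constructed.
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed Passwords.txt (format from the post: URL|Login|Password).
PASSWORDS_TXT = """\
https://vpn.corp.example/remote/login|j.smith@corp.example|Summer2024!
https://mail.corp.example/owa|j.smith@corp.example|Summer2024!
https://www.netflix.com/login|jsmith88|Summer2024!
https://shop.example.org/account|jsmith88|hunter2
https://corp-example.okta.com/login|j.smith@corp.example|Summer2024!
"""

# Constructed Cookies.txt in Netscape format (tab-separated: domain, include-subdomains,
# path, secure, expiry as unix seconds with 0 = session cookie, name, value).
# A "#HttpOnly_" prefix marks HttpOnly cookies and must not be skipped as a comment.
COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    "#HttpOnly_corp-example.okta.com\tFALSE\t/\tTRUE\t1800000000\tsid\t102aBcDeFgHiJkLmNo\n"
    "corp-example.okta.com\tFALSE\t/\tTRUE\t1600000000\tDT\tolddevicetoken\n"
    ".login.microsoftonline.com\tTRUE\t/\tTRUE\t1800000000\tESTSAUTHPERSISTENT\tAAAAexample\n"
    "www.netflix.com\tFALSE\t/\tTRUE\t1800000000\tNetflixId\tirrelevant\n"
)

# Assumed target organisation and identity-provider hosts (hypothetical, set per engagement).
CORP_DOMAIN = "corp.example"
SSO_HOSTS = ("okta.com", "microsoftonline.com", "google.com")


@dataclass(frozen=True)
class Credential:
    host: str
    login: str
    password: str


@dataclass(frozen=True)
class Cookie:
    domain: str
    name: str
    value: str
    expiry: int
    http_only: bool


def _under(host: str, domain: str) -> bool:
    """Exact match or proper subdomain; avoids 'fakeokta.com' matching 'okta.com'."""
    return host == domain or host.endswith("." + domain)


def parse_passwords(text: str) -> list[Credential]:
    creds = []
    for line in text.splitlines():
        parts = line.split("|", 2)              # a password may contain '|': split at most twice
        if len(parts) != 3:
            continue                            # stealer dumps are messy; skip malformed rows
        url, login, password = parts
        creds.append(Credential((urlparse(url).hostname or url).lower(), login.strip(), password))
    return creds


def parse_cookies(text: str) -> list[Cookie]:
    cookies = []
    for line in text.splitlines():
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, _, _, _, expiry, name, value = fields
        cookies.append(Cookie(domain.lstrip(".").lower(), name, value, int(expiry), http_only))
    return cookies


def corporate_credentials(creds, corp_domain=CORP_DOMAIN):
    """Rows that touch the target: a corporate host, or a corporate identity used elsewhere."""
    return [c for c in creds
            if _under(c.host, corp_domain) or c.login.lower().endswith("@" + corp_domain)]


def password_reuse(creds):
    """password -> sorted hosts it was saved for, for passwords seen on more than one host."""
    hosts = defaultdict(set)
    for c in creds:
        hosts[c.password].add(c.host)
    return {pw: sorted(h) for pw, h in hosts.items() if len(h) > 1}


def live_sso_cookies(cookies, now: int, sso_hosts=SSO_HOSTS):
    """IdP cookies still valid at `now`: the part of the log that sidesteps MFA."""
    return [c for c in cookies
            if any(_under(c.domain, h) for h in sso_hosts) and (c.expiry == 0 or c.expiry > now)]


def triage(passwords_txt: str, cookies_txt: str, now: int) -> dict:
    creds = parse_passwords(passwords_txt)
    return {"corporate": corporate_credentials(creds),
            "reused": password_reuse(creds),
            "live_sso_cookies": live_sso_cookies(parse_cookies(cookies_txt), now)}


if __name__ == "__main__":
    result = triage(PASSWORDS_TXT, COOKIES_TXT, now=1_700_000_000)
    print("corporate:", [(c.login, c.host) for c in result["corporate"]])
    print("reused on >1 host:", {pw: len(h) for pw, h in result["reused"].items()})
    print("live IdP cookies:", [(c.domain, c.name, c.http_only) for c in result["live_sso_cookies"]])
```

The expiry check is the whole point of the cookie half: the expired Okta device token in the sample drops out, the live session cookie stays. On the response side the same script answers the question that matters after a stealer infection: which IdP sessions must be revoked now, independently of whether the password was already rotated.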

Active families (2024–2025):
• LummaC2 is the leader in marketplace listings. Its infrastructure was temporarily disrupted by a joint operation of Europol and Microsoft, but recovered
• Redline was the second most common. In October 2024 an international operation took down its infrastructure and led to charges against the developer. According to ReliaQuest, from Q3 to Q4 2023 the number of Redline listings grew by 44%
• Rhadamanthys - replaced LummaC2 in some control panels after the enforcement action
• Raccoon, Vidar - stable stealers with a wide base of operators
The affiliate model. According to Trend Micro Research, in 2025 the stealer ecosystem structurally shifted to the RaaS model. Operators provide infrastructure and builds, affiliates distribute the malware and keep 70-80% of the revenue. The CLR Team group documented by Trend Micro offered a web panel with a builder, a manual crypting service and SEO support. The entry barrier for low-skilled attackers dropped to "register and press the button".

Ransomware initial access: real cases and MITRE ATT&CK mapping
Four cases showing how stolen credentials turn into a full-fledged ransomware attack or an APT operation.
BlackCat/ALPHV and Change Healthcare (February 2024)
BlackCat/ALPHV got into Change Healthcare via T1078 Valid Accounts - stolen credentials for a critical service with no MFA. Then lateral movement via T1021 Remote Services, collection (T1114 Email Collection), T1041 Exfiltration Over C2 Channel and finally T1486 Data Encrypted for Impact. The result: a payment of about $22 million and mass disruption of US healthcare. One account without MFA, and $22 million is gone.
Attacks on Snowflake customers (2024)
The threat actor used credentials stolen by infostealers as far back as 2020 to access about 160 Snowflake instances, including those of AT&T and Ticketmaster. None of the compromised accounts used MFA. Four-year-old creds turned out to be valid: the user had changed the password on the main account but forgot about Snowflake. Classic story: the main account gets rotated, and nobody remembers the side service.
MOVEit Transfer - CVE-2023-34362
SQL injection in MOVEit Transfer (CVE-2023-34362, CVSS 9.8 Critical, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, CWE-89) let an unauthenticated attacker reach the database via HTTP requests. The vulnerability affected Progress MOVEit Transfer and MOVEit Cloud and was added to the CISA KEV on June 2, 2023 as actively exploited. Here the initial access is T1190 Exploit Public-Facing Application, but the rest of the kill chain is identical: credential harvesting from the database, lateral movement, exfiltration, ransomware.
Volt Typhoon - APT Group and Stolen Accounts
A separate case is APT. Since 2019 the Chinese group Volt Typhoon has penetrated US critical infrastructure facilities via T1078 Valid Accounts and outdated routers. Their TTPs differ from ransomware groups: instead of encryption, long-term presence and preparation for destructive action. Lateral movement via T1021 Remote Services, evasion via T1070 Indicator Removal, and living off the land - T1059 Command and Scripting Interpreter (PowerShell, T1059.001) instead of a custom beacon. No custom C2, no zero-day. Only legitimate tools and other people's accounts.

Lateral movement techniques through stolen account details
[Applicable: internal pentest, grey box - with low-privileged credentials]

Having obtained initial access with compromised creds, the attacker moves towards domain admin. Lateral movement rests on three techniques.
T1021 Remote Services
[Applicable: internal pentest, legacy and modern infrastructure]

RDP, SMB, WinRM - standard administration protocols. With a password or NTLM hash in hand: impacket-psexec (SMB), evil-winrm (WinRM), xfreerdp (RDP). On an internal pentest with issued low-privileged creds, the first step is recon: fingerprint the reachable hosts with crackmapexec smb <subnet>/24 -u user -p password --shares, then check password reuse across the subnet. It is amazing how often the same password opens a dozen machines.
T1003 OS Credential Dumping
[Applicable: internal pentest. On modern infrastructure with Credential Guard - limited]

Once established on a host - LSASS dump to extract NTLM hashes and Kerberos tickets. Mimikatz (sekurlsa::logonpasswords) is the standard tool, but it is detected out of the box.

Detection by vendor:
• CrowdStrike Falcon: intercepts access to the LSASS process through user-mode hooks and kernel-level monitoring. A direct dump via Mimikatz is detected without additional configuration
• Elastic 8.x+: uses ETW-TI (Event Tracing for Windows - Threat Intelligence) to detect credential dumping at kernel level. T1003.001 (LSASS Memory) is covered by Elastic Defend since version 8.4+
• SentinelOne: behavioural analysis blocks LSASS access patterns, including direct syscalls and ntdll unhooking
When the technique does NOT work: Credential Guard (Windows 10+) isolates LSASS secrets in a virtualization-based environment, so a straight hash dump is impossible. Remote Credential Guard does not pass credentials to the remote host. On legacy infrastructure (Windows Server 2012/2016 without Credential Guard), Pass-the-Hash via impacket-wmiexec -hashes :NTLM_HASH and Kerberoasting via impacket-GetUserSPNs remain the main path to privilege escalation. The difference between "caught on modern" and "caught on legacy" is night and day.
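What the vendor detections above boil down to when written by hand, as an added example that is not code from the post or any vendor's rule: Sysmon Event ID 10 (ProcessAccess) records every handle opened to lsass.exe with the access mask granted. Instead of enumerating the masks Mimikatz is known to request (0x1010, 0x1410, 0x1FFFFF and so on), the rule tests for the PROCESS_VM_READ bit (0x0010), which any memory read of LSASS must carry, and drops known legitimate readers. The input is a constructed, flattened rendering of Sysmon 10 events with the real field names; the allowlist is an assumption to tune per environment. On a Credential Guard host the open still happens and still logs, the dump simply contains no secrets, so this telemetry flags the attempt in both the modern and the legacy case.

```python
# Added example: LSASS memory-read detection from Sysmon Event ID 10 records.
# Not code from the post or from any vendor; sample events are constructed.
import re

PROCESS_VM_READ = 0x0010           # any mask that can read LSASS memory carries this bit
LSASS = "lsass.exe"

# Assumed benign readers (hypothetical starting point). Matching on basename alone is
# spoofable: a renamed dumper passes. Production rules also check full path and signer.
ALLOWED_SOURCE_BASENAMES = {"csrss.exe", "wininit.exe", "msmpeng.exe", "wmiprvse.exe"}

# Constructed sample events (raw strings because of the backslashes in Windows paths).
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Users\Public\mk.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Windows\System32\rundll32.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Users\Public\mk.exe TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1010",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe",
]

FIELD = re.compile(r"(\w+)=(\S+)")


def basename(path: str) -> str:
    """Last path component, lower-cased; Sysmon writes lsass.exe with mixed-case directories."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    return dict(FIELD.findall(line))


def is_lsass_read(event: dict) -> bool:
    """True when a non-allowlisted process opened lsass.exe with a mask that permits memory reads."""
    if event.get("EventID") != "10":
        return False
    if basename(event.get("TargetImage", "")) != LSASS:
        return False
    access = int(event.get("GrantedAccess", "0"), 16)
    if not access & PROCESS_VM_READ:
        return False                        # e.g. 0x1000 PROCESS_QUERY_LIMITED_INFORMATION: harmless
    return basename(event.get("SourceImage", "")) not in ALLOWED_SOURCE_BASENAMES


def detect_lsass_access(lines) -> list[dict]:
    """Return the offending events with the source image and access mask for the alert."""
    alerts = []
    for line in lines:
        e = parse_event(line)
        if is_lsass_read(e):
            alerts.append({"source": basename(e["SourceImage"]),
                           "granted_access": int(e["GrantedAccess"], 16)})
    return alerts


if __name__ == "__main__":
    for a in detect_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT lsass read by {a['source']} mask=0x{a['granted_access']:X}")
```

The rundll32.exe hit with full access is the comsvcs.dll MiniDump variant the post's "detected out of the box" remark covers just as much as Mimikatz: the source binary is legitimate, which is why the rule keys on the target and the mask rather than on the tool.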
 