#stealer

Infostealer infrastructure (URLs, domains, IPs, hashes) - panels, payloads and credential exfil endpoints

Subscribe (RSS)

IOCs by window (IOCs tagged #stealer)

Today: 0 · Week: 11 · Month: 88 · Year: 809

Counts as of 2026-05-20. Regenerated daily.

About #stealer

  • Definition: malware family class focused on harvesting credentials, browser cookies, crypto wallets, autofill data, FTP / SSH keys and other secrets, then exfiltrating them to operator panels. MITRE ATT&CK technique T1555 (Credentials from Password Stores, with T1555.003 for browser stores) covers the credential-grab phase; cookie theft maps to T1539 (Steal Web Session Cookie) and the upload to the panel to T1041 (Exfiltration Over C2 Channel).
  • Common families: Lumma (LummaC2), RedLine, Vidar, Raccoon, MetaStealer, AgentTesla, FormBook (info-stealer mode), Stealc.
  • Detection: EDR rules that flag non-browser processes reading browser credential stores (Chromium's "Login Data" / "Cookies" SQLite files together with the DPAPI-protected key in "Local State", Firefox's logins.json / key4.db), blocklists of panel and exfil URLs, YARA on packed loaders, and credential-monitoring services that alert when an organisation's credentials surface in stealer logs on marketplaces.
  • References: MITRE ATT&CK T1555 · per-family tags #Lumma.
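As an added illustration of the first detection bullet (example code written for this page, not part of TweetFeed or any EDR product): a small rule that runs over file-access events and raises an alert when a process that is not a browser reads browser credential stores. The event shape, the process allowlist and the sample events are constructed assumptions; real EDR telemetry will use its own field names. A single read is reported at low severity, while one process touching two or more distinct store files (a stealer needs the DPAPI-wrapped key from "Local State" as well as "Login Data" or "Cookies") is reported as high.

```python
import re
from dataclasses import dataclass

# Chromium-family files that hold the secrets stealers go after (assumption: on-disk layout of
# current Chrome/Edge/Brave profiles). "Local State" carries the DPAPI-wrapped AES key that
# unlocks "Login Data" and "Cookies"; "Web Data" holds autofill.
CHROMIUM_SECRETS = re.compile(
    r"\\User Data\\(?:Local State|[^\\]+\\(?:Login Data|Web Data|Cookies|Network\\Cookies))$",
    re.IGNORECASE)
# Firefox keeps logins in logins.json, the key that decrypts them in key4.db, cookies in cookies.sqlite.
FIREFOX_SECRETS = re.compile(
    r"\\Profiles\\[^\\]+\\(?:logins\.json|key4\.db|cookies\.sqlite)$", re.IGNORECASE)

# Processes allowed to read their own stores. Backup and profile-sync agents will need local
# additions here; that is tuning, not a defect of the rule.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}


@dataclass(frozen=True)
class FileAccess:
    """Hypothetical file-access event (field names are an assumption, not an EDR schema)."""
    pid: int
    image: str    # full path of the process image
    target: str   # file that was opened
    access: str   # "read" or "write"


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return a reason string when the event looks like credential-store theft, else None."""
    if ev.access != "read":
        return None
    if CHROMIUM_SECRETS.search(ev.target):
        store = "chromium"
    elif FIREFOX_SECRETS.search(ev.target):
        store = "firefox"
    else:
        return None
    if image_name(ev.image) in BROWSER_IMAGES:
        return None
    return f"{store} credential store read by non-browser {image_name(ev.image)} (pid {ev.pid})"


def correlate(events, min_files=2):
    """Group hits per pid; return [(pid, severity, [files])], high when >= min_files distinct stores."""
    hits = {}
    for ev in events:
        if classify(ev):
            hits.setdefault(ev.pid, set()).add(ev.target)
    return [(pid, "high" if len(files) >= min_files else "low", sorted(files))
            for pid, files in sorted(hits.items())]


# Constructed sample: a browser reading its own store (benign), a dropped setup.exe reading the
# key plus passwords plus cookies (the classic stealer pattern), and an odd process reading one
# Firefox file (worth a look, weaker signal).
SAMPLE_EVENTS = [
    FileAccess(3020, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data", "read"),
    FileAccess(4412, r"C:\Users\alice\AppData\Local\Temp\setup.exe",
               r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State", "read"),
    FileAccess(4412, r"C:\Users\alice\AppData\Local\Temp\setup.exe",
               r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data", "read"),
    FileAccess(4412, r"C:\Users\alice\AppData\Local\Temp\setup.exe",
               r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies", "read"),
    FileAccess(4412, r"C:\Users\alice\AppData\Local\Temp\setup.exe",
               r"C:\Users\alice\AppData\Local\Temp\out.zip", "write"),
    FileAccess(5100, r"C:\Users\alice\AppData\Roaming\Notes\notes.exe",
               r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9.default-release\key4.db", "read"),
    FileAccess(2200, r"C:\Program Files\Mozilla Firefox\firefox.exe",
               r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9.default-release\logins.json", "read"),
]

if __name__ == "__main__":
    for pid, severity, files in correlate(SAMPLE_EVENTS):
        print(f"[{severity}] pid {pid} read {len(files)} credential store file(s)")
        for f in files:
            print("    ", f)
```

The per-pid correlation is what keeps the rule useful: a legitimate tool that reads one store file once is a low-severity lead, while a process that reads the key, the password database and the cookie database within one run matches how stealers actually operate and deserves immediate triage.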

Recent IOCs tagged #stealer

Latest 10 IOCs from the past 30 days (hashes are truncated for display). Live JSON: api.tweetfeed.live/v1/month/stealer.

Date Type Value Source
May 15, 18:30 domain cyber.netsecops.io @NetSecIO
May 15, 18:30 url http://cyber.netsecops.io @NetSecIO
May 15, 09:54 md5 b0d1c3dec824760a58c2a138fe2f27c9 @suyog41
May 14, 13:26 sha256 0bf1eda8374ff2e3eb705e37eac8d65750a4d85454f535346100056399eb... @GenThreatLabs
May 14, 13:26 sha256 e72ec2cbe762ca672a14a7ee660c0cab61ba020267c56f9ab8982e3be1f6... @GenThreatLabs
May 14, 13:26 sha256 58fe4ed4bc57c28b4da6b9230ff4c9d62528cdc00bba79b9f105d2a74242... @GenThreatLabs
May 14, 08:47 ip 178.16.53.166 @Fact_Finder03
May 14, 06:06 ip 194.163.148.133 @Fact_Finder03
May 14, 06:06 sha256 892aa7559852a22b8bc7a38df7c2f2cdd866e4c28a8177d80df6190d2eb6... @Fact_Finder03
May 14, 04:18 domain cherepahanataha.com @masaomi346
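The table above is a rendering of the same data the live JSON endpoint serves. As an added example (written for this page, not TweetFeed's own code), the following turns such a feed into validated blocklists: it keeps only records carrying the requested tag, checks that each value is well-formed for its declared type, derives the host from URL indicators so it can be blocked at DNS or the proxy, and sets aside anything malformed instead of silently ingesting it. The record field names are an assumption about the v1 JSON shape, and the embedded sample is constructed from the rows shown on this page plus two deliberately bad records (a truncated hash and a differently tagged IOC). Tagging on TweetFeed comes from community tweets, so vet entries before pushing them into an automated block.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Assumed record shape of the TweetFeed v1 JSON (one object per IOC; field names are an
# assumption, not quoted from the page):
#   {"date": ..., "user": "@handle", "type": "domain|url|ip|md5|sha1|sha256",
#    "value": ..., "tags": ["#stealer", ...]}
# Constructed sample mirroring the rows on this page. The sha256 is truncated exactly as the page
# displays it, and the last record carries a different tag, to exercise filtering and validation.
SAMPLE_FEED = """[
  {"date": "2026-05-15 18:30", "user": "@NetSecIO",      "type": "domain", "value": "cyber.netsecops.io",        "tags": ["#stealer"]},
  {"date": "2026-05-15 18:30", "user": "@NetSecIO",      "type": "url",    "value": "http://cyber.netsecops.io", "tags": ["#stealer"]},
  {"date": "2026-05-15 09:54", "user": "@suyog41",       "type": "md5",    "value": "b0d1c3dec824760a58c2a138fe2f27c9", "tags": ["#stealer"]},
  {"date": "2026-05-14 08:47", "user": "@Fact_Finder03", "type": "ip",     "value": "178.16.53.166",             "tags": ["#stealer"]},
  {"date": "2026-05-14 06:06", "user": "@Fact_Finder03", "type": "ip",     "value": "194.163.148.133",           "tags": ["#stealer"]},
  {"date": "2026-05-14 04:18", "user": "@masaomi346",    "type": "domain", "value": "cherepahanataha.com",       "tags": ["#stealer"]},
  {"date": "2026-05-14 13:26", "user": "@GenThreatLabs", "type": "sha256", "value": "0bf1eda8374ff2e3eb705e37eac8d65750a4d85454f535346100056399eb...", "tags": ["#stealer"]},
  {"date": "2026-05-14 12:00", "user": "@constructed",   "type": "domain", "value": "not-a-stealer.example",     "tags": ["#phishing"]}
]"""

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def load_feed(text):
    """Parse the feed body; the endpoint is expected to return a JSON array of records."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of IOC records")
    return data


def validate(ioc_type, value):
    """Return the canonical value if it is well-formed for its declared type, else None."""
    v = value.strip()
    if ioc_type == "domain":
        v = v.lower().rstrip(".")
        return v if DOMAIN_RE.match(v) else None
    if ioc_type == "ip":
        try:
            return str(ipaddress.ip_address(v))
        except ValueError:
            return None
    if ioc_type == "url":
        parts = urlsplit(v)
        return v if parts.scheme in ("http", "https") and parts.hostname else None
    if ioc_type in HASH_LEN:
        v = v.lower()
        return v if re.fullmatch(rf"[0-9a-f]{{{HASH_LEN[ioc_type]}}}", v) else None
    return None


def build_blocklists(records, tag="#stealer"):
    """Split tagged, validated IOCs into sorted host / ip / url / hash lists plus a rejects list."""
    out = {"hosts": set(), "ips": set(), "urls": set(), "hashes": set(), "rejected": []}
    for rec in records:
        if tag not in rec.get("tags", []):
            continue                      # other tags are simply not ours; not an error
        ioc_type = rec.get("type", "")
        canon = validate(ioc_type, str(rec.get("value", "")))
        if canon is None:
            out["rejected"].append((ioc_type, rec.get("value"), rec.get("user")))
            continue
        if ioc_type == "domain":
            out["hosts"].add(canon)
        elif ioc_type == "ip":
            out["ips"].add(canon)
        elif ioc_type == "url":
            out["urls"].add(canon)
            host = urlsplit(canon).hostname.lower()   # also block the host itself at DNS/proxy
            try:
                out["ips"].add(str(ipaddress.ip_address(host)))
            except ValueError:
                out["hosts"].add(host)
        else:
            out["hashes"].add(canon)
    return {k: (sorted(v) if isinstance(v, set) else v) for k, v in out.items()}


if __name__ == "__main__":
    lists = build_blocklists(load_feed(SAMPLE_FEED))
    for kind in ("hosts", "ips", "urls", "hashes"):
        print(kind, lists[kind])
    for ioc_type, value, user in lists["rejected"]:
        print(f"rejected {ioc_type} from {user}: {value!r}")
```

Note that the URL and domain rows for the same host collapse into a single host entry, and the truncated hash is rejected rather than loaded as a useless indicator; fetch full hash values from the JSON endpoint rather than copying them from the table.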

Related tags

Tags that frequently co-occur with #stealer.

See all tags on the Dashboard or browse the full IOC feed.

Frequently asked questions

What is an infostealer?

An infostealer is a class of malware focused on data theft rather than long-term persistence or destruction; many run once, exfiltrate and exit. Once executed, it harvests credentials from browsers, cookies, crypto wallets, autofill data, FTP / SSH keys and similar secrets, then exfiltrates them to an operator-controlled panel. Stolen credentials are typically resold on criminal marketplaces.

How do credentials from stealers end up being used?

Operators bundle stolen credentials into "logs" sold on marketplaces. Buyers - often initial-access brokers or ransomware affiliates - replay the credentials against the victim's enterprise services (corporate email, VPNs, cloud consoles, single sign-on). Logs usually contain session cookies as well as passwords, so a still-valid cookie lets the buyer skip MFA entirely; resetting the password without revoking active sessions does not close that door. Successful re-use frequently leads to more serious downstream intrusions.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Stealer-tagged IOCs appear in those feeds and in the live JSON endpoint within the next 15-minute tick; the counts and table on this page are regenerated once a day by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Stealer subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Stealer IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).