#stealer

Infostealer infrastructure (URLs, domains, IPs, hashes) - panels, payloads and credential exfil endpoints

Subscribe (RSS)



IOCs by window (counts as of 2026-06-09, regenerated daily)

Today: 0 IOCs tagged #stealer
Week: 10 IOCs tagged #stealer
Month: 62 IOCs tagged #stealer
Year: 747 IOCs tagged #stealer

About #stealer

  • Definition: a class of malware families focused on harvesting credentials, browser cookies, crypto wallets, autofill data, FTP / SSH keys and other secrets, then exfiltrating them to operator panels. MITRE ATT&CK technique T1555 (Credentials from Password Stores) covers the credential-grab phase.
  • Common families: Lumma (LummaC2), RedLine, Vidar, Raccoon, MetaStealer, AgentTesla, FormBook (info-stealer mode), Stealc.
  • Detection: EDR rules on reads of browser DPAPI-protected secrets and SQLite credential stores, blocklists of known panel URLs, YARA rules for packed loaders, and credential-monitoring services that alert when stolen credentials appear in marketplaces.
  • References: MITRE ATT&CK T1555 · per-family tags #Lumma.

Recent IOCs tagged #stealer

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/stealer.

Date           Type    Value                                        Source
Jun 08, 07:37  domain  cloud.mail.ru                                @askardyuss
Jun 08, 07:37  url     https://cloud.mail.ru/public/RFLP/RVckpRqm1  @askardyuss
Jun 08, 07:37  md5     ed73908c65575cae4ae7debf23220056             @askardyuss
Jun 08, 07:37  md5     9ff0d43cc02136108bcc9744240c3aa7             @askardyuss
Jun 08, 05:17  domain  maplecirrus.com                              @masaomi346
Jun 08, 05:17  url     http://maplecirrus.com                       @masaomi346
Jun 07, 07:20  domain  cedar64.com                                  @masaomi346
Jun 07, 07:20  url     http://cedar64.com                           @masaomi346
Jun 05, 05:45  ip      147.124.212.183                              @K_N1kolenko
Jun 05, 05:45  ip      194.156.79.225                               @K_N1kolenko

Related tags

Tags that frequently co-occur with #stealer.


Frequently asked questions

What is an infostealer?

An infostealer is a class of malware focused on data theft rather than persistence or destruction. Once executed, it harvests credentials from browsers, cookies, crypto wallets, autofill data, FTP / SSH keys and similar secrets, then exfiltrates them to an operator-controlled panel. Stolen credentials are typically resold on criminal marketplaces.

How do credentials from stealers end up being used?

Operators bundle stolen credentials into "logs" sold on marketplaces. Buyers - often initial-access brokers or ransomware affiliates - replay the credentials against the victim's enterprise services (corporate email, VPNs, cloud consoles, single-sign-on). Successful re-use frequently leads to more serious downstream intrusions.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Stealer-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Stealer subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Stealer IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).