#stealer

Infostealer infrastructure (URLs, domains, IPs, hashes) - panels, payloads and credential exfil endpoints


IOCs by window (IOCs tagged #stealer)

Today: 13 · Week: 20 · Month: 116 · Year: 871

Counts as of 2026-04-29. Regenerated daily.

About #stealer

  • Definition: malware family class focused on harvesting credentials, browser cookies, crypto wallets, autofill data, FTP / SSH keys and other secrets, then exfiltrating to operator panels. MITRE ATT&CK technique T1555 (Credentials from Password Stores) covers the credential-grab phase.
  • Common families: Lumma (LummaC2), RedLine, Vidar, Raccoon, MetaStealer, AgentTesla, FormBook (info-stealer mode), Stealc.
  • Detection: EDR rules that flag unexpected processes reading browser credential stores (the DPAPI-protected SQLite databases), blocklists of known panel URLs and domains, YARA rules on packed loaders, and credential-monitoring services that alert when stolen credentials appear in marketplaces.
  • References: MITRE ATT&CK T1555 · per-family tags #Lumma.

Recent IOCs tagged #stealer

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/stealer.

Date Type Value Source
Apr 29, 11:17 domain qusetagent.com @suyog41
Apr 29, 11:17 url http://qusetagent.com @suyog41
Apr 29, 11:17 md5 dcb3f8501b0e060ef5a180d9605d6681 @suyog41
Apr 29, 10:33 domain cloud-verificate.com @suyog41
Apr 29, 10:33 url http://cloud-verificate.com @suyog41
Apr 29, 10:33 md5 f920747af86b9e42e38a530ff977b499 @suyog41
Apr 29, 08:20 md5 229a945794ad056001982803a6a58a8c @suyog41
Apr 29, 06:55 url http://stake-casino.stream @suyog41
Apr 29, 06:55 domain iuta.today @suyog41
Apr 29, 06:55 url http://iuta.today @suyog41

Related tags

Tags that frequently co-occur with #stealer.


Frequently asked questions

What is an infostealer?

An infostealer is a class of malware focused on data theft rather than persistence or destruction. Once executed, it harvests credentials from browsers, cookies, crypto wallets, autofill data, FTP / SSH keys and similar secrets, then exfiltrates them to an operator-controlled panel. Stolen credentials are typically resold on criminal marketplaces.

How do credentials from stealers end up being used?

Operators bundle stolen credentials into "logs" sold on marketplaces. Buyers - often initial-access brokers or ransomware affiliates - replay the credentials against the victim's enterprise services (corporate email, VPNs, cloud consoles, single-sign-on). Successful re-use frequently leads to more serious downstream intrusions.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Stealer-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.
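The detection bullet above mentions panel-URL blocklists, and this answer describes the JSON output of the pipeline. The following is an added example of a feed consumer, not TweetFeed's own code: it takes records in the shape the API is assumed to return (fields date, user, type, value, tags; this field layout is an assumption), filters them by tag, validates each indicator, and routes it to the control that can act on it (DNS RPZ for domains, a URL filter, a hash list for EDR, an IP list). The sample records are constructed inline from the table above plus a few deliberately malformed or off-topic entries; 203.0.113.7 is from the documentation range and is not an indicator.

```python
"""Route TweetFeed-style #stealer IOCs into per-control blocklists (added example)."""
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed sample feed. Field names mirror the assumed TweetFeed v1 JSON shape;
# the first eight values come from the table on this page, the rest are made up
# to exercise validation paths.
SAMPLE_FEED_JSON = json.dumps([
    {"date": "2026-04-29 11:17", "user": "suyog41", "type": "domain", "value": "qusetagent.com", "tags": ["#stealer"]},
    {"date": "2026-04-29 11:17", "user": "suyog41", "type": "url", "value": "http://qusetagent.com", "tags": ["#stealer"]},
    {"date": "2026-04-29 11:17", "user": "suyog41", "type": "url", "value": "http://qusetagent.com", "tags": ["#stealer"]},  # duplicate
    {"date": "2026-04-29 11:17", "user": "suyog41", "type": "md5", "value": "dcb3f8501b0e060ef5a180d9605d6681", "tags": ["#stealer"]},
    {"date": "2026-04-29 10:33", "user": "suyog41", "type": "domain", "value": "cloud-verificate.com", "tags": ["#stealer"]},
    {"date": "2026-04-29 10:33", "user": "suyog41", "type": "url", "value": "http://cloud-verificate.com", "tags": ["#stealer"]},
    {"date": "2026-04-29 10:33", "user": "suyog41", "type": "md5", "value": "f920747af86b9e42e38a530ff977b499", "tags": ["#stealer"]},
    {"date": "2026-04-29 06:55", "user": "suyog41", "type": "url", "value": "http://stake-casino.stream", "tags": ["#stealer"]},
    {"date": "2026-04-29 06:55", "user": "suyog41", "type": "domain", "value": "iuta.today", "tags": ["#stealer"]},
    {"date": "2026-04-29 06:55", "user": "suyog41", "type": "url", "value": "http://iuta.today", "tags": ["#stealer"]},
    {"date": "2026-04-29 06:00", "user": "example", "type": "md5", "value": "notahash", "tags": ["#stealer"]},  # constructed: malformed
    {"date": "2026-04-29 06:00", "user": "example", "type": "url", "value": "http://203.0.113.7/", "tags": ["#stealer"]},  # constructed: IP host
    {"date": "2026-04-29 06:00", "user": "example", "type": "domain", "value": "Example.org.", "tags": ["#phishing"]},  # constructed: other tag
])

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def parse_feed(text):
    """Parse the JSON document into a list of record dicts."""
    return json.loads(text)


def normalize_domain(value):
    """Lowercase, strip a trailing dot, and reject anything that is not a hostname."""
    host = value.strip().lower().rstrip(".")
    return host if DOMAIN_RE.match(host) else None


def classify_host(host):
    """Decide whether a URL host belongs in the IP list or the DNS blocklist."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "dns" if normalize_domain(host) else None


def route_ioc(ioc_type, value):
    """Return (bucket, value) pairs for one indicator, or [] if it is malformed."""
    value = value.strip()
    if ioc_type == "domain":
        host = normalize_domain(value)
        return [("dns", host)] if host else []
    if ioc_type == "ip":
        try:
            return [("ip", str(ipaddress.ip_address(value)))]
        except ValueError:
            return []
    if ioc_type == "url":
        parts = urlsplit(value)
        host = parts.hostname or ""  # .hostname is lowercased and port-free
        if parts.scheme not in ("http", "https") or not host:
            return []
        kind = classify_host(host)
        # Block the full URL on the proxy and the host on DNS/IP controls as well,
        # since the same panel is usually reachable under other paths.
        return [("url", value), (kind, host)] if kind else []
    if ioc_type in ("md5", "sha256"):
        digest = value.lower()
        pattern = MD5_RE if ioc_type == "md5" else SHA256_RE
        return [("hash", digest)] if pattern.match(digest) else []
    return []


def build_blocklists(records, tag="#stealer"):
    """Deduplicate and route every record carrying `tag`; collect malformed ones."""
    buckets = {"dns": set(), "ip": set(), "url": set(), "hash": set()}
    rejected = []
    for rec in records:
        if tag not in rec.get("tags", []):
            continue
        routed = route_ioc(rec.get("type", ""), rec.get("value", ""))
        if not routed:
            rejected.append(rec)  # keep for manual review rather than silently dropping
            continue
        for bucket, val in routed:
            buckets[bucket].add(val)
    return buckets, rejected


def to_rpz(domains):
    """Render a DNS response-policy-zone fragment blocking each domain and its subdomains."""
    lines = []
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


if __name__ == "__main__":
    buckets, rejected = build_blocklists(parse_feed(SAMPLE_FEED_JSON))
    for name, values in buckets.items():
        print(f"{name}: {len(values)} entries")
    print(f"rejected: {len(rejected)}")
    print("\n".join(to_rpz(buckets["dns"])))
```

The feed is refreshed every 15 minutes, so a real consumer would poll the live endpoint, keep the rejected list for review, and age entries out of the blocklists rather than accumulating them forever.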

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Stealer subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Stealer IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).