Terminology
Here you can find a glossary of various terms associated with the topic of infostealers, with explanations of how HackedList.io can help.
🦠 Infostealer malware
A type of malicious software that steals information from the victim's computer and sends it to the attacker's server. Such information might include:
- All passwords stored in the browser
- Cookie files
- Screenshots
- Browsing history
- List of downloaded files
- Autofill information saved by the user
- Sensitive documents stored on the disk
- VPN access
- Access to email accounts (Outlook, Thunderbird, etc.)
- Access to IM applications (Telegram, Discord, etc.)
This information is often exploited by other threat actors to gain access to the network of the victim's employer.
Some examples of known infostealer malware families include:
- RedLine
- META stealer
- LummaC2
- Rhadamanthys
- Vidar
- Raccoon stealer
- RisePro
- StealC
- Monster stealer
In total, we have detected over 60 different infostealer output formats, and our research shows that the landscape is constantly evolving: older, unmaintained malware families are continually being replaced by newer ones.
You can read more about the infostealer ecosystem in our blog post.
What can HackedList.io do about that?
While it is nearly impossible to prevent an infostealer infection, especially when you do not have full control over your employees' devices, HackedList.io can help you detect that an infection has happened before an attack using the stolen credentials takes place.
🛒 (Darknet) marketplace
A darknet marketplace is (usually) a website, often accessible only through Tor, that allows trading in various illicit goods, from drugs to stolen information. When attackers want to monetize the data they obtained by spreading infostealer malware, they often upload it to such a marketplace, which lets other threat actors search through the available records and buy those that are relevant to them.
Examples of known marketplaces focusing on selling data obtained by infostealer infections:
- Russian Market (active as of 2025-01-21)
- Exodus Market (active as of 2025-01-21)
- Genesis Market (defunct)
- 2Easy (defunct)
In total, millions of records (where each record means one infected computer) are being advertised on these platforms, with thousands more being added every day.
What can HackedList.io do about that?
We automatically monitor these marketplaces with a set of up-to-date scrapers and notify our users when their data is detected for sale. On request, which can be submitted through our Portal, we can also obtain this information for you so that you can take immediate action.
📁 "Log" / package
While confusing at first, a "log" in the infostealer context simply means "a package with all the information the malware was able to extract from the infected machine". It is a folder or compressed archive containing a number of .txt files, sometimes also a screenshot of the compromised device and documents (.docx, .pdf and similar) extracted from the user's filesystem.
Structure of the "log" might look like this:
./ImportantAutofills.txt
./Cookies
./Cookies/Microsoft_[Edge]_Default Network.txt
./InstalledBrowsers.txt
./InstalledSoftware.txt
./ProcessList.txt
./DomainDetects.txt
./Passwords.txt
./UserInformation.txt
./Autofills
./Autofills/Google_[Chrome]_Default.txt
./Screenshot.jpg
The names of the files and their contents differ between the various malware types, but the overall layout is similar across all of them.
What can HackedList.io do about that?
We automatically process thousands of such packages every day, constantly developing and updating our parsers to cover all types of infostealers that are out there. The information extracted from these packages is stored in our ever-growing database, which is the core of our product.
☁️ "Log cloud"
A log cloud is a service that provides its users with more or less recent logs on a regular basis. It might take the form of a Telegram channel, a dedicated website, a MEGA.nz folder accessible only to those who paid a fee, or any other channel; the principle is the same.
Their administrators seek to monetize logs (either their own or ones found elsewhere) by selling them in bulk to those willing to pay. While on a darknet marketplace you usually pay for one specific log, by subscribing to a log cloud you can get access to thousands of them at once, every day. These logs are often of worse quality than those found on darknet marketplaces, yet they can still provide significant value to a threat actor willing to spend time going through them.
You can read more about the way log clouds operate in our blog post.
What can HackedList.io do about that?
HackedList.io operates a network of darknet crawlers and Telegram bots that constantly look for new log clouds. We infiltrate such channels on your behalf and give you easy access to the data we obtained there through our Portal.
📝 Combolist / ULP
With each log being anywhere from a few kilobytes to a few megabytes in size, a whole log cloud can amount to dozens of terabytes. Many attackers are only interested in the combination of URL, username and password (or just email and password) and do not need the whole package. Actors distributing the stolen material came up with a solution to this problem: they combine all the extracted URL/username/password combinations into a single text file, with each line containing one credential entry.
Attackers can then simply search through one large text file instead of going through terabytes of data they have no use for. Such text files are commonly known as ULP lists (the name comes from the URL:Login:Password format) or combolists (because they are a combination of credentials found in many different places).
Our research shows that ULP lists mostly contain exactly the same information that can be found in the traditional log clouds (because they are composed from files found there), although they sometimes contain something extra (when a threat actor decides to publish their data only in the form of a ULP list).
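As an added example (not code from HackedList.io), the following Python parses the URL:Login:Password layout described above, including the "email + password" variant, and runs the check a defender would want: which entries in a leaked list concern a given domain, either as a target site or as a user's e-mail. The sample lines are constructed; the regular expressions and the domain-matching rule are assumptions about the format, not a specification from the page.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit
# A ULP line is URL:Login:Password, but the URL carries ':' (scheme, optional
# port) and passwords often do too. Anchor on the scheme://host[:port][/path]
# shape and take everything after the second separator as the password.
# Known limitation: a ':' inside the URL path defeats the pattern.
ULP_RE = re.compile(
    r"^(?P<url>[A-Za-z][A-Za-z0-9+.-]*://[^:/\s]+(?::\d+)?(?:/[^:\s]*)?)"
    r":(?P<login>[^:\s]+):(?P<password>.*)$"
)
# The shorter "email + password" variant mentioned above: login:password.
LP_RE = re.compile(r"^(?P<login>[^:\s@]+@[^:\s]+):(?P<password>.*)$")
@dataclass
class Credential:
    url: Optional[str]
    login: str
    password: str
    @property
    def host(self) -> Optional[str]:
        return urlsplit(self.url).hostname if self.url else None

def parse_ulp_line(line: str) -> Optional[Credential]:
    """Parse one line; None means malformed or an unsupported layout."""
    line = line.rstrip("\r\n")
    if m := ULP_RE.match(line):
        return Credential(m["url"], m["login"], m["password"])
    if m := LP_RE.match(line):
        return Credential(None, m["login"], m["password"])
    return None

def exposed_for_domain(lines, domain: str) -> list:
    """Defender's check: entries whose target host or login e-mail is on `domain`."""
    domain = domain.lower()
    hits = []
    for cred in filter(None, map(parse_ulp_line, lines)):
        host = (cred.host or "").lower()
        login_domain = cred.login.lower().rpartition("@")[2] if "@" in cred.login else ""
        if host == domain or host.endswith("." + domain) or login_domain == domain:
            hits.append(cred)
    return hits

# Constructed sample lines (not real leaked data).
SAMPLE_LINES = [
    "https://portal.example.com:8443/login:alice@example.com:Pa:ss:word",
    "https://shop.invalid/account:bob:hunter2",
    "carol@example.com:secret",
    "not a valid line",
]
```

Running `exposed_for_domain(SAMPLE_LINES, "example.com")` returns the first and third entries; the password containing colons and the URL with a port are both parsed correctly, and the malformed line is skipped.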
You can read more about ULP lists and combolists in our blog post.
What can HackedList.io do about that?
We have already started gathering this type of data and are in the process of integrating it into the Portal. This functionality will be available soon to all our users.