Hackers Dropping Mid-Heist Selfies

Black Hat USA 2025 · Day 1 · Briefings

Researchers built a two-layer LLM pipeline to analyze over 15 million screenshots automatically captured by information-stealer malware at the moment of infection. By encoding analyst intuition as structured prompt engineering, the system extracts infection vectors, live indicators of compromise (IoCs), and campaign themes at scale. This revealed two active campaigns (Midjourney and "Blitz Java"), each accounting for five to six percent of all infections in the dataset, and exposed a systematic playbook that threat actors use to lure and infect victims.

AI review

Fifteen million info-stealer screenshots analyzed by an LLM pipeline at $0.003 each — the two-layer architecture is smart, the Blitz Java Google Ads campaign is a clean case study, and live IoC extraction from malware crime-scene selfies is genuinely useful. A bit thin on threat actor novelty, but the operational tooling is real.
