2025-06-21, Track 1 (UC Conf. Rm. A, 2nd Floor)
Infostealers are central to today’s cybercrime economy, enabling large-scale credential theft and driving an ecosystem of illicit trade. This talk examines the infostealer lifecycle, the mass resale of stolen data through automated platforms, and how their accessibility sustains a growing criminal market. It also explores the economic structures that enable this malware-as-a-service model and its implications for defenders attempting to curtail its use by adversaries.
Infostealers have become a central feature of the modern threat landscape, increasingly used by both cybercriminals and state-aligned actors. These tools, once seen as opportunistic malware, now play a consistent role in incidents across sectors. Mandiant reported that stolen credentials appeared in 16 percent of intrusions it investigated in 2024, illustrating how credential theft has become a routine part of adversary operations.
This talk explores the growing operational role of infostealers and their integration into broader attack chains. These tools silently extract sensitive data such as credentials, cookies, and autofill information, which are packaged into logs and sold at scale. The commodification of these logs enables a wide range of follow-on activity, including account takeovers, lateral movement, and ransomware deployment.
We will examine key infostealer families, how they are distributed through malware-as-a-service models, and how adversaries use this data to bypass authentication and establish persistent access. Logs harvested by infostealers often end up in automated markets or Telegram channels, where they are reused by multiple actors, blurring the line between financially motivated crime and targeted espionage.
The session also highlights detection and response challenges. Credential logs can be used long after initial compromise, making it difficult to link access to a single intrusion. Their use by both low-level threat actors and sophisticated groups complicates attribution and undermines traditional perimeter defenses.
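As an added illustration of the detection problem just described (example code written for this page, not material from the talk or the speaker), the snippet below shows one way a defender can spot a stolen session cookie being replayed: it tracks the network and device fingerprint that first established each session and flags later use of the same session ID from a different fingerprint, weighting the alert by how long after the original login the reuse occurs. The authentication events, IP addresses (RFC 5737 documentation ranges) and user-agent labels are constructed sample data; the field names are assumptions, not any particular product's log schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    """One authenticated request as a defender might extract it from a web or IdP log."""
    ts: datetime
    user: str
    session_id: str
    src_ip: str
    user_agent: str


# Constructed sample log (not real telemetry). alice's session cookie is presented
# six weeks later from a different host; carol merely changes IP on the same device.
SAMPLE_EVENTS = [
    AuthEvent(datetime(2025, 3, 1, 9, 0), "alice", "sess-A1", "203.0.113.10", "UA-chrome-win"),
    AuthEvent(datetime(2025, 3, 1, 9, 5), "alice", "sess-A1", "203.0.113.10", "UA-chrome-win"),
    AuthEvent(datetime(2025, 3, 2, 10, 0), "bob", "sess-B7", "192.0.2.5", "UA-firefox-mac"),
    AuthEvent(datetime(2025, 3, 2, 11, 0), "bob", "sess-B7", "192.0.2.5", "UA-firefox-mac"),
    AuthEvent(datetime(2025, 3, 3, 12, 0), "carol", "sess-C3", "198.51.100.20", "UA-safari-ios"),
    AuthEvent(datetime(2025, 3, 3, 12, 30), "carol", "sess-C3", "198.51.100.21", "UA-safari-ios"),
    AuthEvent(datetime(2025, 4, 15, 2, 0), "alice", "sess-A1", "198.51.100.77", "UA-chrome-linux"),
]


def detect_session_replay(events, max_age=timedelta(days=30)):
    """Flag session IDs presented from a fingerprint other than the one that created them.

    Each alert records the session's age at reuse time, because stolen logs are
    typically resold and replayed days or weeks after the original compromise.
    A changed user-agent or a reuse older than max_age is rated high; an IP-only
    change on a fresh session (roaming, VPN) is rated low for analyst triage.
    """
    origin = {}   # session_id -> first event that established the session
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        first = origin.setdefault(ev.session_id, ev)
        if first is ev:
            continue  # this event established the session; nothing to compare yet
        ip_changed = ev.src_ip != first.src_ip
        ua_changed = ev.user_agent != first.user_agent
        if not (ip_changed or ua_changed):
            continue  # same fingerprint as the original login
        age = ev.ts - first.ts
        stale = age > max_age
        alerts.append({
            "user": ev.user,
            "session_id": ev.session_id,
            "origin_ip": first.src_ip,
            "replay_ip": ev.src_ip,
            "ua_changed": ua_changed,
            "age_days": age.days,
            "stale": stale,
            "severity": "high" if (ua_changed or stale) else "low",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print(alert)
```

The check deliberately keys on the session identifier rather than on the password: infostealer logs carry cookies that let an actor skip the login (and any MFA prompt) entirely, so the only observable is the session being used from somewhere it was never issued. In production the fingerprint would typically add ASN, device identifiers or TLS client properties, and the low-severity branch would be tuned against the organization's own roaming patterns.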
By analyzing how infostealers fuel both opportunistic and strategic operations, this talk provides insight into one of the most persistent and underexamined components of today’s cyber threats. Understanding their role is essential for anticipating how threat actors will evolve and how defenders must adapt.
Jonathan Gonzalez graduated from the University of Texas at San Antonio with a major in Cybersecurity and Information Systems and a minor in Digital Forensics in 2020. During his collegiate career, he worked in Application Security, Security Operations and Vulnerability Management before doing Digital Forensics and Incident Response (DFIR) at CrowdStrike. He is now an Assistant Vice President (AVP) of Cyber Threat Intelligence at Synchrony Financial, where he works to build and test enterprise defenses for key stakeholders. Currently, he is a graduate student studying Global Security Studies at Johns Hopkins University, deepening his understanding of the intersection between cybersecurity and global security. Outside of his professional and academic pursuits, Jonathan enjoys lifting weights, traveling, engaging with the Warhammer 40k universe, and reading military history.