Saturday September 12, 2026 10:30am - 11:30am CDT
Information stealer malware has quietly become one of the most consequential threats facing modern SOCs, with over 50 million stealer logs posted on underground channels in the last year alone. Each log is a comprehensive digital dossier on a single victim, and the sheer volume has created an analysis bottleneck that is impossible to address at scale.
This session opens with a technical deep dive into what an infostealer actually is and the strange artifact that is a stealer log. Beyond the obvious credentials and session cookies, stealer logs contain things defenders rarely expect: browser password manager extension data (Bitwarden, Dashlane, KeePassXC), local KeePass vaults exfiltrated from disk, TOTP secrets pulled from Chrome authenticator extensions (which lets the attacker bypass MFA), cryptocurrency wallet data, personal documents, and desktop screenshots captured at the exact moment of compromise. We will walk through the full attack surface and show why modern stealers are far more dangerous than "just a credential dump".
Buried inside each log are also forensic breadcrumbs left by the malware itself: execution paths, active processes, installed software, browser history, clipboard contents. These artifacts can reconstruct the infection vector and reveal the malware's behavior, but analyzing them manually takes hours per log. For an overwhelmed SOC triaging a steady stream of incidents, this analysis simply does not happen.
Building on our BlackHat USA 2025 work on LLM-based infection screenshot analysis ("Hackers Dropping Mid-Heist Selfies"), we introduce StealerLens, an LLM-powered forensic tool that collapses this workflow from hours to minutes. StealerLens uses a layered architecture where each log artifact (system info, software inventory, processes, browser history, clipboard, screenshots) is analyzed by a dedicated prompt. A final master prompt correlates the outputs into a cohesive infection narrative: likely source of infection, delivery vector, blast radius of exposed information, and pointing to the supporting evidence so the analyst can verify at a glance.
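The layered workflow described above, as an added example that is not the speakers' StealerLens code: each artifact of a stealer log gets its own analyzer, and a master step correlates their findings into a narrative with the supporting evidence attached. StealerLens uses an LLM prompt per layer; here rule-based analyzers stand in for those prompts so the pipeline runs offline. The log layout (one text blob per artifact), the hostnames, URLs and paths, and the `Finding` structure are all constructed for this illustration.

```python
"""Layered triage of a constructed stealer log: one deterministic analyzer per
artifact, then a correlator that assembles the infection narrative.  The real
StealerLens layers are LLM prompts; this example swaps in rules so it runs offline."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Finding:
    layer: str       # which artifact analyzer produced it
    summary: str     # analyst-facing statement
    evidence: str    # verbatim line from the log, so it can be verified at a glance


# Constructed sample log (not from any real victim). Keys stand in for the
# per-artifact files a stealer drops in its log directory.
SAMPLE_LOG = {
    "system_info": (
        "OS: Windows 10 Pro\nUser: jdoe\nHostname: FIN-LAPTOP-07\n"
        "Execution path: C:\\Users\\jdoe\\Downloads\\Setup_Crack_v2\\setup.exe\n"
    ),
    "software": "Google Chrome\nKeePass 2.54\nBitwarden\nMicrosoft Office\n",
    "processes": "explorer.exe\nchrome.exe\nKeePass.exe\nsetup.exe\n",
    "browser_history": (
        "2026-09-11 09:58 https://example-forum.test/threads/free-crack\n"
        "2026-09-11 10:01 https://cdn.example.test/Setup_Crack_v2.zip\n"
        "2026-09-11 10:05 https://vault.bitwarden.com/\n"
    ),
    "clipboard": "Correct-Horse-Battery-Staple-9\n",
}

LURE_WORDS = re.compile(r"crack|keygen|patch|activator", re.I)
ARCHIVE_URL = re.compile(r"https?://\S+\.(?:zip|rar|7z)\b", re.I)
VAULT_SOFTWARE = {"keepass": "local KeePass vault", "bitwarden": "Bitwarden extension data"}


def exec_path(log):
    m = re.search(r"^Execution path:\s*(.+)$", log["system_info"], re.M)
    return PureWindowsPath(m.group(1)) if m else None


def analyze_system_info(log):
    p = exec_path(log)
    out = []
    if p and "Downloads" in p.parts:
        out.append(Finding("system_info", "malware ran from the user's Downloads folder", str(p)))
    if p and LURE_WORDS.search(str(p)):
        out.append(Finding("system_info", "path suggests a cracked-software lure", str(p)))
    return out


def analyze_software(log):
    return [Finding("software", f"{label} at risk of exfiltration", line)
            for line in log["software"].splitlines()
            for key, label in VAULT_SOFTWARE.items() if key in line.lower()]


def analyze_processes(log):
    p = exec_path(log)
    running = [l for l in log["processes"].splitlines() if p and l.lower() == p.name.lower()]
    return [Finding("processes", "stealer binary still running at capture time", l) for l in running]


def analyze_history(log):
    out = []
    for line in log["browser_history"].splitlines():
        if ARCHIVE_URL.search(line):
            out.append(Finding("browser_history", "archive downloaded shortly before execution", line))
        elif LURE_WORDS.search(line):
            out.append(Finding("browser_history", "visit to a cracked-software lure page", line))
    return out


def analyze_clipboard(log):
    text = log["clipboard"].strip()
    if len(text) >= 12 and " " not in text and re.search(r"\d", text):
        return [Finding("clipboard", "clipboard held a password-like string", text)]
    return []


ANALYZERS = [analyze_system_info, analyze_software, analyze_processes,
             analyze_history, analyze_clipboard]


def correlate(findings):
    """Master layer: fuse per-artifact findings into a narrative with evidence."""
    downloaded = any("archive downloaded" in f.summary for f in findings)
    lure = any("lure" in f.summary for f in findings)
    if downloaded and lure:
        vector = "user downloaded and ran a cracked-software archive"
    elif downloaded:
        vector = "user-initiated download of unknown provenance"
    else:
        vector = "undetermined"
    blast = sorted(f.summary for f in findings if f.layer in ("software", "clipboard"))
    return {"vector": vector, "blast_radius": blast,
            "evidence": [f.evidence for f in findings],
            "layers_with_findings": sorted({f.layer for f in findings})}


def triage(log):
    findings = [f for analyzer in ANALYZERS for f in analyzer(log)]
    return correlate(findings)


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The point of keeping `evidence` as the verbatim log line is the same one the talk makes about the master prompt: every claim in the narrative must point back to something the analyst can check in seconds. Swapping an analyzer for an LLM prompt does not change the contract, only how the summary is produced.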
We will share the full prompt architecture, walk through real anonymized cases, and discuss the limits we encountered across our test corpus. Attendees leave with a concrete blueprint for industrializing infostealer log analysis, and for making room for the strategic work their SOC actually needs to do.
Speakers
Olivier Bilodeau

Principal Cybersecurity Researcher, Flare
Olivier Bilodeau, a principal researcher at Flare, brings 15+ years of cutting-edge infosec expertise in honeypot operations, binary reverse engineering, RDP interception and, more recently, fighting information stealer malware. A passionate communicator, Olivier has spoken at conferences...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk