LLM-Based Identification of Infostealer Infection Vectors from Screenshots: The Case of Aurora
Estelle Ruellan, Eric Clay, Nicholas Ascoli

TL;DR
This paper presents a novel LLM-based method to analyze infection screenshots for identifying malware infection vectors, specifically for Aurora, enabling scalable threat intelligence and early intervention.
Contribution
It introduces a new approach using GPT-4o-mini to analyze screenshots for IoCs, infection vectors, and campaigns, filling a gap in reactive malware analysis.
Findings
Extracted 337 URLs and 246 files from 1000 screenshots
Identified three distinct malware campaigns
Demonstrated the effectiveness of LLMs in threat analysis
Abstract
Infostealers exfiltrate credentials, session cookies, and sensitive data from infected systems. With over 29 million stealer logs reported in 2024, manual analysis and mitigation at scale are virtually infeasible. While most research focuses on proactive malware detection, a significant gap remains in leveraging reactive analysis of stealer logs and their associated artifacts. Specifically, infection artifacts such as screenshots, images captured at the point of compromise, are largely overlooked by the current literature. This paper introduces a novel approach leveraging Large Language Models (LLMs), more specifically gpt-4o-mini, to analyze infection screenshots to extract potential Indicators of Compromise (IoCs), map infection vectors, and track campaigns. Focusing on the Aurora infostealer, we demonstrate how LLMs can process screenshots to identify infection vectors,…
Taxonomy
Topics: Sentiment Analysis and Opinion Mining · Anomaly Detection Techniques and Applications · Digital Media Forensic Detection
