We've been tracking a steady rise in stealer log data surfacing on Telegram channels, but what caught our attention about this particular dump wasn't its size but the specificity of its target. The data focused almost exclusively on credentials and configurations related to PegasusCloud, a service we hadn't previously seen as a prominent target.
In late June 2025, a Telegram user posted a stealer log file containing 31,912 records pertaining to PegasusCloud. What made this leak stand out was its concentrated focus, suggesting a targeted campaign rather than a broad-spectrum credential harvesting operation. The data had been circulating quietly, but we noticed it gaining traction within several closed Telegram groups known for trading in cloud service credentials. This matters to enterprises now because it highlights the ongoing risk of targeted attacks against specific cloud platforms, even those not widely recognized as high-profile targets.
Key point: Total records exposed: 31,912
Key point: Types of data included: Email Addresses, Plaintext Passwords, URLs, API Host
Key point: Source structure: Stealer Log
Key point: Leak location: Telegram
Key point: Date of first appearance: June 23, 2025
Stealer logs are an increasingly common vector for initial access, as reported by CrowdStrike in their 2024 Global Threat Report. The report highlights the automation of stealer log analysis and deployment, lowering the barrier to entry for malicious actors. The fact that the passwords were in plaintext significantly increases the risk of account takeover and lateral movement within affected environments. The compromised URLs and API hosts further compound the risk, potentially enabling attackers to access sensitive data or launch further attacks.