Breach Intelligence Report 14 May 2026

Researchers Link the premiumArtHouse Cloud Log to 46,359 Stolen Credentials on Telegram

HEROIC Threat Intelligence Team
Records Exposed: 46,359
Source Type: Stealer log
Origin: United States
Password Type: plaintext

In March 2026, HEROIC analysts confirmed the premiumArtHouse Cloud.part01 stealer log had been uploaded to Telegram and was circulating among threat actors. The file exposed 46,359 records sourced from infected endpoint devices, each containing an email address, a plaintext password, and the URL where that credential was actively in use at the time of infection. This is the first part of a two-file stealer log campaign distributed under the premiumArtHouse Cloud label.


What Makes Stealer Log Credentials More Dangerous Than Breached Database Dumps

Traditional database breaches expose records from a single company's servers. Stealer logs are different. The data comes from individual people's devices, collected in real time while the malware was running. That means the credentials are almost always current, the accounts are almost always still active, and the passwords likely haven't been changed because the victims don't know they were compromised.

The URL data compounds the risk significantly. An attacker sorting this file by domain can instantly isolate all records tied to financial services, email providers, or social media platforms and target those accounts with priority. No guesswork, no testing at random. The attack path is already laid out in the file.


What Was Exposed in the premiumArtHouse Cloud Part 1 Stealer Log

  • Email Addresses: Real user identifiers harvested from active browser sessions, linking stolen data to specific individuals.
  • Plaintext Passwords: Unencrypted credentials pulled directly from browser storage, usable immediately with no decryption required.
  • URLs: The exact web services and platforms where each credential pair was in active use at the time the device was infected.
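
The same three fields let a defender who holds a copy of such a log work out which of their own mailboxes appear in it and which services each one needs reset. The following is an added example, not HEROIC's code: the one-record-per-line `url:email:password` layout, the function names, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed layout (not stated on the page): url:email:password, one record per line.
# The URL may contain ':' (scheme, port) and so may the password, so anchor on the email.
RECORD = re.compile(
    r"^(?P<url>\S+?):(?P<email>[^\s:@]+@[^\s:@]+\.[^\s:@]+):(?P<password>.*)$"
)

def parse_record(line):
    """Return (host, email) for a well-formed line, else None. The password is discarded."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat a bare host as the network location
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.lower(), m.group("email").lower()

def triage(lines, org_domains):
    """Map each exposed mailbox in org_domains to the service hosts needing a reset."""
    exposed = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # malformed or truncated record
        host, email = rec
        if email.rsplit("@", 1)[1] in org_domains:
            exposed[email].add(host)
    return {email: sorted(hosts) for email, hosts in exposed.items()}

# Constructed sample records using reserved example domains.
SAMPLE = [
    "https://sso.example.com:8443/login:alice@example.com:Pa:ss:word1",
    "https://mail.example.org/:alice@example.com:hunter2",
    "shop.example.net/account:bob@example.org:x",
    "garbage line without fields",
    "https://vpn.example.com/:Carol@Example.com:s3cret",
]

if __name__ == "__main__":
    for email, hosts in triage(SAMPLE, {"example.com"}).items():
        print(email, "->", ", ".join(hosts))
```

The output lists mailboxes and hosts only, so the reset queue can be shared with a help desk without passing the plaintext passwords along.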

Why 46,359 Records From This Campaign Pose a Broader Risk

The premiumArtHouse Cloud campaign spans at least two files, with Part 1 alone accounting for 46,359 records. Together with Part 2, the campaign likely represents a combined dataset exceeding 90,000 records from the same malware distribution operation. That scale suggests a coordinated effort rather than opportunistic infection, pointing to a threat actor deliberately targeting large numbers of devices.

Once this data enters Telegram channels, it spreads rapidly. It gets aggregated into larger combolist databases, merged with data from other stealer campaigns, and fed into automated credential stuffing tools. Even users who have never heard of the premiumArtHouse Cloud campaign could find their credentials in these secondary datasets. Account takeover, identity theft, and financial fraud are all natural downstream consequences when stealer log data reaches this scale of distribution.


How Information Stealers Harvest Credentials From Real Devices

Information stealers are a category of malware specifically built to extract saved credentials from web browsers. Once installed on a device, usually through a phishing link, fake software installer, or trojanized download, the malware queries the browser's encrypted credential store and reads out every saved username and password.

The malware also captures the associated URLs because the browser stores them alongside passwords to enable autofill. This is the feature that makes passwords convenient for everyday users, and it is exactly what stealers exploit. The data is bundled into a log file and either sold privately or uploaded to file-sharing channels like Telegram for wide distribution. The naming convention "premiumArtHouse" in this campaign suggests a branded distribution operation, where threat actors package and present logs as premium goods to attract buyers.


Check If Your Credentials Were Part of the premiumArtHouse Cloud Campaign

HEROIC's breach scanner searches across a database of over 400 billion exposed records, including stealer logs from campaigns like this one. Running a scan on your email address is free and takes under a minute. If your data appears in the premiumArtHouse Cloud Part 1 file, you will see the specifics of what was exposed and can take action right away.

Changing a password after an attacker has already used it does not undo the damage. Scanning now, before an incident occurs, is the only way to stay ahead of it. Use HEROIC's free scanner to find out where you stand.

Breach Breakdown

Domain: premiumArtHouse Cloud.part01 uploaded by a Telegram User
Leaked Data: Email Addresses, Plaintext Password, URLs
Password Types: plaintext
Date Leaked: 14 May 2026
Breach Rank: #N/A by affected users
Impact Score: 2 (sensitivity + scale + recency)
Est. Financial Impact: $335.5K (fraud, phishing & misuse risk)