
TOR_LOG MIX 299PCS uploaded by a Telegram User

03 Mar 2026 N/A 13-Mar-2026 Stealer log
4,903 Records Affected
Source Structure: Stealer log
Breach Location: Telegram
High-risk data exposed (passwords and/or SSN). Immediate credential reset and monitoring are recommended.

Breach Details

Domain: N/A
Leaked Data Types: Email Addresses, Plaintext Password, URLs
Password Types: plaintext

Description

We noticed a significant influx of stealer log data appearing on a public Telegram channel on May 7th, 2024, under the moniker "TOR_LOG MIX 299PCS." What struck us immediately was the raw, unadulterated nature of the information contained within, suggesting a direct dump from an active infostealer campaign rather than a curated or compromised database. The sheer volume, while not astronomical, combined with the inclusion of plaintext credentials and API endpoints, presented a potent cocktail of immediate risk. This discovery necessitates a rapid assessment of our own telemetry for any indicators of compromise related to similar exfiltration patterns.

The breach, identified as a stealer log, surfaced from a Telegram user and contained 4903 distinct records. The leaked data types are particularly concerning, encompassing email addresses, plaintext passwords, and URLs, likely representing compromised browser sessions, application logins, and potentially API access points. The source structure indicates a direct dump from an infostealer's loot, meaning it's a snapshot of what the malware successfully exfiltrated from infected endpoints. These logs were found to be publicly accessible on the aforementioned Telegram channel, posing an immediate threat of credential stuffing and unauthorized access for any exposed accounts. The implications extend beyond individual user accounts, as the presence of API host information could reveal vulnerabilities in backend systems or third-party integrations.

While this specific incident may not have garnered widespread media attention, the underlying threat of infostealer logs is a persistent concern within the cybersecurity landscape. Numerous reports from security firms like Mandiant and CrowdStrike regularly detail the evolving tactics of malware families such as RedLine, Vidar, and Raccoon, which are primary contributors to these types of data dumps. OSINT investigations frequently uncover similar repositories of stolen credentials on various dark web forums and public messaging platforms, underscoring the continuous availability of such compromised data to malicious actors. The "TOR_LOG MIX 299PCS" upload is a stark reminder of the persistent danger posed by these readily accessible caches of sensitive information.

Leaked Data Types

Email Addresses · Plaintext Password · URLs

Impact Score

Impact Score: 0.20

Based on data sensitivity, breach size, and recency

Estimated Financial Impact

$35.5K

This is an estimate based on potential fraud, phishing, and data misuse. Not all users will be affected.

TOR_LOG MIX 299PCS uploaded by a Telegram User

31 Jan 2026 N/A 02-Mar-2026 Stealer log
4,033 Records Affected
Source Structure: Stealer log
Breach Location: Telegram
High-risk data exposed (passwords and/or SSN). Immediate credential reset and monitoring are recommended.

Breach Details

Domain: N/A
Leaked Data Types: Email Addresses, Plaintext Password, URLs
Password Types: plaintext

Description

We noticed an alarming upload on a public Telegram channel on April 20, 2024, identified as "TOR_LOG MIX 299PCS." This file contained a substantial collection of compromised endpoint data, raising immediate concerns about potential downstream impacts. What struck us most was the presence of plaintext passwords alongside email addresses and API host URLs, a combination that significantly lowers the barrier for attackers to pivot into other systems. The sheer volume, while not catastrophic, is concerning given the readily exploitable nature of the exposed credentials.

The "TOR_LOG MIX 299PCS" file, uploaded by an anonymous Telegram user, appears to be a compilation of stealer logs. It contains 4,033 distinct records, each detailing an endpoint that was compromised by malware. Within these records, we identified several critical data types: email addresses, plaintext passwords, and associated API host URLs. The presence of plaintext passwords is a significant vulnerability, as it bypasses the need for brute-force or credential stuffing attacks. The API host URLs suggest that these compromised endpoints were configured to interact with specific services, potentially revealing avenues for further exploitation or data exfiltration from those integrated systems. The threat theme here is clearly credential harvesting via infostealer malware, with the data likely originating from a diverse set of compromised personal or corporate devices.

While this specific upload has not garnered widespread media attention, the nature of stealer logs is a persistent concern within the cybersecurity community. Numerous OSINT sources and threat intelligence reports regularly highlight the proliferation of such logs on dark web forums and public messaging platforms. Research from organizations like Mandiant and CrowdStrike frequently details the methods employed by infostealer malware, which often targets browser credentials, cryptocurrency wallets, and other sensitive information. The "TOR_LOG MIX 299PCS" leak aligns with these observed trends, underscoring the ongoing threat posed by readily available, compromised credential dumps.

Leaked Data Types

Email Addresses · Plaintext Password · URLs

Impact Score

Impact Score: 0.20

Based on data sensitivity, breach size, and recency

Estimated Financial Impact

$35.5K

This is an estimate based on potential fraud, phishing, and data misuse. Not all users will be affected.
