Cybersecurity researchers at Black Hat demonstrated how artificial intelligence can analyze screenshots left behind by cybercriminals to identify and track infostealer malware campaigns. The breakthrough technique uses dual large language models to process images that hackers inadvertently create while stealing data, potentially enabling earlier detection and prevention of these attacks.
What you should know: Infostealer malware campaigns often leave digital breadcrumbs in the form of screenshots, which researchers can now analyze using AI to understand attack patterns.
- The malware typically spreads through fake cracked software downloads, stealing everything from crypto wallets to password manager data without requiring administrator privileges.
- Cybercriminals package stolen data and resell it through subscription services on platforms like Telegram, often including screenshots to demonstrate the value of their stolen information.
- Flare, a cybersecurity company, acquired millions of these stolen information packages to develop their AI-powered analysis system.
How the AI system works: The technique employs two separate large language models working in sequence to extract meaningful intelligence from cybercriminal screenshots.
- The first AI model analyzes each image and generates formatted text descriptions, identifying visible URLs, signs of cracked software, and instructions to disable antivirus protection.
- A second AI model processes these descriptions to identify infection vectors and campaign themes, enabling researchers to track malware families and understand their distribution tactics.
- “When I came to this project, I thought I’d just translate my thoughts to the LLM, as if it were a human,” said Estelle Ruellan, Flare’s threat intelligence researcher. “It’s a simple task—identify the infection vector. But the LLM did not think or act like a human.”
Primary attack vectors: Research revealed that cybercriminals rely heavily on legitimate platforms to distribute their malware rather than traditional email attachments.
- “We saw YouTube as a massive distribution system,” Ruellan explained. “It works, and it’s free. Second was Google ads, leveraged to get the top spot. It’s a fast lane to the users’ trust.”
- Two successful campaigns analyzed included fake MidJourney access and a Java-based attack dubbed “Java Blitz” that spread worldwide in a single weekend.
- “These two successful campaigns used simple tricks,” noted Olivier Bilodeau, Flare’s principal security researcher. “Threat actors rely on simple psychological tactics because they still work.”
Why this matters: The research provides a new weapon in the cybersecurity arsenal by turning criminals’ own documentation against them.
- “They are taking selfies of a crime scene,” Bilodeau said. “There’s so much info we can extract.”
- The technique could enable proactive threat hunting and faster response times to emerging malware campaigns.
- “As long as they keep sharing screenshots, we will be able to track them,” Ruellan concluded.
What they’re saying: Experts emphasized the psychological elements that make these attacks successful.
- “If it’s free and shady, you are likely the victim,” warned Ruellan.
- The research team advised security professionals to find ways to apply analyst intuition to AI systems for improved threat detection.
Recent Stories
DOE fusion roadmap targets 2030s commercial deployment as AI drives $9B investment
The Department of Energy has released a new roadmap targeting commercial-scale fusion power deployment by the mid-2030s, though the plan lacks specific funding commitments and relies on scientific breakthroughs that have eluded researchers for decades. The strategy emphasizes public-private partnerships and positions AI as both a research tool and motivation for developing fusion energy to meet data centers' growing electricity demands. The big picture: The DOE's roadmap aims to "deliver the public infrastructure that supports the fusion private sector scale up in the 2030s," but acknowledges it cannot commit to specific funding levels and remains subject to Congressional appropriations. Why...
Oct 17, 2025Tying it all together: Credo’s purple cables power the $4B AI data center boom
Credo, a Silicon Valley semiconductor company specializing in data center cables and chips, has seen its stock price more than double this year to $143.61, following a 245% surge in 2024. The company's signature purple cables, which cost between $300-$500 each, have become essential infrastructure for AI data centers, positioning Credo to capitalize on the trillion-dollar AI infrastructure expansion as hyperscalers like Amazon, Microsoft, and Elon Musk's xAI rapidly build out massive computing facilities. What you should know: Credo's active electrical cables (AECs) are becoming indispensable for connecting the massive GPU clusters required for AI training and inference. The company...
Oct 17, 2025Vatican launches Latin American AI network for human development
The Vatican hosted a two-day conference bringing together 50 global experts to explore how artificial intelligence can advance peace, social justice, and human development. The event launched the Latin American AI Network for Integral Human Development and established principles for ethical AI governance that prioritize human dignity over technological advancement. What you should know: The Pontifical Academy of Social Sciences, the Vatican's research body for social issues, organized the "Digital Rerum Novarum" conference on October 16-17, combining academic research with practical AI applications. Participants included leading experts from MIT, Microsoft, Columbia University, the UN, and major European institutions. The conference...