
LLM Identifies Information Stealer Infection Vectors and Extracts IoC

DEFCONConference · 1,057 views · 49:50 · 6 months ago

This talk demonstrates a two-layer Large Language Model (LLM) pipeline designed to automate the analysis of information stealer malware by processing victim desktop screenshots. The pipeline first performs a visual assessment of the screenshot to identify the infection vector, followed by a second layer that extracts and validates Indicators of Compromise (IoCs) such as malicious URLs. This approach enables the automated tracking of malware campaigns at scale, even when traditional code-based detection methods fail due to packing or obfuscation. The researchers also provide insights into common lure themes and distribution strategies used by threat actors, such as leveraging Google Ads and YouTube.

Automating Infostealer Analysis with a Two-Layer LLM Pipeline

TLDR: Researchers at DEF CON 2025 demonstrated a two-layer LLM pipeline that automates the analysis of information stealer malware by processing victim desktop screenshots. The first layer performs a visual assessment to identify the infection vector, while the second layer extracts and validates Indicators of Compromise (IoCs) like malicious URLs. This technique allows security teams to track malware campaigns at scale, bypassing traditional code-based detection methods that often fail against packed or obfuscated payloads.

Information stealers are a persistent headache for security teams. They are rarely sophisticated in terms of exploit chains, but they are incredibly effective at scale. Threat actors rely on simple psychological manipulation, such as offering free "cracked" versions of popular software like Adobe Photoshop or Midjourney, to trick users into executing malicious binaries. Once executed, these stealers scrape credentials, browser data, and crypto wallets before exfiltrating the loot to C2 infrastructure, often hosted on platforms like Telegram.

The primary challenge for defenders is the sheer volume of these logs. Analyzing them manually is impossible, and traditional signature-based detection often fails because the malware is frequently repacked or obfuscated. This research shifts the focus from the binary itself to the visual artifacts left behind on the victim's desktop, using LLMs to turn unstructured visual data into actionable intelligence.

The Two-Layer LLM Pipeline

The core of this research is a pipeline that treats the victim's desktop screenshot as a primary source of truth. The researchers identified that threat actors often include a screenshot as part of the infection process, providing a "mid-heist selfie" that contains all the clues needed to reconstruct the attack.

The pipeline operates in two distinct stages:

  1. Visual Assessment: The first LLM layer processes the raw screenshot. It is prompted to categorize the scene into one of three classes: web-based, file system-based, or hybrid. It then extracts specific details, such as the software being installed, visible browser tabs, and any suspicious download links.
  2. IoC Extraction and Validation: The second layer takes the structured description from the first and performs the heavy lifting of extracting and validating IoCs. It filters out dead links and focuses on the "theme" of the infection, which is critical for tracking campaign attribution.

This separation of concerns is vital. By forcing the first layer to act as a visual interpreter and the second as an analyst, the researchers avoided the common pitfalls of "hallucination" that plague single-prompt LLM implementations.

Prompt Engineering for Security Context

The researchers emphasized that an LLM cannot simply "figure it out." You must translate analyst intuition into precise instructions. The prompt structure used for the first layer is a masterclass in providing context:

### Main Content:
Describe the main content visible on the screen, including as much detail as possible.

### Files/Programs:
Installer: Focus on installers or setup windows. If a file is being installed, get the name of the file or the path.
File explorer: Focus on file explorers. List the names of files and their extensions in this section.

### URL:
Detail all URLs you see. If there are no URLs, put "X".

### Browser Tabs Analysis:
Parse bookmarks. For each active browser tab in the top row, list in this format:
- [Logo: Name] [text: (visible text)] [meaning/context (if apparent)]. If there aren't any webpages, put "X".

### Suspicious Elements:
Highlight any file, executable, program, URL, or download link that could contain malware.

By structuring the input this way, the pipeline consistently identifies the infection vector, even when the underlying binary changes. This is a significant advantage over traditional signature matching, which is easily defeated by minor code changes.
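The hand-off from the first layer to the second can be sketched as follows. This is an added example, not the researchers' code: it assumes the layer-1 reply keeps the prompt's `###` headings, and `SAMPLE_REPLY`, the function names and the rule that derives the scene class from which sections are filled are all hypothetical. URL validation here is syntactic only; the dead-link check described above needs network access and is left out.

```python
import re
from urllib.parse import urlsplit

# Constructed layer-1 reply following the prompt's section headings.
SAMPLE_REPLY = """\
### Files/Programs:
Installer: C:\\Users\\victim\\Downloads\\PhotoEditor_Setup.exe
File explorer: PhotoEditor_Setup.exe, readme.txt
### URL:
hxxps://downloads.example[.]com/photo-editor/setup.zip
https://www.example.org/watch?v=constructed
### Browser Tabs Analysis:
X
### Suspicious Elements:
PhotoEditor_Setup.exe, link hxxps://downloads.example[.]com/photo-editor/setup.zip
"""

SECTION_RE = re.compile(r"^### (.+?):[ \t]*$", re.M)
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s\"'<>]+", re.I)
EXEC_RE = re.compile(r"[\w.-]+\.(?:exe|msi|scr|bat|ps1|lnk|iso)\b", re.I)

def parse_sections(reply):
    """Split on '### Name:' headings; a lone "X" means the section is empty."""
    parts = SECTION_RE.split(reply)[1:]  # name, body, name, body, ...
    return {name: "" if body.strip() == "X" else body.strip()
            for name, body in zip(parts[::2], parts[1::2])}

def extract_urls(text):
    """Refang, syntax-check and de-duplicate URLs; no network lookups."""
    urls = []
    for raw in URL_RE.findall(text):
        url = re.sub(r"^hxxp", "http", raw.replace("[.]", "."), flags=re.I).rstrip(".,;)")
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:  # e.g. a stray bracket left in the host
            continue
        if "." in host and url not in urls:
            urls.append(url)
    return urls

def triage(reply):
    s = parse_sections(reply)
    urls = extract_urls(s.get("URL", "") + "\n" + s.get("Suspicious Elements", ""))
    files = sorted(set(EXEC_RE.findall(s.get("Files/Programs", ""))))
    web = bool(urls or s.get("Browser Tabs Analysis"))
    scene = ("hybrid" if web and files else "web-based" if web
             else "file system-based" if files else "unclassified")
    defanged = [u.replace("http", "hxxp", 1).replace(".", "[.]") for u in urls]
    return {"scene": scene, "files": files, "urls": defanged}
```

The URLs come back defanged so the result can be pasted into a ticket or report without creating clickable links.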

Real-World Applicability for Pentesters

For a penetration tester or a bug bounty hunter, this approach is a force multiplier. During an engagement, you often encounter custom malware or obfuscated droppers. Instead of spending hours in a debugger, you can use this pipeline to quickly triage the infection flow. If you have access to a sandbox that captures desktop screenshots, you can feed those images into this pipeline to instantly extract the C2 infrastructure and the lure theme.

The researchers also highlighted how threat actors use Google Ads to place malicious sites at the top of search results. This "fast lane" to user trust is a critical component of modern campaigns. By automating the identification of these ads, you can provide your clients with a much more accurate picture of their external attack surface.

Defensive Considerations

Defenders should focus on the "lure themes." If you see a spike in users searching for "cracked software" or "gaming cheats," you are likely seeing the early stages of an infostealer campaign. The most effective defense remains user education: if it is free and shady, the user is the product. Never disable Windows Defender or other security controls to run an untrusted binary.

This research proves that we don't always need to reverse-engineer the binary to understand the threat. Sometimes, the most valuable intelligence is sitting right there on the desktop, waiting to be read. If you are interested in the technical implementation, the researchers have published their findings in a paper available on arXiv. Start by automating the low-hanging fruit, and let the LLMs handle the noise while you focus on the actual campaign infrastructure.
