Cybersecurity researchers at Black Hat demonstrated how artificial intelligence can analyze screenshots left behind by cybercriminals to identify and track infostealer malware campaigns. The breakthrough technique uses dual large language models to process images that hackers inadvertently create while stealing data, potentially enabling earlier detection and prevention of these attacks.
What you should know: Infostealer malware campaigns often leave digital breadcrumbs in the form of screenshots, which researchers can now analyze using AI to understand attack patterns.
- The malware typically spreads through fake cracked software downloads, stealing everything from crypto wallets to password manager data without requiring administrator privileges.
- Cybercriminals package stolen data and resell it through subscription services on platforms like Telegram, often including screenshots to demonstrate the value of their stolen information.
- Flare, a cybersecurity company, acquired millions of these stolen information packages to develop their AI-powered analysis system.
How the AI system works: The technique employs two separate large language models working in sequence to extract meaningful intelligence from cybercriminal screenshots.
- The first AI model analyzes each image and generates formatted text descriptions, identifying visible URLs, signs of cracked software, and instructions to disable antivirus protection.
- A second AI model processes these descriptions to identify infection vectors and campaign themes, enabling researchers to track malware families and understand their distribution tactics.
- “When I came to this project, I thought I’d just translate my thoughts to the LLM, as if it were a human,” said Estelle Ruellan, Flare’s threat intelligence researcher. “It’s a simple task—identify the infection vector. But the LLM did not think or act like a human.”
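The two-stage pipeline described above, as an added illustration that is not Flare's code: the stage-1 vision model is not run here, and its output is assumed to be simple `key: value` text; the stage-2 model is replaced by deterministic rules so the parsing, classification and aggregation steps run offline. The domain table, keyword table and sample descriptions are constructed for this example.

```python
from collections import Counter
from urllib.parse import urlparse

def parse_stage1(text: str) -> dict:
    """Parse one stage-1 description (assumed 'key: value' lines) into a record."""
    rec = {"urls": [], "lure": "", "cracked_software": False, "av_disable_instructions": False}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "urls":
            rec["urls"] = value.split()
        elif key == "lure":
            rec["lure"] = value
        elif key in ("cracked_software", "av_disable_instructions"):
            rec[key] = value.lower() == "yes"
    return rec

# Stage-2 stand-in: deterministic rules instead of the second LLM.
VECTOR_BY_DOMAIN = {"youtube.com": "youtube", "youtu.be": "youtube",
                    "googleadservices.com": "google_ads"}
THEME_BY_KEYWORD = {"midjourney": "fake_midjourney", "java": "java_blitz"}

def infection_vector(rec: dict) -> str:
    """Infer the distribution channel from URLs visible in the screenshot."""
    for url in rec["urls"]:
        host = (urlparse(url).hostname or "").removeprefix("www.")
        for domain, vector in VECTOR_BY_DOMAIN.items():
            if host == domain or host.endswith("." + domain):
                return vector
    return "cracked_software_site" if rec["cracked_software"] else "unknown"

def campaign_theme(rec: dict) -> str:
    lure = rec["lure"].lower()  # tag the lure with a theme, or "other"
    return next((t for k, t in THEME_BY_KEYWORD.items() if k in lure), "other")

def triage(stage1_outputs: list[str]) -> dict[str, Counter]:
    vectors, themes = Counter(), Counter()  # aggregate across many screenshots
    for text in stage1_outputs:
        rec = parse_stage1(text)
        vectors[infection_vector(rec)] += 1
        themes[campaign_theme(rec)] += 1
    return {"vectors": vectors, "themes": themes}

# Constructed stage-1 outputs (not real screenshots or campaign data).
SAMPLE_STAGE1 = [
    "urls: https://www.youtube.com/watch?v=EXAMPLE\nlure: free MidJourney access\n"
    "cracked_software: no\nav_disable_instructions: yes",
    "urls: https://www.googleadservices.com/pagead/EXAMPLE\nlure: Java update\n"
    "cracked_software: no\nav_disable_instructions: no",
    "urls:\nlure: Photoshop crack\ncracked_software: yes\nav_disable_instructions: yes",
]
```

Calling `triage(SAMPLE_STAGE1)` returns per-channel and per-theme counts, which is the shape of output a tracker would compare across days to spot a campaign spreading on one platform.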
Primary attack vectors: Research revealed that cybercriminals rely heavily on legitimate platforms to distribute their malware rather than traditional email attachments.
- “We saw YouTube as a massive distribution system,” Ruellan explained. “It works, and it’s free. Second was Google ads, leveraged to get the top spot. It’s a fast lane to the users’ trust.”
- Two successful campaigns analyzed were a fake MidJourney access lure and a Java-based attack dubbed “Java Blitz” that spread worldwide in a single weekend.
- “These two successful campaigns used simple tricks,” noted Olivier Bilodeau, Flare’s principal security researcher. “Threat actors rely on simple psychological tactics because they still work.”
Why this matters: The research provides a new weapon in the cybersecurity arsenal by turning criminals’ own documentation against them.
- “They are taking selfies of a crime scene,” Bilodeau said. “There’s so much info we can extract.”
- The technique could enable proactive threat hunting and faster response times to emerging malware campaigns.
- “As long as they keep sharing screenshots, we will be able to track them,” Ruellan concluded.
What they’re saying: Experts emphasized the psychological elements that make these attacks successful.
- “If it’s free and shady, you are likely the victim,” warned Ruellan.
- The research team advised security professionals to find ways to apply analyst intuition to AI systems for improved threat detection.
Caught on Camera: How AI Is Exposing Cybercriminal Attacks Using Their Own Screenshots