Why People Still Fall for Malware?
The surge in malware infections stems mainly from user behavior rather than exploitation of vulnerabilities. Research shows that cracked software, game cheats and malicious ads are the main distribution channels. Users often disable security protections and trust unreliable sources, leading to infections on multilingual systems worldwide. 2025-8-7 05:5:28 Author: infosecwriteups.com

Tal Eliyahu

Infostealer-driven malware infections continue to increase, driven largely by user behavior, not by exploiting software vulnerabilities. In 2024 alone, over 29 million stealer logs were shared across cybercrime platforms.

A recent study by Flare Systems analyzed 1,000 infection-time screenshots captured by the Aurora infostealer. The objective was to understand how users ended up installing the malware. The findings point to familiar patterns of human behavior: downloading free tools, relying on untrusted sources, and disabling security protections.

Cracked Software Is Still #1

Cracked software was the most common infection vector, responsible for 28.3% of the cases. Users were seen attempting to download pirated versions of:

  • Microsoft Office
  • Adobe Photoshop
  • Filmora
  • MidJourney

These downloads often came from YouTube video tutorials, with links pointing to file-sharing sites like mega.nz, telegra.ph, or cutt.ly. Files were typically zipped, password-protected, and accompanied by instructions to disable antivirus.


Game Cheats and Mods as Lures

In 7.4% of infections, users were installing cheats or mods for games like Minecraft, Fortnite, Roblox, and Valorant. Common file names included “Galaxy Skin Swapper” and “Minecraft ModPack.” These were often shared via YouTube descriptions or unofficial modding forums.

Fake Ads and Sponsored Results

Another key infection method was malicious Google Ads. Campaigns like “Blitz Java” and “Zero MidJourney” used paid ads to promote fake download pages. For example, someone searching for “Java download” might click on a top ad linking to a fake site like java-gapp.space, which served malware inside a zip file disguised as an installer.

What the Screenshots Show

Users themselves enabled these infections. Screenshots showed people:

  • Searching for cracked or free software
  • Trusting the first result in search
  • Disabling built-in protections
  • Ignoring antivirus alerts
  • Running unsigned executables

These behaviors — not software vulnerabilities — drove the infections.
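The install chain the post describes (a password-protected archive fetched from a file-sharing host, instructions to switch off antivirus, then an unsigned executable launched from the extracted folder) is visible in ordinary endpoint telemetry, which makes it a good candidate for a behavioral detection. The following Python is an added example, not code from the post or from Flare: the event shape, the indicator weights and the sample event sequences are constructed for illustration, and the only page-derived values are the file-sharing hosts the post names. `DisableRealtimeMonitoring` is the Microsoft Defender preference name used when real-time protection is turned off.

```python
"""Triage heuristic for the cracked-software install chain described in the post.

Scores one user's sequence of endpoint events for the indicators the study
reports: a download from a file-sharing host, a password-protected archive,
built-in protection being disabled, and an unsigned executable launched from
the extraction folder. Event schema, weights and threshold are assumptions
made for this example, not a real EDR format.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlparse

# Hosts the post names as common delivery points for cracked-software bundles.
FILE_SHARING_HOSTS = {"mega.nz", "telegra.ph", "cutt.ly"}

# Indicator weights (assumed); a chain showing most of them is a strong signal.
WEIGHTS = {
    "download_from_file_sharing_host": 2,
    "password_protected_archive": 2,
    "protection_disabled": 3,
    "unsigned_executable_run": 2,
    "executable_from_archive_dir": 1,
}
ALERT_THRESHOLD = 5


@dataclass(frozen=True)
class Event:
    kind: str                  # "download" | "archive_extract" | "defender_config" | "process_start"
    url: str = ""              # download source (download events)
    path: str = ""             # downloaded file, extraction directory, or launched executable
    encrypted: bool = False    # archive required a password (archive_extract events)
    setting: str = ""          # Defender preference name (defender_config events)
    value: bool | None = None  # new value of that preference
    signed: bool | None = None # Authenticode signature present (process_start events)


def host_of(url: str) -> str:
    """Hostname of a URL, or an empty string if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def score_chain(events: Iterable[Event]) -> tuple[int, list[str]]:
    """Return (score, matched indicator names in first-seen order) for one event sequence."""
    matched: list[str] = []
    extracted_dirs: set[str] = set()
    for ev in events:
        if ev.kind == "download" and host_of(ev.url) in FILE_SHARING_HOSTS:
            matched.append("download_from_file_sharing_host")
        elif ev.kind == "archive_extract":
            if ev.encrypted:
                matched.append("password_protected_archive")
            extracted_dirs.add(ev.path.lower())
        elif ev.kind == "defender_config" and ev.setting == "DisableRealtimeMonitoring" and ev.value:
            matched.append("protection_disabled")
        elif ev.kind == "process_start":
            if ev.signed is False:
                matched.append("unsigned_executable_run")
            # A binary started from a folder we just extracted ties the steps together.
            if ev.path.rsplit("\\", 1)[0].lower() in extracted_dirs:
                matched.append("executable_from_archive_dir")
    unique = list(dict.fromkeys(matched))  # dedupe, keep order
    return sum(WEIGHTS[m] for m in unique), unique


def is_suspicious(events: Iterable[Event]) -> bool:
    return score_chain(events)[0] >= ALERT_THRESHOLD


# Constructed sample telemetry (not from the study) reproducing the chain in the text.
CRACK_CHAIN = [
    Event("download", url="https://mega.nz/file/placeholder", path=r"C:\Users\alice\Downloads\Office_2022.zip"),
    Event("archive_extract", path=r"C:\Users\alice\Downloads\Office_2022", encrypted=True),
    Event("defender_config", setting="DisableRealtimeMonitoring", value=True),
    Event("process_start", path=r"C:\Users\alice\Downloads\Office_2022\setup.exe", signed=False),
]

# Benign contrast: a signed installer fetched from an ordinary vendor host (placeholder domain).
BENIGN_CHAIN = [
    Event("download", url="https://downloads.example.com/installer.exe", path=r"C:\Users\bob\Downloads\installer.exe"),
    Event("process_start", path=r"C:\Users\bob\Downloads\installer.exe", signed=True),
]

if __name__ == "__main__":
    for name, chain in (("crack_chain", CRACK_CHAIN), ("benign_chain", BENIGN_CHAIN)):
        score, reasons = score_chain(chain)
        print(f"{name}: score={score} alert={score >= ALERT_THRESHOLD} reasons={reasons}")
```

The point of weighting rather than matching any single indicator is that each step on its own is common (users do download from MEGA, installers are sometimes unsigned); it is the combination, with real-time protection switched off in the middle, that reproduces the chain the screenshots show.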

Global Reach

The study found infections across systems in Italian, French, Portuguese, Hindi, Arabic, and more. These tactics worked across languages and regions, showing the global scale of user-driven malware infections.

How the LLM Helped

Instead of analyzing malware code or exhaustively combing through stealer logs, the study focused on visual artifacts — screenshots taken during infection. Flare used GPT-4o-mini to extract structured data from screenshots. The model's output included:

  • 96.2% accuracy in scene descriptions
  • 100% accuracy in file identification
  • 337 actionable malicious URLs
  • 246 relevant malware-laced files


This method enabled scalable threat intelligence without needing access to logs or malware samples.
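Once a model has turned each screenshot into structured data, the useful work is downstream: validating the records, classifying which infection vector each one shows, and collapsing the visible URLs and file names into deduplicated indicator lists. The following Python is an added example, not Flare's pipeline: the record schema (`scene`, `urls`, `files`), the keyword rules and the sample model output are all constructed for this example, and the only page-derived values are the product, game and host names the post mentions.

```python
"""Post-processing for LLM-extracted screenshot records (constructed example).

Assumes the model emits one JSON object per screenshot with keys
"scene" (free-text description), "urls" and "files" (lists of strings).
Classifies the infection vector with keyword rules drawn from the post and
produces deduplicated URL and file-name indicator lists.
"""
from __future__ import annotations

import json
from collections import Counter
from urllib.parse import urlparse

# Rule vocabularies (assumed). The vector names are this example's own labels.
CRACK_TERMS = ("crack", "keygen", "activator", "full version")
GAME_TERMS = ("minecraft", "fortnite", "roblox", "valorant")
CHEAT_TERMS = ("cheat", "mod", "skin swapper", "modpack")
AD_TERMS = ("sponsored",)  # the label a paid search result carries


def validate(rec: object) -> bool:
    """Accept only records with the expected keys and types; malformed model output is dropped."""
    return (
        isinstance(rec, dict)
        and isinstance(rec.get("scene"), str)
        and isinstance(rec.get("urls"), list)
        and all(isinstance(u, str) for u in rec["urls"])
        and isinstance(rec.get("files"), list)
        and all(isinstance(f, str) for f in rec["files"])
    )


def parse_records(raw: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping lines that are not valid or not well-formed."""
    records = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if validate(rec):
            records.append(rec)
    return records


def classify_vector(rec: dict) -> str:
    """Rule-based vector label. Game cheats need both a game name and a cheat/mod term,
    which keeps substring matches like "mod" in "modern" from firing on their own."""
    text = " ".join([rec["scene"], *rec["files"], *rec["urls"]]).lower()
    if any(t in text for t in AD_TERMS):
        return "malvertising"
    if any(g in text for g in GAME_TERMS) and any(c in text for c in CHEAT_TERMS):
        return "game_cheat_or_mod"
    if any(t in text for t in CRACK_TERMS):
        return "cracked_software"
    return "unknown"


def is_actionable_url(u: str) -> bool:
    """Keep only absolute http(s) URLs with a hostname; free text the model put in the list is dropped."""
    p = urlparse(u)
    return p.scheme in ("http", "https") and bool(p.hostname)


def summarize(records: list[dict]) -> dict:
    vectors = Counter(classify_vector(r) for r in records)
    urls = {u for r in records for u in r["urls"] if is_actionable_url(u)}
    files = {f for r in records for f in r["files"]}
    return {
        "vectors": dict(vectors),
        "actionable_urls": sorted(urls),
        "files": sorted(files, key=str.lower),
    }


# Constructed sample model output: four usable records and one malformed line.
RAW_MODEL_OUTPUT = """
{"scene": "Browser on a YouTube tutorial for Microsoft Office 2022 crack; file explorer shows extracted archive", "urls": ["https://mega.nz/file/placeholder1"], "files": ["Office_2022_Crack.zip", "setup.exe"]}
{"scene": "Google search for Java download with a Sponsored result at the top", "urls": ["https://java-gapp.space/download"], "files": ["java_installer.zip"]}
{"scene": "Minecraft modding forum thread with download link", "urls": ["https://telegra.ph/placeholder2"], "files": ["Minecraft ModPack.zip"]}
{"scene": "Desktop with antivirus alert being dismissed", "urls": ["not a url"], "files": []}
{"scene": "truncated output", "urls": "https://mega.nz/file/placeholder1"}
"""

if __name__ == "__main__":
    print(json.dumps(summarize(parse_records(RAW_MODEL_OUTPUT)), indent=2))
```

The validation step matters more than it looks: a model asked for structured output will sometimes emit a string where a list was expected or stop mid-object, and silently counting those records would distort the vector percentages the study reports.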

Three Notable Campaigns Identified

  • Blitz Java — A high-speed weekend campaign using Google Ads to push fake Java installers. Infections occurred in under 24 hours.
  • Zero MidJourney — Targeted users looking for free access to MidJourney, using fake download sites and antivirus bypass instructions.
  • Snow Microsoft 2022 — A fake Microsoft Office 2022 crack distributed via YouTube and MEGA.nz, seen across 15+ languages.

Why These Attacks Keep Working

The infections didn’t rely on zero-days or complex exploits. They worked because of predictable human behaviors:

  • People search for free software
  • Trust top results and video instructions
  • Ignore warnings and disable security tools
  • Run untrusted executables despite warnings

The study shows that infostealer malware thrives not on technical breakthroughs — but on predictable user behavior.


Reference:

LLM-Based Identification of Infostealer Infection Vectors from Screenshots: The Case of Aurora — https://arxiv.org/pdf/2507.23611


Article source: https://infosecwriteups.com/why-people-still-fall-for-malware-da850deed46f?source=rss----7b722bfd1b8d---4