The Rising Threat of Log-Based Cyberattacks

Posted on July 2, 2025

Spanish telecommunications giant Telefonica recently fell victim to a significant cybersecurity breach, showing that even large organizations can be vulnerable. The event highlights how important it is to maintain strong defenses, especially against infostealers, which are designed specifically to steal information.

The Breach: What Happened?

This month (January 2025), Telefonica confirmed unauthorized access to its internal Jira ticketing system. The breach, orchestrated by a group of attackers allegedly linked to the Hellcat ransomware group, resulted in the theft of approximately 2.3 GB of sensitive data. The stolen information included:

  • 24,000 employee emails and names
  • 500,000 Jira issues and summaries
  • 5,000 internal documents
  • 236,493 lines of customer data

The Attack Vector: Infostealer Malware

The breach was facilitated by infostealer malware, a type of malicious software designed to harvest sensitive information such as login credentials from infected devices. Numerous employees were reported to be compromised, providing attackers with critical credentials for initial access:

  • 469 employee credentials on Telefonica’s domain were compromised.

Credential Theft, Infostealers

Cybercriminals are not just hacking in. Increasingly, they’re simply logging in with stolen credentials and session data.

A surge in “log-based” cyberattacks is putting organizations at risk. These attacks revolve around infostealer “logs”: packages of stolen data siphoned from infected devices that are bought and sold in a booming underground economy.

In this post, we’ll break down what these logs are, how they’re obtained and traded, the dangers they pose (from account takeovers to session hijacking), why they’re on the rise, and how security teams can fight back.

What Are Infostealer Logs?


Infostealer logs are bundled datasets of sensitive information harvested by infostealer malware. When an infostealer infects a device (often via phishing emails or malicious downloads), it quietly collects troves of data: saved login credentials, browser cookies and session tokens, autofill data, cryptocurrency wallet keys, system details, and more.

The malware then sends this data to the attacker’s server, where it’s compiled into an organized “stealer log.” Each log is essentially a one-stop data haul from a victim, neatly sorted and ready for exploitation.

Unlike a simple password list, a single infostealer log provides a full digital profile of the victim. For example, a log might include:

  • email and banking passwords;
  • session cookies that keep the user logged in;
  • authentication tokens;
  • browser fingerprint data (like IP address, OS, and user-agent);
  • even crypto wallet secrets.

How Logs Are Collected and Sold

Infostealer malware has made credential theft industrialized. Once it slips onto a victim’s machine (through a clicked phishing link, a fake software crack, etc.), it can exfiltrate data in seconds and then self-destruct or stay hidden.

Twilight Cyber has covered the most popular infostealers in detail, including an emerging strain called Rhadamanthys. For more information, please read our full post on Rhadamanthys.

All the passwords, cookies, and system info the infostealer captures are packaged into a log file. From there, cybercriminals upload these logs to marketplaces on the dark web or hacker forums to monetize them.

A single active session cookie or credential in a log can let attackers slip into an account without raising alarms. On underground markets, stolen logs are big business. 

Where Are the Logs Sold?

A June 2025 analysis by BleepingComputer highlighted that “Russian Market” remains the go-to marketplace for logs, with prices as low as $2 per log.


These sites have slick interfaces and search functions, letting buyers easily find logs by company domain, application, or keywords like “VPN” or “bank”.

Some platforms even allow pre-ordering logs for specific organizations or accounts (for a price), essentially letting attackers shop for victims on demand.

Initial Access Brokers bulk-buy logs from malware operators and then resell them to other threat actors. The result is an efficient pipeline: a single infostealer infection on someone’s PC in the morning can lead to their company’s network being accessed by an attacker by the afternoon. 

It’s a thriving underground economy and it’s lowering the barrier to entry for cybercrime, since even less-skilled attackers can simply purchase ready-made access rather than develop exploits.

From Logs to Full-Blown Attacks

Once acquired, these infostealer logs offer everything a cybercriminal needs to impersonate victims and penetrate organizations. Here are the most pressing risks that arise from log-based attacks:

Account Takeovers (ATO)

Stolen credentials allow attackers to directly log in to user accounts, from personal email and social media to corporate VPNs and cloud services.

With valid usernames and passwords (or session tokens), hackers can impersonate employees or customers, often escalating their access through single sign-on links or reused passwords. A single compromised account can unlock email systems, internal tools, and other sensitive systems, potentially leading to data breaches or even the deployment of ransomware. 

Even one set of stolen credentials from a log can snowball into a full organizational compromise if the attacker moves laterally.

Twilight Cyber stops account takeovers before they start by detecting stolen credentials and session tokens within hours, then instantly blocks risky logins, resets passwords, and enforces MFA.


Session Hijacking

Many logs contain browser session cookies (those little files that keep you logged into websites). 

If attackers snatch an active session token, they can hijack your session and access the account without needing a password or 2FA.

In other words, they ride in on your already-authenticated session. This is especially dangerous because it bypasses multi-factor authentication protections: the website thinks the legitimate user is still active.

The FBI warned in late 2024 that criminals were actively stealing “Remember Me” login cookies to silently evade MFA and take over accounts.

Why Log-Based Attacks Are Becoming More Common and Effective

There are several factors that have led to an uptick in log-based cyberattacks.

The main factor is the commercialization of infostealer malware. With Malware-as-a-Service, infostealers are now cheap, accessible, and widespread. Cybercriminal forums are flooded with offerings of ready-made stealer malware subscriptions and DIY kits.

This means more attackers deploying infostealers than ever before. In fact, IBM observed an 84% year-over-year increase in phishing emails delivering infostealers recently, as threat actors realize how easily these tools yield valuable credentials. The result is a flood of stolen data feeding the underground markets.

Figure: IBM chart on the year-over-year rise in phishing emails delivering infostealers. Source: IBM

Another factor is the shift toward cookie-based authentication and cloud services. As more organizations adopt browser-based SaaS platforms, the value of session tokens has skyrocketed. Attackers no longer need to crack passwords or bypass MFA. A single valid session cookie can grant full access to business-critical tools like Microsoft 365, Slack, Jira, or Salesforce.

At the same time, many organizations lack visibility into this kind of credential exposure. Traditional security tools might detect brute-force attempts or malware infections, but they often miss the quiet danger of a stolen session token being used from a new location or device.
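The visibility gap just described (and the session hijacking risk above) can be closed on the application side by binding each session id to the network and browser it was issued to, and treating a replay from elsewhere as a signal. The following is an added example, not Twilight Cyber’s code: a small session guard run over constructed auth log lines; the log format, session ids, IPs and User-Agent strings are all made up for the illustration.

```python
import hashlib
import re
# Constructed log shape: a session id is ISSUEd at login and USEd on later requests.
LINE = re.compile(r'(\S+) (ISSUE|USE) sid=(\S+)(?: user=(\S+))? ip=(\S+) ua="([^"]*)"')

def net24(ip):
    return ".".join(ip.split(".")[:3])  # compare on /24: DHCP churn inside one office is not a mismatch
def ua_hash(ua):
    return hashlib.sha256(ua.encode()).hexdigest()[:12]

class SessionGuard:
    def __init__(self):
        self.sessions = {}  # sid -> {"user", "net", "ua", "revoked"}
        self.alerts = []    # (sid, user, action) for the SOC queue

    def issue(self, sid, user, ip, ua):
        self.sessions[sid] = {"user": user, "net": net24(ip), "ua": ua_hash(ua), "revoked": False}

    def use(self, sid, ip, ua):
        s = self.sessions.get(sid)
        if s is None or s["revoked"]:
            return "reject"
        net_ok, ua_ok = net24(ip) == s["net"], ua_hash(ua) == s["ua"]
        if net_ok and ua_ok:
            return "ok"
        # A stealer log ships the victim's User-Agent next to the cookie, so a matching UA
        # from a new network is still suspect: demand step-up auth. Both differ: revoke.
        action = "step_up" if (net_ok or ua_ok) else "revoke"
        s["revoked"] = action == "revoke"
        self.alerts.append((sid, s["user"], action))
        return action

def replay(lines):
    g, verdicts = SessionGuard(), []  # returns ([(ts, sid, verdict) per USE line], alerts)
    for m in filter(None, map(LINE.match, lines)):
        ts, kind, sid, user, ip, ua = m.groups()
        if kind == "ISSUE":
            g.issue(sid, user, ip, ua)
        else:
            verdicts.append((ts, sid, g.use(sid, ip, ua)))
    return verdicts, g.alerts

CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/126"
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128"
SAMPLE_LOG = [  # constructed: alice logs in, then her cookie is replayed from elsewhere
    f'2025-07-02T08:00:00Z ISSUE sid=s1 user=alice ip=203.0.113.10 ua="{CHROME}"',
    f'2025-07-02T08:30:00Z USE sid=s1 ip=203.0.113.44 ua="{CHROME}"',   # same office /24: ok
    f'2025-07-02T13:10:00Z USE sid=s1 ip=198.51.100.7 ua="{CHROME}"',   # new network, copied UA: step_up
    f'2025-07-02T13:11:00Z USE sid=s1 ip=198.51.100.7 ua="{FIREFOX}"',  # new network and browser: revoke
    f'2025-07-02T13:12:00Z USE sid=s1 ip=203.0.113.10 ua="{CHROME}"',   # the real user, after revocation: reject
]
```

Each alert carries the user whose session was replayed, which is what a response playbook needs to trigger the password reset and token revocation steps.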

Defend Against Log-Based Threats with Twilight

That’s exactly the kind of visibility Twilight Cyber brings.

Our platform monitors dark web marketplaces, Telegram channels, and private infostealer dumps to identify stolen credentials and session cookies linked to your domain. Once detected, we alert your team in real time, way before the data is used maliciously.

From there, we help you act fast: resetting passwords, revoking session tokens, enforcing step-up authentication, and alerting affected users.

Contact us today and we will demonstrate the value of early threat detection.


