Closing the EDR Gap: Why Infostealers Keep Winning (and How to Fight Back)

Posted on June 12, 2025
Spanish telecommunications giant Telefonica recently fell victim to a significant cybersecurity breach, showing that even large organizations can be vulnerable. The event highlights how important it is to maintain strong defenses, especially against infostealers, which are designed specifically to steal information.
The Breach: What Happened?
This month (January 2025), Telefonica confirmed unauthorized access to its internal Jira ticketing system. The breach, orchestrated by a group of attackers allegedly linked to the Hellcat ransomware group, resulted in the theft of approximately 2.3 GB of sensitive data. The stolen information included:
- 24,000 employee emails and names
- 500,000 Jira issues and summaries
- 5,000 internal documents
- 236,493 lines of customer data
The Attack Vector: Infostealer Malware
The breach was facilitated by infostealer malware, a type of malicious software designed to harvest sensitive information such as login credentials from infected devices. Numerous employees were reported to be compromised, providing attackers with critical credentials for initial access:
- 469 employee credentials on Telefonica’s domain were compromised.
Every month, Twilight Cyber detects over 100,000 compromised endpoints infected by infostealers – small, stealthy pieces of malware designed to steal credentials, session cookies, and other sensitive data before vanishing without a trace.
And yet, most security leaders still feel confident in their EDR or XDR stack. After all, those tools are built to detect malicious behavior on endpoints. So how are these simple data theft tools continuing to bypass some of the most advanced detection systems on the market?
In this post, we break down how modern infostealers operate, why traditional defenses often miss them, and how you can close the gap with real-time breach detection from outside your network. Because by the time your EDR alerts you, it might already be too late.
Why EDR Struggles to Catch Infostealers in Time
From their first moment on the machine, many infostealers inject themselves directly into trusted applications (such as Chrome or Outlook), riding on legitimate network channels to extract data. Their footprint is tiny: a handful of files or even just memory-resident code, which means they often evade signature-based detection and heuristic rules.
And when they decide to strike, they move fast. Within minutes, they scoop up everything from saved passwords to session cookies, then encrypt or obfuscate the payload before exfiltration. By the time your EDR flags an odd memory read or a strange outbound connection, the data is already on its way to a hacker’s server.

In a previous post, we explained how infostealers bypass modern EDR/XDR systems in detail.
Compounding the problem, busy security operations centers are drowning in alerts. A subtle infostealer event may land near the bottom of a long queue, waiting for someone to triage. And if it occurs on a contractor’s personal laptop or a test VM without an EDR agent installed? Your view is completely dark.
In short, visibility ends the moment data leaves the endpoint, and reaction often lags behind execution. The consequence: stolen credentials flood dark web markets and become weapons long before you know you’ve been hit.
Twilight Cyber: The Missing Layer for Real-Time Breach Detection
So what’s the solution? If the weakness lies in EDR’s lack of external awareness and delayed detection, the answer is to add a layer of real-time external breach detection. This is exactly the gap that Twilight Cyber was created to fill.
Think of it as an early-warning radar that operates outside your organization’s walls, constantly scanning for signs that one of your machines or credentials has been compromised – and doing so within hours of the breach.
How it works
In simple terms, Twilight Cyber monitors the places where stolen data inevitably surfaces. This includes dark web forums, criminal marketplaces, paste sites, and other corners of the internet where threat actors trade or leak data.
The platform uses a network of proprietary sensors and integrations to continuously sweep these sources for any trace of your organization’s assets, whether it’s an employee’s username, a hashed password, an email domain, or even a specific machine identifier. The moment something is found, Twilight Cyber immediately raises the alarm in real time.

Actionable alerts
Our alerts aren’t just a vague “we found something” message. Twilight Cyber provides actionable detail that security teams can use on the spot.
For example, a Twilight alert might tell you: “Credential for [employee name or ID] was just found in a breach log at 3:47 PM, likely originating from machine JohnDoe-PC via an infostealer (e.g., RedLine malware).”
You’ll know:
- Which user/machine is compromised
- What malware was involved, and
- When it happened, all within hours of the initial infection.

This level of context is a game-changer. It means your team can immediately target the affected machine for remediation (isolate it, wipe malware, force password resets for that user’s accounts, etc.), long before an attacker tries to reuse those stolen credentials.
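As an added illustration of the matching described under “How it works” and the alert content described above (example code written for this post, not Twilight Cyber’s platform code): sightings in the shape of a leaked stealer log are matched against an organization’s assumed domains and hostname convention, deduplicated per account and machine, flagged stale when old, and turned into alerts that carry user, machine, malware family, time and suggested response steps. All domains, hostnames and records are constructed.

```python
# Added example, not Twilight Cyber's code: match externally observed credential sightings
# against an organization's own assets and emit the kind of alert the post describes.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

@dataclass(frozen=True)
class LeakRecord:
    """One credential line in the shape a leaked stealer log might have (constructed)."""
    email: str
    target_url: str     # site the credential was saved for
    host: str           # infected machine name, e.g. "JohnDoe-PC"
    family: str         # stealer family the log attributes the record to
    seen_at: datetime   # when the record surfaced externally (UTC)
ORG_DOMAINS = {"example.com"}   # assumed domains of a fictional organization
ORG_HOST_PREFIXES = ("EX-",)    # assumed corporate hostname convention

def _is_our_domain(h):
    return h is not None and any(h == d or h.endswith("." + d) for d in ORG_DOMAINS)
def is_org_asset(rec: LeakRecord) -> bool:
    """True if the account, the target site, or the host name points at the organization.
    Matching the target site catches personal (BYOD) accounts saved for corporate apps."""
    return (_is_our_domain(rec.email.rpartition("@")[2].lower())
            or _is_our_domain(urlsplit(rec.target_url).hostname)
            or rec.host.upper().startswith(ORG_HOST_PREFIXES))

def build_alerts(records, now, max_age=timedelta(hours=24)):
    """One alert per (account, host) pair, newest first; sightings older than max_age are stale."""
    latest = {}
    for rec in records:
        if not is_org_asset(rec):
            continue
        key = (rec.email.lower(), rec.host.upper())
        if key not in latest or rec.seen_at > latest[key].seen_at:
            latest[key] = rec
    return [{
        "user": r.email, "machine": r.host, "malware": r.family,
        "seen_at": r.seen_at.isoformat(), "stale": now - r.seen_at > max_age,
        "actions": ["isolate host", "remove stealer", "reset passwords", "revoke sessions"],
    } for r in sorted(latest.values(), key=lambda r: r.seen_at, reverse=True)]

# Constructed sample sightings, not real data.
NOW = datetime(2025, 6, 12, 18, 0, tzinfo=timezone.utc)
SAMPLE = [
    LeakRecord("john.doe@example.com", "https://jira.example.com/login", "JohnDoe-PC", "RedLine", NOW - timedelta(hours=2)),
    LeakRecord("john.doe@example.com", "https://mail.example.com/", "JohnDoe-PC", "RedLine", NOW - timedelta(hours=5)),
    LeakRecord("someone@other.org", "https://shop.example.net/", "HOME-LAPTOP", "unknown", NOW - timedelta(hours=1)),
    LeakRecord("contractor@gmail.com", "https://vpn.example.com/", "EX-CONTRACTOR7", "unknown", NOW - timedelta(days=3)),
]
```

Running `build_alerts(SAMPLE, NOW)` yields two alerts: the fresh JohnDoe-PC sighting (the two RedLine records collapse to the newest one) and a stale hit for the contractor’s personal account saved for the corporate VPN, which an endpoint agent would never have seen.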
No endpoint installation
Another big advantage: no endpoint installation is required.
Twilight Cyber operates completely externally, which means it doesn’t matter whether the compromised device was a managed corporate laptop with EDR, a personal home PC, or a partner’s server. In all cases, if that device’s data is floating around the dark web, Twilight’s system will catch it.
This makes it an ideal safety net for BYOD and third-party scenarios – areas that traditional tools can’t cover. Essentially, Twilight Cyber acts as a virtual sensor network extending your visibility beyond the corporate perimeter.
Why EDR + Twilight Cyber Works
Combining your existing endpoint defenses with Twilight Cyber’s real-time breach detection creates a powerful one-two punch against infostealers (and other stealthy threats). Each solution covers the other’s weaknesses, resulting in a much more resilient security posture.
| Twilight Cyber | EDR |
| --- | --- |
| Detects real-world breach events | Detects internal anomalies |
| Tells you exactly what was stolen | Tells you what was suspicious |
| Requires no agent or install | Requires endpoint integration |
| Operates outside the network | Protects inside the network |
Together, you cover both sides of the attack lifecycle: what happens before and after the breach.
Rethink Your Defensive Stack for the Modern Threat Landscape
The rise of infostealers has made one thing abundantly clear: relying on endpoint security alone is no longer enough.
It’s time to ask yourself: “If an infostealer hit us tomorrow, would we know quickly enough to stop real damage?” If the honest answer is “I’m not sure” or “probably not until it’s too late,” then consider bolstering your defenses with an external breach detection layer like Twilight Cyber.
By adding this missing piece, you’re turning on the lights in a room that was previously dark. You’ll know about compromises as they happen, not months afterward. You’ll be able to act decisively, cutting off attackers at the pass, before they use stolen data against you.
Ready to get started? Contact us today to schedule a FREE demo of the platform.