What Is an Infostealer Log
Short answer
An infostealer log is the package of data that infostealer malware harvests from a single infected device, usually delivered as one archive per victim. It holds whatever the malware could reach: saved browser passwords, active session cookies, browsing history, autofill data, a fingerprint of the system and sometimes local files. Unlike a leaked password database, a log contains session cookies that were still valid when the device was infected, so they can be replayed to enter an account without the password. Logs are sold on criminal marketplaces, often within hours of the infection.
What a log contains
A typical infostealer log includes:
Credentials: usernames and passwords saved in browsers and password managers.
Session tokens and cookies: authentication cookies that were valid at the moment of infection. Until the session expires or is revoked, replaying one grants access to the account without the password and without a fresh MFA challenge.
Browser data: browsing history, autofill data (names, addresses, payment details), and bookmarks.
System information: operating system, hostname, IP address, installed software, and hardware identifiers.
Local files: some stealers grab documents, cryptocurrency wallets, or configuration files from specific paths.
A single log can contain credentials for dozens, sometimes hundreds, of services, from corporate applications to personal accounts.
How logs are structured
Most infostealer logs follow a predictable layout. The top level typically holds the system information (IP, OS, hostname, installed software), followed by files or subfolders per browser with the extracted passwords, cookies and autofill data. Some variants also include a screenshot taken at the moment of infection.
This predictable structure makes logs trivial to parse and index, which is exactly why criminal marketplaces can offer search-by-domain: an attacker looking for a way into a specific company searches for its domain and immediately gets every log that holds a credential or cookie for it. The same parseability cuts the other way: a defender who obtains a log can triage it for their own domains with a few lines of code.
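The following is an added example, not code from the original page or from any vendor, showing what such triage looks like for the log contents listed under "What a log contains" and the layout described above. It assumes one common layout (a passwords file of URL/USER/PASS triplets and a cookies file in Netscape cookie-jar format); real stealer families vary the file names and field order, so the formats, the `example.com`/`example.net` hosts and the sample entries are all constructed for illustration. Given a domain, it returns the credentials for that domain, flags passwords that the same victim reused on unrelated sites, and separates cookies that are still within their expiry from ones that are not.

```python
"""Triage a constructed infostealer log for one organisation's domain.
Added example, not the page's or any vendor's code; formats are assumptions."""
from __future__ import annotations
import re
import time
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample log contents (invented data, not from a real infection).
PASSWORDS_TXT = """\
URL: https://mail.example.com/login
USER: alice@example.com
PASS: Winter2024!

URL: https://vpn.example.com/
USER: alice
PASS: hunter2

URL: https://shop.example.net/account
USER: alice
PASS: hunter2
"""
# Netscape format: domain, include_subdomains, path, secure, expiry, name, value
COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File",
    "\t".join([".example.com", "TRUE", "/", "TRUE", "4102444800", "session_id", "abc123"]),
    "\t".join(["sso.example.com", "FALSE", "/", "TRUE", "946684800", "auth", "old-token"]),
    "\t".join(["shop.example.net", "FALSE", "/", "TRUE", "4102444800", "cart", "xyz"]),
])

@dataclass
class Credential:
    url: str
    user: str
    password: str

    @property
    def host(self) -> str:
        return (urlsplit(self.url).hostname or "").lower()

@dataclass
class Cookie:
    domain: str
    name: str
    value: str
    expires: int  # Unix time; 0 means a browser-session cookie

    def is_live(self, now: float | None = None) -> bool:
        # Expiry-based only: a server-side revocation is invisible in the log.
        now = time.time() if now is None else now
        return self.expires == 0 or self.expires > now

_CRED_BLOCK = re.compile(
    r"^URL:[ \t]*(?P<url>\S+)[ \t]*\r?\n"
    r"USER:[ \t]*(?P<user>[^\r\n]*?)[ \t]*\r?\n"
    r"PASS:[ \t]*(?P<pw>[^\r\n]*?)[ \t]*$", re.MULTILINE)

def parse_passwords(text: str) -> list[Credential]:
    """Extract URL/USER/PASS triplets; blocks that do not fit are ignored."""
    return [Credential(m["url"], m["user"], m["pw"]) for m in _CRED_BLOCK.finditer(text)]

def parse_cookies(text: str) -> list[Cookie]:
    """Parse Netscape cookie-jar lines, skipping comments and malformed rows."""
    cookies: list[Cookie] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7 or not parts[4].isdigit():
            continue  # a hostile or truncated file must not crash the triage
        domain, _sub, _path, _secure, expiry, name, value = parts
        cookies.append(Cookie(domain, name, value, int(expiry)))
    return cookies

def matches_domain(host: str, domain: str) -> bool:
    """True for the domain itself and its subdomains, never for look-alikes."""
    host, domain = host.lower().lstrip("."), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(domain: str, passwords_txt: str, cookies_txt: str,
           now: float | None = None) -> dict[str, list]:
    """Everything in the log that touches `domain`, split by what it still buys."""
    creds, cookies = parse_passwords(passwords_txt), parse_cookies(cookies_txt)
    hosts_by_password: dict[str, set[str]] = defaultdict(set)
    for c in creds:
        hosts_by_password[c.password].add(c.host)
    ex: dict[str, list] = {"credentials": [], "reused": [], "live_cookies": [], "expired_cookies": []}
    for c in creds:
        if matches_domain(c.host, domain):
            ex["credentials"].append(c)
            if len(hosts_by_password[c.password]) > 1:  # same password on another host
                ex["reused"].append(c)
    for ck in cookies:
        if matches_domain(ck.domain, domain):
            ex["live_cookies" if ck.is_live(now) else "expired_cookies"].append(ck)
    return ex

if __name__ == "__main__":
    print(triage("example.com", PASSWORDS_TXT, COOKIES_TXT))
```

Two design points matter for a defender using something like this. `matches_domain` suffix-matches on a dot boundary so that `notexample.com` never counts as a hit for `example.com`, and the parsers skip anything malformed instead of raising, because a log bought or scraped from a marketplace is attacker-controlled input. The liveness check is only an expiry check: whether a cookie still works is decided by the service's session store, so a "live" result means "revoke this session now", not "this session is known to be valid".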
How logs end up on criminal marketplaces
After an infostealer runs on a device, the stolen data is automatically uploaded to the operator's infrastructure. From there, logs are listed for sale on criminal marketplaces (dark web forums, Telegram channels and Discord servers), frequently within hours of the infection. Prices track the value of the access: logs containing active corporate sessions, banking access or VPN credentials sell for significantly more than ones holding only personal accounts.
Why logs matter for organizations
A single log from one infected employee device can expose active sessions, VPN credentials, email access and cloud platform tokens. A stolen session cookie represents a login that has already passed MFA, so replaying it skips the challenge entirely unless the service binds sessions to the originating device: the attacker imports the cookie into a browser and is signed in, with no password to crack and no second factor to satisfy. For the same reason, resetting the user's password is not enough on its own; the affected sessions must be revoked, and the device treated as compromised until it has been cleaned, since the stealer may still be running.
This is why monitoring for your organization's domains in stealer logs is critical. Passguard monitors the criminal marketplaces where these logs are traded and alerts your security team the moment stolen sessions linked to your systems appear. Want to know if your company is already exposed? Run a free scan at passguard.com.
