Beyond The Gates: An Empirical Analysis of HTTP-Managed Password Stealers and Operators

USENIX Security Symposium (2023)

Abstract
Password Stealers (Stealers) are commodity malware specializing in credential theft. This work presents a large-scale longitudinal study of Stealers and their operators. Using a commercial dataset, we characterize the activity of over 4,586 distinct Stealer operators through their devices spanning ten different Stealer families. Operators heavily use proxies, including traditional VPNs, residential proxies, mobile proxies, and the Tor network, when managing their botnet. Our affiliation analysis unveils a stratified enterprise of cybercriminals for each service offering, and we identify privileged operators using graph analysis. We find several Stealer-as-a-Service providers that lower the economic and technical barrier for many cybercriminals. We estimate that service providers benefit from high profit margins (up to 98%) and a lower-bound profit estimate of $11,000 per month. We find high-profile targeting like the Social Security Administration, the U.S. House of Representatives, and the U.S. Senate. We share our findings with law enforcement and publish six months of the dataset, analysis artifacts, and code.