
Malware Infections (Infostealers)

Overview

Malware infection data comes from information-stealing malware (infostealers) that capture sensitive data from infected devices and transmit it to threat actors. This data offers unique insights into compromised credentials, cookies, system information, and leaked secrets that may not appear in traditional database breaches.

Characteristics

  • Origin: Data captured by malware from infected user devices.
  • Freshness: Often more recent than database breaches, representing active compromise.
  • Comprehensiveness: Can include data from multiple services accessed on the infected device, system details, and potentially sensitive files or source code.
  • Context: May include system information and behavioral data in addition to credentials and secrets.

Infostealer Types

Our system monitors data from 30+ different infostealer types, including:

  • RedLine
  • Meta
  • LummaC2
  • Vidar
  • Azorult
  • Raccoon
  • Cryptbot
  • And many more

Data Categories from Malware

Infostealers typically collect multiple types of sensitive information from infected devices:

Credentials

Stolen login information including:

  • Source application (browser or email client)
  • Website or service URL
  • Username/email
  • Plaintext password

Cookies

Browser cookies that can enable session hijacking:

  • Source browser
  • Website domain
  • Expiry details
  • Cookie values

Leaked Secrets

Hardcoded secrets found within files, configuration, or environment variables on the infected machine. These are often critical for accessing services and infrastructure:

  • Detection: We utilize specialized tools like Gitleaks, configured with a comprehensive set of rules, to scan files collected by infostealers. These rules are designed to identify patterns characteristic of various secret types.
  • Validation: Potential secrets undergo validation steps to reduce false positives and confirm the likelihood of a valid secret.
  • Types Detected: Common examples include API Keys & Tokens (AWS, GCP, Azure, GitHub, Slack, Stripe, Twilio, etc.), Private Keys (SSH, PGP), Database Credentials, Service Account Tokens (e.g., GCP, Vault), OAuth Tokens, and Configuration Secrets (e.g., Kubernetes secrets in YAML).

Examples of Detected Secret Types

The following table provides examples of the kinds of secrets our system can detect within malware logs. This list covers the majority of detectable types based on our configured rules but may not be exhaustive.

Secret Type (Rule ID) | Description | Example Format
1password-service-account-token | 1Password service account token | ops_eyJ...<250+ chars>...
adafruit-api-key | Adafruit API Key | aio_********************************
adobe-client-id | Adobe OAuth Web Client ID | ******************************** (32 hex chars)
adobe-client-secret | Adobe Client Secret | p8e-********************************
age-secret-key | Age encryption tool secret key | AGE-SECRET-KEY-1**********************************************************
airtable-api-key | Airtable API Key | key***************** (17 chars)
algolia-api-key | Algolia API Key | ******************************** (32 chars)
alibaba-access-key-id | Alibaba Cloud AccessKey ID | LTAI********************
alibaba-secret-key | Alibaba Cloud Secret Key | ****************************** (30 chars)
asana-client-id | Asana Client ID | **************** (16 digits)
asana-client-secret | Asana Client Secret | ******************************** (32 chars)
atlassian-api-token | Atlassian API token (Jira, Confluence) | ************************ or ATATT3****************...
authress-service-client-access-key | Authress Service Client Access Key | sc_*.{key_id}.acc-{tenant_id}.{signing_key}
aws-access-token | AWS Access Key ID | AKIA**************** or ASIA**************** etc.
aws-secret-key | AWS Secret Key | **************************************** (40 hex chars)
azure-ad-client-secret | Azure AD Client Secret | ***dQ~**********************************
beamer-api-token | Beamer API token | b_********************************************
bitbucket-client-id | Bitbucket Client ID | ******************************** (32 chars)
bitbucket-client-secret | Bitbucket Client Secret | **************************************************************** (64 chars)
bittrex-access-key | Bittrex Access Key | ******************************** (32 chars)
bittrex-secret-key | Bittrex Secret Key | ******************************** (32 chars)
cisco-meraki-api-key | Cisco Meraki API Key | **************************************** (40 hex chars)
clojars-api-token | Clojars API token | CLOJARS_************************************************************
cloudflare-api-key | Cloudflare API Key | **************************************** (40 chars)
cloudflare-global-api-key | Cloudflare Global API Key | ************************************* (37 hex chars)
cloudflare-origin-ca-key | Cloudflare Origin CA Key | v1.0-************************-****************... (146 hex chars)
codecov-access-token | Codecov Access Token | ******************************** (32 chars)
cohere-api-token | Cohere API Token | **************************************** (40 chars)
coinbase-access-token | Coinbase Access Token | **************************************************************** (64 chars)
confluent-access-token | Confluent Access Token | **************** (16 chars)
confluent-secret-key | Confluent Secret Key | **************************************************************** (64 chars)
contentful-delivery-api-token | Contentful delivery API token | ******************************************* (43 chars)
databricks-api-token | Databricks API token | dapi********************************
datadog-access-token | Datadog API Key | **************************************** (40 chars)
defined-networking-api-token | Defined Networking API token | dnkey-**************************-****************************************************
digitalocean-access-token | DigitalOcean OAuth Access Token | doo_v1_****************************************************************
digitalocean-pat | DigitalOcean Personal Access Token | dop_v1_****************************************************************
digitalocean-refresh-token | DigitalOcean OAuth Refresh Token | dor_v1_****************************************************************
discord-api-token | Discord API Key | **************************************************************** (64 hex chars)
discord-client-id | Discord client ID | ****************** (18 digits)
discord-client-secret | Discord client secret | ******************************** (32 chars)
doppler-api-token | Doppler API token | dp.pt.*******************************************
droneci-access-token | Droneci Access Token | ******************************** (32 chars)
dropbox-api-token | Dropbox API secret | *************** (15 chars)
dropbox-long-lived-api-token | Dropbox long-lived API token | ***********AAAAAAAAAA*******************************************
dropbox-short-lived-api-token | Dropbox short-lived API token | sl.***************************************************************************************************************************************
duffel-api-token | Duffel API token | duffel_test_*******************************************
dynatrace-api-token | Dynatrace API token | dt0c01.************************.****************************************************************
easypost-api-token | EasyPost API token | EZAK******************************************************
easypost-test-api-token | EasyPost test API token | EZTK******************************************************
etsy-access-token | Etsy Access Token | ************************ (24 chars)
facebook-access-token | Facebook Access Token (Legacy) | ***************
facebook-page-access-token | Facebook Page Access Token | EAA************************************************************************************************************************
facebook-secret | Facebook Application secret | ******************************** (32 hex chars)
fastly-api-token | Fastly API key | ******************************** (32 chars)
finicity-api-token | Finicity API token | ******************************** (32 hex chars)
finicity-client-secret | Finicity Client Secret | ******************** (20 chars)
finnhub-access-token | Finnhub Access Token | ******************** (20 chars)
flickr-access-token | Flickr Access Token | ******************************** (32 chars)
flutterwave-encryption-key | Flutterwave Encryption Key (Test) | FLWSECK_TEST-************
flutterwave-public-key | Flutterwave Public Key (Test) | FLWPUBK_TEST-********************************-X
flutterwave-secret-key | Flutterwave Secret Key (Test) | FLWSECK_TEST-********************************-X
flyio-access-token | Fly.io API key | fo1_******************************************* or fm1*_...
frameio-api-token | Frame.io API token | fio-u-****************************************************************
freemius-secret-key | Freemius secret key (in PHP context) | sk_*****************************
freshbooks-access-token | Freshbooks Access Token | **************************************************************** (64 chars)
gcp-api-key | Google Cloud Platform API Key | AIza***********************************
gcp-service-account-json | GCP Service Account JSON | {"private_key": "***", "private_key_id": "***", "project_id": "***", "token_url": "***", "client_email": "***", "client_id": "***", "client_x509_cert_url": "***"}
github-app-token | GitHub App Token | ghu_************************************ or ghs_...
github-fine-grained-pat | GitHub Fine-Grained Personal Access Token | github_pat_**********************************************************************************
github-oauth | GitHub OAuth Access Token | gho_************************************
github-pat | GitHub Personal Access Token (Classic) | ghp_************************************
github-refresh-token | GitHub Refresh Token | ghr_************************************
gitlab-cicd-job-token | GitLab CI/CD Job Token | glcbt-*****_********************
gitlab-deploy-token | GitLab Deploy Token | gldt-********************
gitlab-feature-flag-client-token | GitLab feature flag client token | glffct-********************
gitlab-feed-token | GitLab feed token | glft-********************
gitlab-kubernetes-agent-token | GitLab Kubernetes Agent token | glagent-**************************************************
gitlab-oauth-app-secret | GitLab OIDC Application Secret | gloas-****************************************************************
gitlab-pat | GitLab Personal Access Token | glpat-********************
gitlab-pat-routable | GitLab Personal Access Token (routable) | glpat-***************************.**...
gitlab-ptt | GitLab Pipeline Trigger Token | glptt-****************************************
gitlab-rrt | GitLab Runner Registration Token | GR1348941********************
gitlab-runner-authentication-token | GitLab Runner Authentication Token | glrt-********************
gitlab-scim-token | GitLab SCIM Token | glsoat-********************
gitlab-session-cookie | GitLab Session Cookie | _gitlab_session=********************************
gitter-access-token | Gitter Access Token | **************************************** (40 chars)
gocardless-api-token | GoCardless API token | live_****************************************
grafana-api-key | Grafana API key | eyJrIjoi...<70-400 chars>...
grafana-cloud-api-token | Grafana cloud API token | glc_...<32-400 chars>...
grafana-service-account-token | Grafana service account token | glsa_********************************_********
harness-api-key | Harness Access Token (PAT or SAT) | pat.**********************.************************.********************
hashicorp-tf-api-token | HashiCorp Terraform user/org API token | **************.atlasv1.************************************************************
heroku-api-key | Heroku Platform API Key | ********-****-****-****-************
hubspot-api-key | HubSpot API Token | ********-****-****-****-************
huggingface-access-token | Hugging Face Access token | hf_**********************************
huggingface-organization-api-token | Hugging Face Organization API token | api_org_**********************************
infracost-api-token | Infracost API Token | ico-********************************
intercom-api-key | Intercom API Token | ************************************************************ (60 chars)
intra42-client-secret | Intra42 client secret | s-s4t2ud-****************************************************************
jfrog-api-key | JFrog API Key | ************************************************************************* (73 chars)
jfrog-identity-token | JFrog Identity Token | **************************************************************** (64 chars)
kraken-access-token | Kraken Access Token | ...<80-90 chars>...
kucoin-access-token | Kucoin Access Token | ************************ (24 hex chars)
kucoin-secret-key | Kucoin Secret Key | ********-****-****-****-************
launchdarkly-access-token | Launchdarkly Access Token | **************************************** (40 chars)
linear-api-key | Linear API Token | lin_api_****************************************
linear-client-secret | Linear Client Secret | ******************************** (32 hex chars)
linkedin-client-id | LinkedIn Client ID | ************** (14 chars)
linkedin-client-secret | LinkedIn Client secret | **************** (16 chars)
lob-api-key | Lob API Key (Live or Test) | live_***********************************
lob-pub-api-key | Lob Publishable API Key (Live or Test) | live_pub_*******************************
mailchimp-api-key | Mailchimp API key | ********************************-us**
mailgun-private-api-token | Mailgun private API token | key-********************************
mailgun-pub-key | Mailgun public validation key | pubkey-********************************
mailgun-signing-key | Mailgun webhook signing key | ********************************-********-********
mapbox-api-token | MapBox API token | pk.************************************************************.**********************
mattermost-access-token | Mattermost Access Token | ************************** (26 chars)
maxmind-license-key | MaxMind license key | ******_*****************************_mmk
messagebird-api-token | MessageBird API token | ************************* (25 chars)
messagebird-client-id | MessageBird client ID | ********-****-****-****-************
microsoft-teams-webhook | Microsoft Teams Webhook URL | https://*.webhook.office.com/webhookb2/.../IncomingWebhook/...
netlify-access-token | Netlify Access Token | ...<40-46 chars>...
new-relic-browser-api-token | New Relic ingest browser API token | NRJS-*******************
new-relic-insert-key | New Relic insight insert key | NRII-********************************
new-relic-user-api-id | New Relic user API ID | **************************************************************** (64 chars)
new-relic-user-api-key | New Relic user API Key | NRAK-***************************
npm-access-token | npm access token | npm_************************************
nytimes-access-token | Nytimes Access Token | ******************************** (32 chars)
octopus-deploy-api-key | Octopus Deploy API key | API-**************************
okta-access-token | Okta Access Token | 00****************************************
openai-api-key | OpenAI API Key | sk-************************************************ or sk-proj-...
openshift-user-token | OpenShift user token | sha256~*******************************************
perplexity-api-key | Perplexity API key | pplx-************************************************
plaid-api-token | Plaid API Token | access-production-********-****-****-****-************
plaid-client-id | Plaid Client ID | ************************ (24 chars)
plaid-secret-key | Plaid Secret key | ****************************** (30 chars)
planetscale-api-token | PlanetScale API token | pscale_tkn_...<32-64 chars>...
planetscale-oauth-token | PlanetScale OAuth token | pscale_oauth_...<32-64 chars>...
planetscale-password | PlanetScale password | pscale_pw_...<32-64 chars>...
postman-api-token | Postman API token | PMAK-************************-**********************************
prefect-api-token | Prefect API token | pnu_************************************
private-key | Generic Private Key | -----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----
privateai-api-token | PrivateAI API Token | ******************************** (32 chars)
pulumi-api-token | Pulumi API token | pul-****************************************
pypi-upload-token | PyPI upload token | pypi-AgEIcHlwaS5vcmc...<50-1000 chars>...
rapidapi-access-token | RapidAPI Access Token | ************************************************** (50 chars)
readme-api-token | Readme API token | rdme_**********************************************************************
rubygems-api-token | Rubygem API token | rubygems_************************************************
scalingo-api-token | Scalingo API token | tk-us-************************************************
sendbird-access-id | Sendbird Access ID | ********-****-****-****-************
sendbird-access-token | Sendbird Access Token | **************************************** (40 hex chars)
sendgrid-api-token | SendGrid API token | SG.******************************************************************.**********************
sendinblue-api-token | Sendinblue API token | xkeysib-****************************************************************-****************
sentry-access-token | Sentry.io Access Token (old format) | **************************************************************** (64 hex chars)
sentry-org-token | Sentry.io Organization Token | sntrys_eyJpYXQiO...LCJyZWdpb25fdXJs..._*******************************************
sentry-user-token | Sentry.io User Token | sntryu_****************************************************************
settlemint-application-access-token | Settlemint Application Access Token | sm_aat_****************
settlemint-personal-access-token | Settlemint Personal Access Token | sm_pat_****************
settlemint-service-access-token | Settlemint Service Access Token | sm_sat_****************
shippo-api-token | Shippo API token (Live or Test) | shippo_live_****************************************
shopify-access-token | Shopify Admin API Access Token | shpat_********************************
shopify-custom-access-token | Shopify custom access token | shpca_********************************
shopify-private-app-access-token | Shopify private app access token | shppa_********************************
shopify-shared-secret | Shopify shared secret | shpss_********************************
sidekiq-secret | Sidekiq Secret (Enterprise/Gems Bundle Auth) | ********:******** (hex:hex)
slack-app-token | Slack App-level token | xapp-*-***********-***********-**********************************************************************************************************************************
slack-bot-token | Slack Bot token | xoxb-***********-***********-************************
slack-config-access-token | Slack Configuration access token | xoxe.xox*-*-*********************************************************************************************************************************************************
slack-config-refresh-token | Slack Configuration refresh token | xoxe-*-**********************************************************************************************************************************************************
slack-legacy-bot-token | Slack Legacy bot token | xoxb-********-**********************
slack-legacy-token | Slack Legacy token (Test) | xox*-*********-*********-*********-********************************
slack-legacy-workspace-token | Slack Legacy Workspace token | xox*-*********-****************************************
slack-user-token | Slack User token | xox*-***********-***********-***********-******************************
snyk-api-token | Snyk API token | ********-****-****-****-************
sonar-api-token | SonarQube/SonarCloud API token | **************************************** (40 chars)
sourcegraph-access-token | Sourcegraph access token | sgp_****************_****************************************
square-access-token | Square Access Token | EAAA********************** or sq0atp-**********************
squarespace-access-token | Squarespace Access Token | ********-****-****-****-************
stripe-access-token | Stripe API Key (Secret or Restricted) | sk_live_************************ or rk_test_...
sumologic-access-id | SumoLogic Access ID | su************
sumologic-access-token | SumoLogic Access Token | **************************************************************** (64 chars)
telegram-bot-api-token | Telegram Bot API Token | ************:**********************************
travisci-access-token | Travis CI Access Token | ********************** (22 chars)
twilio-api-key | Twilio API Key SID | SK********************************
twitch-api-token | Twitch API token | ****************************** (30 chars)
twitter-access-secret | Twitter Access Secret | ********************************************* (45 chars)
twitter-access-token | Twitter Access Token | ***************-******************************
twitter-api-key | Twitter API Key (Consumer Key) | ************************* (25 chars)
twitter-api-secret | Twitter API Secret (Consumer Secret) | ************************************************** (50 chars)
twitter-bearer-token | Twitter Bearer Token | AAAAAAAAAAAAAAAAAAAAA...<80-100 chars>...
typeform-api-token | Typeform API token | tfp_***********************************************************
vault-batch-token | HashiCorp Vault Batch Token | hvb....<138-300 chars>...
vault-service-token | HashiCorp Vault Service Token | hvs....<90-120 chars>... or s.************************
yandex-access-token | Yandex Access Token | t1.*****************************************************.**************************************************************************************
yandex-api-key | Yandex API Key | AQVN***********************************
yandex-aws-access-token | Yandex AWS Access Token | YC**************************************
zendesk-secret-key | Zendesk Secret Key | **************************************** (40 chars)
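As an added example (not NordStellar's scanner and not Gitleaks' rule set), the Python below runs a handful of regexes modelled on the Example Format column above over constructed sample files, applies an entropy check as the validation step described under Leaked Secrets, and reports each finding in the masked form the table uses. The regexes, the entropy threshold and every sample value are this example's assumptions.

```python
import math
import re
from dataclasses import dataclass

# Illustrative regexes written for this example, modelled on the Example Format
# column of the table above. They are not Gitleaks' own rule definitions.
RULES = {
    "aws-access-token":    re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b"),
    "github-pat":          re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "slack-bot-token":     re.compile(r"\b(xoxb-\d{11}-\d{11}-[A-Za-z0-9]{24})\b"),
    "stripe-access-token": re.compile(r"\b((?:sk|rk)_(?:live|test)_[A-Za-z0-9]{24,})\b"),
    "private-key":         re.compile(
        r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----[\s\S]*?-----END (?:[A-Z ]+ )?PRIVATE KEY-----"),
}

@dataclass
class Finding:
    rule_id: str
    path: str
    line: int
    masked: str      # prefix kept, remainder replaced by '*', like the table's Example Format
    entropy: float

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders such as AKIAXXXXXXXXXXXXXXXX score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def mask(secret: str, keep: int = 4) -> str:
    """Render a secret the way the table does: a short prefix, the rest as asterisks."""
    if "\n" in secret:                       # PEM block: keep only the header line
        return secret.splitlines()[0] + " ... (body redacted)"
    return secret[:keep] + "*" * (len(secret) - keep)

def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list:
    """Run every rule over one file's content and apply the validation step."""
    findings = []
    for rule_id, rx in RULES.items():
        for m in rx.finditer(text):
            secret = m.group(1) if m.groups() else m.group(0)
            entropy = shannon_entropy(secret)
            # Validation: a match whose characters barely vary is almost always a
            # template or placeholder, not a live credential; PEM blocks are exempt.
            if rule_id != "private-key" and entropy < min_entropy:
                continue
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(rule_id, path, line, mask(secret), round(entropy, 2)))
    return findings

def scan_files(files: dict) -> list:
    """files maps a path to its text, as pulled from the stolen files of a malware log."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample files with made-up values; none of these is a real credential.
SAMPLE_FILES = {
    ".env": (
        "DB_HOST=db.internal\n"
        "AWS_ACCESS_KEY_ID=AKIA4J7Q2ZX9MT8VB3WC\n"
        "AWS_ACCESS_KEY_ID_TEMPLATE=AKIAXXXXXXXXXXXXXXXX\n"
        "STRIPE_SECRET=sk_live_9xQ2mT7vLp4Rk1Nb8WzYc3Ha\n"
    ),
    "deploy.yml": (
        "slack_token: xoxb-12345678901-98765432109-AbCdEfGhIjKlMnOpQrStUvWx\n"
        "github_token: ghp_q8Zt3mLp0RvX2kNb9WaJ4cYe7HsU1dGf5TiK\n"
    ),
    "id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEFAKEBODYFORILLUSTRATIONONLY\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}  {f.rule_id:<20} {f.masked}  (entropy {f.entropy})")
```

The placeholder key on line 3 of `.env` matches the AWS regex but is dropped by the entropy check, which is the kind of false positive the validation step exists to remove.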

System Information

Details about the infected device:

  • OS version
  • IP address
  • Hardware information (HWID, Machine ID)
  • System language and settings

User Information

Personal details of the victim:

  • Device Username
  • Full name (if available)
  • Location (derived from IP)

Stolen Files

Documents, source code, configuration files, and other sensitive files exfiltrated from the device:

  • Personal documents
  • Financial records
  • Business information
  • Source code repositories
  • Configuration files (.env, .aws/credentials, etc.)

Data Example

Below is an example of what malware infection data might look like, potentially including credentials, cookies, and detected secrets:

[Image: Malware infection example] (Note: The example image might not explicitly show leaked secrets, but they are a potential component of malware logs.)

Security Implications

Malware infection data presents unique and severe threats:

  • Immediate Risk: Credentials and cookies are often current and immediately usable for account takeover.
  • Session Hijacking: Stolen cookies can allow account access without credentials, bypassing MFA.
  • Multiple Service Exposure: A single infection can compromise dozens of services used by one individual.
  • Corporate Network Access: Infected employee devices may expose enterprise credentials, VPN keys, or internal service tokens.
  • Infrastructure Compromise: Leaked secrets (API keys, private keys, service tokens) found in files can grant attackers direct access to cloud environments, databases, code repositories, and other critical infrastructure, potentially leading to widespread breaches or system manipulation.
  • Source Code Exposure: Stolen source code can reveal proprietary algorithms or further vulnerabilities.

API Access Methods

The NordStellar Dark Web API provides multiple ways to access malware infection information, including detected secrets:

Direct Lookups

  • Query for specific email addresses using the /email/{email-sha256}/malware-logs endpoint.
  • Query for specific phone numbers using the /phone/{phone-sha256}/malware-logs endpoint.
  • Get detailed malware log information, including the secret array containing detected secret types and values, using the /data-source/malware-log/{id} endpoint.

Bulk Operations

  • Check multiple email addresses in a single request using the /email/malware-logs (POST) endpoint.
  • Retrieve information about multiple malware logs using the /data-source/malware-log (POST) endpoint.

Specialized Queries

  • Search for credentials associated with specific URLs using the /data-source/malware-log/credentials/url/{credentials_url}/id endpoint.
  • Retrieve specific credential details using the /data-source/malware-log/{id}/credentials/url/{credentials_url} endpoint.

(Note: Secrets are returned as part of the main malware log data; a dedicated endpoint solely for secret lookups may not exist.)

Use Cases

Account Protection

  • Identify and lock down compromised user accounts based on stolen credentials.
  • Force password resets for affected services.
  • Invalidate stolen browser cookies to prevent session hijacking.

Infrastructure Security & Secret Management

  • Detect Exposed Secrets: Monitor malware logs for leaked API keys, tokens, or private keys related to your corporate infrastructure (e.g., AWS keys, GitHub tokens found on developer machines).
  • Rapid Revocation: Immediately revoke compromised secrets identified in malware logs to prevent unauthorized access.
  • Improve Secret Hygiene: Use findings as indicators of poor secret management practices (e.g., hardcoding secrets in source code found on infected devices).

Threat Intelligence

  • Gain insights into active malware campaigns targeting specific services or user groups.
  • Identify targeted organizations and the types of credentials or secrets attackers are harvesting.
  • Understand the capabilities and targets of different infostealer variants.

Incident Response

  • Determine the scope of a malware infection by identifying all affected accounts, services, and potentially exposed secrets.
  • Assess the potential damage from stolen credentials, cookies, and secrets.
  • Prioritize remediation based on the sensitivity of exposed data and secrets.

Corporate Security

  • Monitor for corporate credential and secret exposure from employee device infections.
  • Identify infected devices that may have access to corporate resources or codebases containing secrets.
  • Detect breached VPN, cloud service, internal system credentials, or API keys.
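As an added example that is not NordStellar client code, the Python below builds the hashed lookup path for the /email/{email-sha256}/malware-logs endpoint described under API Access Methods and turns one malware-log record into a prioritized remediation list along the lines of the Account Protection, Rapid Revocation and Incident Response use cases above. The record's field names, the corporate domain list, the severity grouping and the email normalization are this example's assumptions, not documented API behaviour.

```python
import hashlib
from datetime import datetime, timezone
from urllib.parse import urlparse

def email_lookup_path(email: str) -> str:
    """Path for the documented /email/{email-sha256}/malware-logs lookup. Trimming and
    lowercasing before hashing is this example's assumption; the page does not state it."""
    digest = hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()
    return f"/email/{digest}/malware-logs"

# Rule-ID prefixes treated as infrastructure-level secrets (revoke first). The grouping is
# this example's own, following the "Infrastructure Compromise" implication above.
INFRA_PREFIXES = ("aws-", "gcp-", "azure-", "vault-", "private-key", "github-", "gitlab-")
CORPORATE_DOMAINS = ("acme.example",)            # assumed corporate domains for the sample
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)  # fixed clock so the result is reproducible

def is_corporate(host: str, domains: tuple) -> bool:
    """Exact or subdomain match only, so 'notacme.example' does not count."""
    return any(host == d or host.endswith("." + d) for d in domains)

def secret_priority(rule_id: str) -> int:
    return 1 if rule_id.startswith(INFRA_PREFIXES) else 2

def triage(log: dict, domains: tuple, now: datetime) -> list:
    """Turn one malware-log record into (priority, action, target) tuples, lowest number
    first. The record's field names are assumed for this example."""
    actions = []
    for cred in log.get("credentials", []):
        host = urlparse(cred["url"]).hostname or ""
        prio = 1 if is_corporate(host, domains) else 2
        actions.append((prio, "force-password-reset", f"{cred['username']} @ {host}"))
    for cookie in log.get("cookies", []):
        live = datetime.fromisoformat(cookie["expiry"]) > now
        # An unexpired cookie lets its holder resume the session without the password,
        # bypassing MFA, so invalidating sessions ranks with the most urgent actions.
        actions.append((1, "invalidate-sessions", cookie["domain"]) if live
                       else (3, "cookie-expired-review", cookie["domain"]))
    for secret in log.get("secret", []):
        actions.append((secret_priority(secret["type"]), "revoke-secret", secret["type"]))
    actions.sort(key=lambda a: a[0])             # stable: equal priority keeps record order
    return actions

# Constructed record; values are placeholders and field names are assumed.
SAMPLE_LOG = {
    "id": "example-log-id",
    "credentials": [
        {"source": "Chrome", "url": "https://vpn.acme.example/login",
         "username": "j.doe@acme.example", "password": "<redacted>"},
        {"source": "Chrome", "url": "https://shop.example.org/signin",
         "username": "jdoe", "password": "<redacted>"},
    ],
    "cookies": [
        {"browser": "Chrome", "domain": ".mail.acme.example",
         "expiry": "2031-01-01T00:00:00+00:00", "value": "<redacted>"},
        {"browser": "Chrome", "domain": ".example.org",
         "expiry": "2020-01-01T00:00:00+00:00", "value": "<redacted>"},
    ],
    "secret": [
        {"type": "aws-access-token", "value": "AKIA****************"},
        {"type": "twitch-api-token", "value": "******************************"},
    ],
}

if __name__ == "__main__":
    print(email_lookup_path("j.doe@acme.example"))
    for prio, action, target in triage(SAMPLE_LOG, CORPORATE_DOMAINS, NOW):
        print(f"P{prio} {action:<22} {target}")
```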

By leveraging malware infection data, including the critical aspect of leaked secrets, through the NordStellar Dark Web API, organizations can rapidly respond to active threats, protect user accounts and infrastructure, and gain valuable intelligence about the evolving threat landscape.

NordStellar © 2026