
Inside the Mind of a Stealer Log Aggregator: An Interview with MoonCloud

Posted on: 4 August 2025 | Author: Foresiet

Introduction

In today’s threat landscape, the market for stealer logs—collections of credentials, browser data, and session cookies harvested through infostealers—continues to evolve. While many threat actors have come and gone, others have adapted and built significant operations around data resale, log aggregation, and credential-based exploitation.

We spoke directly with MoonCloud, one of the more active stealer log aggregators operating in 2025. Known for consistently sharing large credential dumps and combo lists, MoonCloud offered insight into the supply chain, pricing models, verification practices, and his vision within the cybercriminal economy.

What is an Infostealer?

An infostealer is a type of malware specifically designed to extract sensitive information from infected systems. Unlike ransomware or Trojans, infostealers operate silently and aim to exfiltrate valuable data, which is then sold or distributed on the dark web or Telegram.

How Infostealers Work

Infostealers usually infect victims through:

  • Malicious attachments or links in phishing emails
  • Cracked software and fake installers
  • Exploit kits delivered via drive-by downloads

Once executed, the stealer collects:

  • Saved browser credentials (Chrome, Firefox, Edge)
  • Session cookies and tokens (used to hijack accounts)
  • Desktop files, screenshots, and clipboard contents
  • Cryptocurrency wallets and 2FA backups

This data is exfiltrated to a Command & Control (C2) server, then either privately stored by threat actors or shared via Telegram aggregators like MoonCloud.

Infostealers

Below are some commonly used infostealer families observed in Telegram log channels:

Stealer Name | Origin | Features
RedLine | Russia | Widely used, targets browsers and crypto wallets
Raccoon | Russia/Ukraine | Known for user-friendly panels, fast harvesting
LummaC2 | Russia | Modular payloads, sells logs on monthly plans
Vidar | Europe | Stealth-focused, browser and FTP credential theft
MetaStealer | Unknown | Targets macOS users and corporate data

MoonCloud’s Role in the Infostealer Ecosystem

MoonCloud acts as a data broker in this ecosystem, bridging malware operators and cybercriminals looking to:

  • Buy valid credentials for phishing or fraud
  • Access corporate sessions without triggering MFA
  • Sell compromised business accounts on darknet forums

MoonCloud’s presence reinforces the Telegram-as-a-service trend, where cybercrime tools and their outcomes are distributed in semi-public channels without traditional forums or markets.

The Interview

Question 1: Can you briefly describe how you source the stealer logs you sell or share?

MoonCloud: “Go next.”

Figure 1: (Refused to answer this question.)

MoonCloud chose to skip this question, a common tactic when sources are sensitive or could compromise operational security. The avoidance itself suggests that log sourcing may involve gray or illicit acquisition routes, possibly including private malware panels, Telegram channels, or direct collaboration with botnet operators.

Question 2: What stealer malware do you mostly see being used right now?

MoonCloud:

“Now only Lumma is alive on the market. The other two you listed were seized by the authorities… The traffic and flow of logs have fallen very much and significantly fell in the market.”

Figure 2: Malware activity overview

LummaStealer appears to dominate after recent law enforcement actions took down rivals like RedLine and Raccoon. This reflects how stealer markets are sensitive to takedowns, and how centralized some operations have become around a few key tools.

Question 3: How often do you refresh your combos or logs? Are they mostly fresh, or mixed with older datasets?

MoonCloud:

“The logs are fresh. ULP-bases are both fresh and old (for private requests).”

Figure 3: Freshness of log supply

Fresh logs are emphasized for public buyers, while private buyers may get customized mixes. This tiered access system shows how log freshness correlates with market value, with premium clients often receiving higher-quality data.

Question 4: How do you organize your data? Are logs sorted by country, domain, or type (banking, crypto, etc.)?

MoonCloud:

“In general, when selling logs, we do not sort them. But the name of each log (each folder) indicates the geo at the beginning. Therefore, if someone needs to sort them, it will be a problem.”

Figure 4: Log structuring practices

Lack of structured indexing reveals a weakness in the underground’s data handling. Buyers are expected to parse logs manually, often using custom tooling — which adds friction but also deters law enforcement or non-technical actors.
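Questions 3 and 4 describe the raw material: ULP ("url:login:password") bases and per-victim folders whose names begin with the geo. The following is an added example, not code from the post or from MoonCloud, of the defensive triage a security team performs on such a dump: parse it (tolerating passwords that contain ':' and URLs with ports), count records per geo, and flag only the records that touch the organisation's own domains so those accounts can be reset and their sessions revoked. SAMPLE_LOGS, the folder naming and the example-corp.com domain are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample shaped like the material described in the interview:
# folders named geo-first, each holding ULP lines. All values are made up.
SAMPLE_LOGS = {
    "US[A1B2C3]_2025-07-30": [
        "https://mail.example-corp.com/owa:jdoe@example-corp.com:Summer:2025!",
        "https://www.paypal.com/signin:jdoe@gmail.com:hunter2",
    ],
    "IN[D4E5F6]_2025-07-31": [
        "https://vpn.example-corp.com:8443/login:asmith:Passw0rd",
        "android://abc123@com.shop.app/:someone:pw",
    ],
    "DE[778899]_2025-08-01": ["this line is not a ULP record"],
}

# url may carry a scheme, a port and a path; login has no ':'; password keeps any ':'
ULP_RE = re.compile(
    r"^(?P<url>(?:[a-z][a-z0-9+.-]*://)?[^:/\s]+(?::\d+)?(?:/[^:\s]*)?)"
    r":(?P<login>[^:]+):(?P<password>.*)$")
GEO_RE = re.compile(r"^([A-Z]{2})(?=[^A-Za-z]|$)")  # assumed "CC..." folder prefix

@dataclass
class Hit:
    geo: str; folder: str; host: str; login: str; masked_password: str

def geo_of(folder):
    m = GEO_RE.match(folder)
    return m.group(1) if m else "??"

def mask(secret):
    # Reports must never carry the plaintext password; keep first char and length.
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""

def host_matches(host, watched):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in watched)

def triage(logs, watched):
    """Return (hits touching watched domains, records per geo, unparsed line count)."""
    hits, per_geo, unparsed = [], Counter(), 0
    for folder, lines in logs.items():
        geo = geo_of(folder)
        for line in lines:
            m = ULP_RE.match(line.strip())
            if not m:
                unparsed += 1
                continue
            per_geo[geo] += 1
            url = m["url"] if "://" in m["url"] else "https://" + m["url"]
            host = urlsplit(url).hostname or ""
            login_domain = m["login"].rpartition("@")[2].lower()
            if host_matches(host, watched) or login_domain in watched:
                hits.append(Hit(geo, folder, host, m["login"], mask(m["password"])))
    return hits, per_geo, unparsed

if __name__ == "__main__":
    found, counts, bad = triage(SAMPLE_LOGS, {"example-corp.com"})
    print(dict(counts), "unparsed:", bad)
    for h in found:
        print(h)
```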

Question 5: How is pricing decided in your market? Do logs from certain countries or platforms cost more?

MoonCloud:

“Usually EU and US logs are more expensive than Asian ones. Such as India, Pakistan and other Asian countries are worth almost nothing.”

Figure 5: Regional price tiers

This reflects market bias based on spending power and breach impact. Logs from high-GDP countries are more valuable due to their potential for financial exploitation, while accounts from lower-income regions are often underpriced or discarded entirely.

Question 6: Do you check the quality or validity of logs before sharing or selling them? If yes, how do you verify them?

MoonCloud:

“In general we do not take anything from the logs we sell. Sometimes there may be test checks of logs. This is done through special checkers. Such as Paranoid Checker or Simple Checker.”

Figure 6: Log validation tools

Verification tools like Paranoid and Simple Checker are commonly used to validate credentials before resale. While not always applied, these checks are critical to avoid reputation damage from low-quality dumps, especially in private deals.

Question 7: What platforms or services appear most frequently in your logs (e.g. PayPal, Binance, Office365)?

MoonCloud:

“All.”

(A minimal but expected answer, suggesting that logs touch a wide variety of services from financial to SaaS.)

Figure 7: Targeted platforms

Though vague, this reflects the broad infection landscape of stealers — from finance (PayPal, Binance) to cloud platforms (Google, Microsoft), every credential type is harvested indiscriminately, depending on the infected user’s browsing behavior.

Question 8: How do you see your role in the underground ecosystem — just a supplier, or more than that?

MoonCloud:

“So far, our channel is positioned as one of the large log aggregators. But I would like something more.”

Figure 8: Self-assessed role in ecosystem

MoonCloud hints at ambitions beyond simple resale, possibly aiming to become a broker, panel operator, or malware dev. This shows how some actors treat the stealer economy as a long-term enterprise, not a side hustle.

Question 9: What drives you to keep doing this — financial gain, reputation, challenge, or something else?

MoonCloud:

“Initially, it was a financial benefit, then we realized that people like our material, they get paid from it and we are pleased with it. We are pleased that they leave feedback to us and stay with us for several years. We have something to strive for.”

Figure 9: Operator motivation

This answer mixes ego, community, and profit — revealing the emotional reward in cybercrime culture. Long-term recognition, not just money, appears to sustain MoonCloud’s presence in the log ecosystem.

Question 10: Do you think Telegram will remain the main channel for stealer log trade, or will things move to private forums or new platforms?

MoonCloud:

“It’s hard to say, to be honest, I wouldn’t want to go somewhere, but most likely I’ll have to do it. It’s a matter of time. Judging by the recent actions of Telegram.”

Figure 10: Future of stealer log distribution

Concerns about Telegram’s future show a growing anxiety in the underground. If channels begin disappearing or are reported more aggressively, migration to private forums or decentralized messaging platforms is likely.

Closing Thoughts

This interview provides a small but sharp window into how data from malware-based credential theft is managed, packaged, and monetized. MoonCloud’s responses suggest that despite widespread disruption efforts, the stealer log market remains active—particularly through actors who focus on aggregation and resale.

As stealer malware evolves and enforcement tightens, operations like MoonCloud will likely adapt and continue supplying credential-based access to a global black market of buyers.
