In underground marketplaces, an endpoint log refers to a bundle of stolen data—typically including usernames, passwords, session cookies, and sometimes browser history or autofill data—harvested from a victim’s device infected with stealer malware. These logs are packaged and sold for as little as $10, enabling threat actors to bypass authentication mechanisms, hijack sessions, or even launch secondary attacks like ransomware.

Bitsight monitors underground markets and Telegram channels where endpoint logs are traded. In 2024, Bitsight identified 7.7 million logs listed for sale, up from 6.8 million in 2023. Using Bitsight AI, the team classified logs by geography, volume, and associated stealer malware, removing duplicates and identifying dominant trends such as the replacement of Raccoon Stealer with newer malware like Lumma and Risepro.

Endpoint logs provide direct evidence of user-level compromise that may not trigger traditional alerts. For SOC teams, this data offers early warning signs of credential theft, particularly in scenarios where multi-factor authentication can be bypassed using cookies or tokens. For CISOs and GRC teams, log volume and geography help contextualize organizational or sectoral exposure, informing security controls and risk communications.

Understanding where endpoint logs originate and what credentials are at risk enables organizations to better prioritize identity management, credential hygiene, and session security. Bitsight integrates this intelligence into its Cyber Threat Intelligence and Exposure Management solutions, enabling teams to monitor underground chatter for mentions of their assets and take preemptive action if compromised credentials are circulating.