AI Infection Analysis (NEW)

Infection Analysis API Guide

Endpoint: POST /search-by-stealer/infection-analysis
Required Permissions: infection-analysis

The search-by-stealer/infection-analysis endpoint provides a detailed, AI-generated forensic analysis of how a specific identity was compromised. This is particularly useful for incident responders, threat hunters, and analysts who need to trace infection chains and identify malicious entry points.

Works only when the identity has a rich browsing/download history from the infostealer log, especially among Lumma infostealers.
Purpose
This endpoint analyzes browsing behavior and download history (from infostealer logs) to determine:
- The most likely URL responsible for the compromise
- A confidence score for that determination
- A timeline of suspicious activity
- A natural-language summary of the infection path
Request Format

```bash
curl --location 'https://api.hudsonrock.com/json/v3/search-by-stealer/infection-analysis' \
  --header 'accept: application/json' \
  --header 'api-key: <API_KEY>' \
  --header 'content-type: application/json' \
  --data '{"stealer": "[IN]175.101.37.65"}'
```
Example Response

```json
{
  "data": {
    "likely_infection_url": "https://www.mediafire.com/file_premium/psx65h6kf34z9lr/Adobe.Premiere.Pro.2025.v28.3.1.rar/file",
    "infection_confidence": 0.95,
    "infection_reasoning": "The download of a cracked version of Adobe Premiere Pro from MediaFire, a file hosting service, is likely the source of the infostealer infection. The context of attempting to download and crack Adobe software is a common vector for malware infection.",
    "infection_flow": [
      {
        "timestamp": "2025-05-06T10:17:30.000Z",
        "url": "https://www.youtube.com/watch?v=H7MolYXxKog",
        "notes": "Watched a video on how to activate Adobe Premiere Pro for free."
      },
      {
        "timestamp": "2025-05-06T10:15:09.000Z",
        "url": "https://www.mediafire.com/file_premium/psx65h6kf34z9lr/Adobe.Premiere.Pro.2025.v28.3.1.rar/file",
        "notes": "Downloaded a file named 'Adobe.Premiere.Pro.2025.v28.3.1.rar' which is likely malicious."
      },
      {
        "timestamp": "2025-05-06T10:15:00.000Z",
        "url": "https://www.mediafire.com/folder/nupzd33tzw4ht/M4",
        "notes": "Redirect from a YouTube video to a MediaFire folder."
      },
      {
        "timestamp": "2025-05-06T10:13:36.000Z",
        "url": "https://www.youtube.com/watch?v=oFLk7c-O8fU",
        "notes": "Watched a YouTube video about downloading Adobe Premiere Pro for free."
      }
    ],
    "analyst_summary": "The user downloaded a potentially malicious RAR file from MediaFire after following instructions from YouTube videos promoting free cracked software."
  }
}
```

Note that the entries in infection_flow are listed newest-first in this example; consumers that want a chronological timeline should sort on timestamp rather than relying on array order.
Field Descriptions

Field | Type | Description |
---|---|---|
likely_infection_url | string (URL) | The most probable source of infection. |
infection_confidence | float (0-1) | Confidence level in the AI's determination of the infection source. |
infection_reasoning | string | Rationale behind the confidence and infection vector. |
infection_flow | array<object> | Timeline of URLs visited around the infection window. |
analyst_summary | string | A human-readable explanation of the infection incident. |
Use Cases
- SOC teams: Automate enrichment of compromised identity reports.
- IR analysts: Quickly assess how the compromise occurred to take preventive measures.
- Malware researchers: Understand stealer delivery mechanisms and top infection vectors.
- Threat intelligence feeds: Tag domains or URLs with higher confidence based on AI analysis.
Notes

- Requires the infection-analysis permission.
- Works best when the identity has a rich browsing/download history from the infostealer log, especially Lumma infostealers.
- Confidence scores below 0.5 should be treated with caution.
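The following is an added example of how a SOC enrichment job might call this endpoint and post-process the response; it is not Hudson Rock's own client code. It assumes only the request and response shapes documented above: the POST body, the three headers, and the five fields in the data object. The sample response embedded in the block is a constructed copy of the page's example (with the notes shortened), and the 0.5 caution threshold is the one stated in the Notes. The network call uses the standard library so nothing beyond Python itself is needed; the offline part (validation, chronological sorting of infection_flow, domain extraction for TI tagging, and the low-confidence flag) is what runs stand-alone.

```python
"""Client helper and response post-processing for the infection-analysis
endpoint. Added example, not the vendor's own code; assumes the documented
request/response shapes only."""
import json
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlparse

API_URL = "https://api.hudsonrock.com/json/v3/search-by-stealer/infection-analysis"
CAUTION_THRESHOLD = 0.5  # per the page's notes: scores below this deserve caution
REQUIRED_FIELDS = ("likely_infection_url", "infection_confidence",
                   "infection_reasoning", "infection_flow", "analyst_summary")


def fetch_infection_analysis(api_key: str, stealer: str, timeout: int = 30) -> dict:
    """POST {"stealer": ...} with the documented headers and return the parsed body.
    This is a real network call and is not exercised by the offline sample below."""
    req = urllib.request.Request(
        API_URL,
        data=json.dumps({"stealer": stealer}).encode("utf-8"),
        method="POST",
        headers={"accept": "application/json",
                 "api-key": api_key,
                 "content-type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _parse_ts(ts: str) -> datetime:
    # Timestamps are ISO-8601 with a trailing "Z"; older Pythons reject the "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def summarize(response: dict) -> dict:
    """Reduce a response to what an enrichment pipeline actually consumes."""
    data = response["data"]
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"response missing fields: {missing}")
    confidence = float(data["infection_confidence"])
    # The documented example lists the flow newest-first; sort oldest-first.
    flow = sorted(data["infection_flow"], key=lambda s: _parse_ts(s["timestamp"]))
    domains = []  # unique hostnames in order of first appearance, for TI tagging
    for step in flow:
        host = urlparse(step["url"]).hostname
        if host and host not in domains:
            domains.append(host)
    return {
        "likely_infection_url": data["likely_infection_url"],
        "infection_domain": urlparse(data["likely_infection_url"]).hostname,
        "confidence": confidence,
        "low_confidence": confidence < CAUTION_THRESHOLD,
        "first_seen": flow[0]["timestamp"] if flow else None,
        "last_seen": flow[-1]["timestamp"] if flow else None,
        "flow": [(s["timestamp"], s["url"]) for s in flow],
        "flow_domains": domains,
        "analyst_summary": data["analyst_summary"],
    }


# Constructed sample: the page's example response with the notes shortened.
SAMPLE_RESPONSE = {
    "data": {
        "likely_infection_url": "https://www.mediafire.com/file_premium/psx65h6kf34z9lr/Adobe.Premiere.Pro.2025.v28.3.1.rar/file",
        "infection_confidence": 0.95,
        "infection_reasoning": "Cracked Adobe download from a file host is the likely source.",
        "infection_flow": [
            {"timestamp": "2025-05-06T10:17:30.000Z",
             "url": "https://www.youtube.com/watch?v=H7MolYXxKog",
             "notes": "Activation video."},
            {"timestamp": "2025-05-06T10:15:09.000Z",
             "url": "https://www.mediafire.com/file_premium/psx65h6kf34z9lr/Adobe.Premiere.Pro.2025.v28.3.1.rar/file",
             "notes": "RAR download."},
            {"timestamp": "2025-05-06T10:15:00.000Z",
             "url": "https://www.mediafire.com/folder/nupzd33tzw4ht/M4",
             "notes": "Redirect to MediaFire folder."},
            {"timestamp": "2025-05-06T10:13:36.000Z",
             "url": "https://www.youtube.com/watch?v=oFLk7c-O8fU",
             "notes": "Download video."},
        ],
        "analyst_summary": "RAR file downloaded after following cracked-software videos.",
    }
}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
```

In a real job you would replace SAMPLE_RESPONSE with the return value of fetch_infection_analysis(api_key, "[IN]175.101.37.65"); the summarize step is where the 0.5 caution rule is applied so that low-confidence results are routed to an analyst queue rather than auto-tagged.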