Hunter has added additional capabilities across three areas: live Telegram channel monitoring integrated directly into the investigation workflow, richer infostealer package analysis including browser history and session cookies, and a new threat actor identification engine that surfaces criminal profiles from fresh infostealer data.
Investigations move at the speed of the adversary. The channels, tools, and tactics that threat actors use to communicate, share stolen data, and coordinate attacks have shifted significantly toward Telegram, and the infostealer packages circulating in those channels now contain far more actionable intelligence than raw credential lists. Constella Hunter has been updated to reflect that reality.
These updates are live in production. Here is what is new, what it enables, and how to use it in investigations.
1. Live Telegram Intelligence, Integrated into Hunter Search
Telegram has become the central infrastructure of the criminal economy. Threat actors use it to share compromised credentials, trade stolen credit card data, coordinate attacks, post CVE exploit announcements, publish ransomware victim disclosures, and organize communities around every type of criminal activity. The volume and velocity of intelligence available in Telegram channels have made it an essential source for any serious investigation or threat monitoring program.
Constella now monitors tens of thousands of channels in real time, covering both public and private channels. The monitoring infrastructure is fully automated, continuously ingesting messages, files, and attachments as they are published, all searchable directly inside Hunter.
What This Means for Investigations
- Search across Telegram in any language or script. Hunter’s Telegram integration supports searches in Cyrillic, Arabic, Chinese, Japanese, and any other alphabet or script without distinction. An investigator searching for a term in Arabic or a username in Cyrillic will retrieve matching Telegram posts directly.
- View post details including author, timestamp, and raw content. Clicking into a result surfaces full post detail: who published it, when, the channel URL, and the original message content pulled directly from Telegram. For posts published within the last few minutes, that data is available in Hunter immediately.
- Autonomous channel discovery. Hunter applies an AI-agentic Telegram technology capable of autonomously exploring and navigating the Telegram ecosystem. New channels relevant to infostealer data, ransomware activity, PII sharing, and threat actor coordination are discovered and added to monitoring continuously.
Use Cases This Unlocks
- Real-time ransomware group monitoring: every major ransomware group maintains a Telegram channel. Hunter can now surface victim disclosures and attack announcements as they are posted.
- CVE and vulnerability tracking: bots on Telegram post newly disclosed vulnerabilities affecting specific software. Security teams can now search Hunter for software they operate and detect active exploit discussion in real time.
- Geopolitical and physical threat monitoring: channels focused on specific regions post alerts about drone activity, physical incidents, and conflict developments. Hunter can now surface this intelligence for organizations monitoring physical risk in specific geographies.
- Criminal forum intelligence: channels that operate as aggregators of breach data, market activity, and underground forum content are now searchable through a single interface.
- Attack preparation detection: channels where threat actors discuss targeting, tooling, and preparation are monitored and searchable.
2. Deeper Infostealer Package Analysis
Hunter has always surfaced credentials from infostealer infections. The platform now goes significantly further, exposing the full richness of what infostealer packages contain and enabling more comprehensive analysis of each infection.
Infostealer Package Overview Dashboard
When an infostealer package is retrieved, Hunter now surfaces a structured overview of the compromised device rather than just a credential list. This includes:
- File and folder counts from the infected device
- Credential summary with total count and password pattern visualization for identifying reuse
- Cookie inventory with classification by type (analytics, authentication, security)
- Credit card data extracted in plaintext including card number, cardholder name, expiration date, and CVV where present
- Cryptocurrency wallet files identified within the package
- Software configuration files from installed applications
The overview enables immediate triage: an analyst can assess the scope of a compromise at a glance before drilling into specific data types.
Password Pattern Analysis
The credential view now surfaces password reuse patterns across the infected device. Because infostealers harvest all credentials stored in the browser regardless of which service they belong to, a single package often contains corporate and personal credentials for the same individual. The pattern view makes reuse immediately visible, including common variations such as base passwords with sequential numbers, seasonal patterns, or capitalization changes that predictable rotation policies produce.
This matters for investigations: a threat actor who knows that an organization enforces monthly password changes can predict likely current passwords from a historical infostealer package. This exact technique was used in at least one documented killware attack.
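The reuse and rotation patterns described above can be surfaced from a credential list with a small clustering routine, so that a response team resets every account in a cluster, not only the one observed. This is an added illustration, not Hunter's code; the credential tuples are constructed sample data and the field layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: (domain, username, password) as they might be listed in
# one infostealer package. The layout is hypothetical; real logs vary by family.
SAMPLE_CREDENTIALS = [
    ("vpn.example-corp.test", "j.doe", "Winter2023!"),
    ("mail.example-corp.test", "j.doe", "Spring2024!"),
    ("shop.example.test", "jdoe88", "spring2024"),
    ("bank.example.test", "jdoe88", "Tr0ub4dor&3"),
    ("social.example.test", "jdoe", "Sunshine1"),
    ("forum.example.test", "jdoe", "Sunshine2"),
]

SEASON_RE = re.compile(r"(spring|summer|autumn|fall|winter)(20\d{2})", re.I)
TRAILING_RE = re.compile(r"[\W\d_]+$")  # trailing digits / symbols


def base_pattern(password: str) -> str:
    """Reduce a password to the root an analyst would call 'the same password':
    case-folded, season+year collapsed to a token, trailing digits/symbols dropped."""
    root = SEASON_RE.sub("seasonyear", password.lower())
    return TRAILING_RE.sub("", root)


def variation_kind(a: str, b: str) -> str:
    """Name the kind of predictable variation between two passwords."""
    if a == b:
        return "identical"
    if a.lower() == b.lower():
        return "case-only"
    if SEASON_RE.search(a) and SEASON_RE.search(b):
        return "seasonal rotation"
    if TRAILING_RE.sub("", a) == TRAILING_RE.sub("", b):
        return "suffix rotation"
    return "other"


def cluster_reuse(creds):
    """Group credentials by base pattern and return clusters of size > 1 with the
    affected domains and the variation types seen, i.e. the accounts to reset together."""
    groups = defaultdict(list)
    for domain, _user, pw in creds:
        groups[base_pattern(pw)].append((domain, pw))
    report = {}
    for root, members in groups.items():
        if len(members) < 2:
            continue
        kinds = {variation_kind(members[0][1], pw) for _, pw in members[1:]}
        report[root] = {"domains": [d for d, _ in members], "variation": sorted(kinds)}
    return report
```

In the sample, the seasonal cluster spans both corporate and personal domains, which is exactly the cross-over the credential view is meant to expose.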
Browser History Analysis
Hunter now indexes and displays the browser history from compromised devices where the infostealer family includes it. Browser history reveals:
- Hidden infrastructure. Developers and administrators often access internal systems through IP addresses or ports not publicly associated with their employer. Browser history exposes those connections, giving threat actors a map of internal infrastructure that is invisible in any other data source.
- Account presence on illicit platforms. Even when a credential for a criminal forum or dark market is not saved in the browser, a cookie or browser history entry confirms that the device reached that site. This is critical for law enforcement investigations where proving presence on a platform is an evidentiary requirement.
- Cloud storage links. Employees frequently upload documents to personal Google Drive or Mega accounts. Browser history can expose those links, which may be accessible without authentication, revealing confidential organizational data stored outside any corporate control.
- Chronological action chains. Browser history is typically timestamped and ordered, enabling investigators to reconstruct a sequence of actions taken by the device user before, during, and after an infection.
Cookie Intelligence
The cookie data within infostealer packages is now more richly analyzed and explained. Key points for investigation use:
- Active authentication cookies can be replayed to access accounts without triggering a login event or MFA challenge. For law enforcement, this enables operational access to monitored accounts. For enterprise security teams, it means session invalidation is as important as password rotation when an employee is affected by an infostealer infection.
- Cookie type classification now distinguishes authentication and security cookies from analytics and advertising cookies, enabling investigators to quickly identify which cookies carry access risk.
- Services like Azure and Steam implement additional controls beyond standard session cookies. Hunter’s analysis now flags these so investigators understand when cookie replay alone may be insufficient for operational purposes.
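To act on the cookie points above, an enterprise responder needs to know which cookies in a package are authentication cookies that are still inside their validity window, because those sessions survive a password reset and must be revoked server-side. The following is an added example, not Hunter's implementation: it parses the Netscape cookies.txt layout that many stealer dumps use, classifies cookies by name heuristics (the marker lists are an assumption), and lists the live authentication sessions. The cookie lines are constructed.

```python
import time

# Constructed sample in Netscape cookies.txt layout: domain, include-subdomains,
# path, secure, expiry epoch (0 = browser-session cookie), name, value.
SAMPLE_COOKIES = """\
.example-corp.test\tTRUE\t/\tTRUE\t1893456000\t__Host-session\tREDACTED
.example-corp.test\tTRUE\t/\tTRUE\t1600000000\tsessionid\tREDACTED
.example-corp.test\tTRUE\t/\tTRUE\t0\tauth_token\tREDACTED
.analytics.example.test\tTRUE\t/\tFALSE\t1893456000\t_ga\tGA1.2.1
.login.example.test\tTRUE\t/\tTRUE\t1893456000\tcsrftoken\tREDACTED
.ads.example.test\tTRUE\t/\tFALSE\t1893456000\tIDE\tAAA
"""

# Heuristic name markers (assumed for this example); order matters below.
SECURITY_MARKERS = ("csrf", "xsrf", "antiforgery")
AUTH_MARKERS = ("session", "sess", "auth", "token", "sid", "login", "__host-", "__secure-")
ANALYTICS_MARKERS = ("_ga", "_gid", "_fbp", "ide", "utm")


def classify(name: str) -> str:
    n = name.lower()
    if any(m in n for m in SECURITY_MARKERS):
        return "security"
    if any(m in n for m in AUTH_MARKERS):
        return "authentication"
    if any(m in n for m in ANALYTICS_MARKERS):
        return "analytics/advertising"
    return "unknown"


def parse_netscape(text: str):
    """Parse cookies.txt lines into dicts; malformed or comment lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if not line or line.startswith("#") or len(parts) != 7:
            continue
        domain, _sub, _path, secure, expiry, name, _value = parts
        rows.append({"domain": domain, "name": name, "secure": secure == "TRUE",
                     "expires": int(expiry), "type": classify(name)})
    return rows


def sessions_to_invalidate(text: str, now_ts=None):
    """Authentication cookies that are unexpired (or session-scoped, expiry 0):
    the sessions an IR team must revoke, since a password reset alone leaves them valid."""
    now_ts = int(time.time()) if now_ts is None else now_ts
    return [c for c in parse_netscape(text)
            if c["type"] == "authentication" and (c["expires"] == 0 or c["expires"] > now_ts)]
```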
System Information File Enrichment
Infostealer packages typically include a system information file describing the infected device: operating system version, hardware identifiers, machine name, IP address, and infection date. The accuracy and format of this file vary by malware family.
Hunter is now reprocessing historical data to improve infection date accuracy. Previously, some records used the file creation date from the threat actor’s packaging rather than the actual infection event. The system now identifies and uses the actual infection timestamp from the system information file where available, providing more accurate intelligence about when a device was compromised.
Additionally, Hunter is actively building out family detection: using the format, field names, and structure of system information files to identify which infostealer family produced the package. Current coverage includes Lumma, RedLine, Raccoon, Vidar, and other common families.
3. Threat Actor Identification and Profiling
Constella has developed an advanced system capable of identifying potential threat actors in real time. By analyzing digital activity, the platform autonomously profiles individuals based on evidence gathered from their own actions, providing a sophisticated new capability for proactive security monitoring.
How It Works
Constella has developed a sophisticated AI model capable of identifying potential threat actors with high precision. In just the last couple of months, this system has successfully detected more than 6,000 individuals engaged in malicious activity, providing a powerful new layer of proactive intelligence.
Threat Actor Profiles
Each identified threat actor receives a profile that includes:
- Country of origin. Determined by analyzing threat actor behaviors and the full scope of their activity rather than relying on IP geolocation, which is easily circumvented by VPN use.
- TTPs (Tactics, Techniques, and Procedures). A structured view of how the threat actor operates, including criminal activity classification and the types of platforms, tools, and markets they engage with.
- Malicious site activity. A ranked list of the criminal sites, forums, and markets the individual accessed, enabling investigators to understand their operational focus and connections.
- Tool and technology profile. Which AI tools, cracking utilities, and security tools appear in their environment, providing additional TTP signal for attribution and classification.
- Associated infrastructure. IP addresses linked to the threat actor that may represent command and control infrastructure, criminal hosting, or locations not yet reported as malicious by the broader intelligence community.
Threat Actor Map
Hunter now includes a geographic visualization of identified threat actors, plotted by inferred country of origin. Investigators can select a country, view the threat actors identified there, drill into individual profiles, and export or pivot to further investigation from any data point.
Threat Actor Intelligence Search
A dedicated search interface allows investigators to query across the indexed data from identified threat actors: searching credentials, financial data, and system information from this subset. This enables targeted queries such as finding all threat actors who used a specific file-sharing service, visited a specific forum, or possess credentials for a specific platform.
Why This Matters
Major threat intelligence companies, including some of the largest in the industry, maintain catalogs of a few hundred to under a thousand named threat actor profiles, focused primarily on APT groups and nation-state actors. Hunter has identified more than 6,000 potential threat actors. These are the lower-tier criminals who supply data, tools, and access to more sophisticated actors, and who until now have been largely invisible to the threat intelligence industry.
The IP addresses and infrastructure associated with these individuals often go unreported in existing threat intelligence feeds. Constella has verified in multiple cases that malicious IP addresses surfaced through this capability were not flagged as malicious in the community.
See These Features in Action
Hunter’s Telegram intelligence, infostealer analysis, and threat actor identification capabilities are live in production. To see a demo tailored to your investigation use case, contact us at constella.ai/request-a-demo/