Killings, Torturing, and Smuggling: How an Infostealer Exposed an ISIS Cell’s XMPP Network
ID: da5fac0d-dd03-59bb-b6d6-7a55c21b79c2
STIX ID: report--da5fac0d-dd03-59bb-b6d6-7a55c21b79c2
Feed Name: infostealers.com
A single infostealer infection on an endpoint in Lebanon (likely belonging to a local ISIS commander) exposed years of locally stored XMPP logs, identity documents, explosives synthesis manuals, and operational files. The recovered communications provide direct evidence of coordinated IED attacks with casualties, cross-border smuggling of weapons and components to Syria and Iraq, money transfers, recruitment and bay'ah processing, and sharia-sanctioned violence, enabling reconstruction of the cell’s organizational structure and supply chains.
