cystack/stealer-fingerprints

Stealer Fingerprints

Public catalog of malware-family fingerprints curated by CyStack threat intelligence. Each entry documents a stealer log family with its banner strings, field signatures, sanitized sample, and ready-to-use YARA rules.

Each row in the table below summarises the operator-rebrand footprint observed for that family: how many distinct variants we have fingerprints for, how many distribution channels we have seen carrying it, and the highest attribution confidence observed (high = curated CTI confirmed, medium = community catalog hint, low = provisional best-guess, unknown = CyStack-discovered with no candidate, benign = false-positive labeling).

Families

Family Variants Channels Top confidence
AMOS Stealer 74 0 medium
Acreed 1 0 high
Aetheris Stealer 14 0 high
Ailurophile 1 1 high
Antarctida Stealer 1 0 high
Arcane 47 1 high
AuraStealer 2 0 high
Blank Grabber 19 0 high
BracketSection Stealer 3 0 unknown
Bugatti Cloud 6 0 unknown
CSAdminCoresStealer 1 0 unknown
CSAntiSandboxStealer 1 0 unknown
CSAzureBuildStealer 1 0 unknown
CSBareUsernameAVStealer 1 0 unknown
CSBareVersionStealer 1 1 unknown
CSBestPrivateLoggerStealer 1 0 unknown
CSBinaryGarbageStealer 1 1 unknown
CSBitArchStealer 1 0 unknown
CSBrowersStealer 4 0 unknown
CSBuildBlockStealer 1 1 unknown
CSCountCoreStealer 6 0 unknown
CSCountRunsStealer 1 1 unknown
CSCrownBuildStealer 1 0 unknown
CSDaisyBonusProcSoftStealer 1 1 unknown
CSDaisyCloudStealer 1 1 low
CSDashPlusSepStealer 1 1 unknown
CSDashSectionStealer 1 1 low
CSDataCollectedStealer 1 0 unknown
CSEmojiCountStealer 4 0 unknown
CSEmojiInfoStealer 1 0 unknown
CSEnvVarDumpStealer 1 1 unknown
CSFacebookMarketStealer 1 1 unknown
CSFacebookProfileStealer 1 1 low
CSGADSPanelStealer 8 0 unknown
CSGeoSysInfoStealer 1 1 unknown
CSGoRuntimeStealer 1 1 unknown
CSHardwareTailStealer 1 1 low
CSInzExtStealer 1 0 unknown
CSLoaderReadyStealer 1 1 unknown
CSMSKDateStealer 1 0 unknown
CSMacBareGeoStealer 1 0 unknown
CSMacKeychainPassStealer 1 0 unknown
CSMacUserinfoStealer 3 0 unknown
CSMainLootStealer 2 2 low
CSMatchesFilterStealer 1 0 unknown
CSMrdUidStealer 3 0 unknown
CSNewLogStealer 1 0 unknown
CSNovyiLogStealer 1 1 unknown
CSOneGoStealer 1 0 unknown
CSOttomanPanelStealer 1 1 low
CSPcNameSnakeStealer 1 1 unknown
CSPyHostTimeStealer 1 1 unknown
CSRussia34Stealer 1 1 unknown
CSSigInfoStealer 6 1 low
CSSoftwareTailStealer 1 1 unknown
CSStatsSectionStealer 1 0 unknown
CSStealerCloudInfoStealer 1 1 low
CSStealerCloudUserInfoStealer 1 1 low
CSSystemSummaryStealer 1 0 unknown
CSTxtFilesPartStealer 1 0 unknown
CSUsersListStealer 1 1 unknown
CSWLFRCloudStealer 1 1 unknown
CSWmicDumpStealer 1 0 unknown
Category Stealer 5 0 unknown
CryptBot 2 1 high
Cthulhu Stealer 26 0 high
DCRat 3 0 high
DiskInfo Stealer 1 0 unknown
Lumma 61 5 high
MacSync 4 1 high
MeltStealer 1 0 high
Millenium RAT 1 0 -
Minimal Stealer 1 0 unknown
Nexus 1 0 medium
NotMalware 5 5 benign
PCInfo Stealer 2 0 unknown
PXA Stealer 8 0 high
Phantom Stealer 3 1 high
Phexia 1 0 high
PureLogs 1 0 high
PyInfo Stealer 1 0 unknown
RL Stealer 2 1 medium
RMS 1 1 high
Raccoon 2 0 high
Redline 22 0 high
RedlineLike Stealer 72 0 unknown
Remus Stealer 2 1 high
Rhadamanthys 1 0 high
SHub Stealer 1 0 high
SantaStealer 1 1 high
Snake Stealer 3 0 high
StealC 44 0 high
Stealerium 1 1 high
Vidar 8722 0 high
WhiteSnake 5 0 high
XFiles 12 0 high

Contributing

Found a new variant or correction? Open a pull request adding the fingerprint banner, field keys, and any reference URLs. Sample logs must be sanitized of victim data before submission.

About

Public catalog of stealer log fingerprints. Banner strings, field signatures, sanitized samples, and YARA rules for 30+ malware families including RedLine, Vidar, Lumma, StealC, and Rhadamanthys. For incident response, detection engineering, and threat intelligence research.
