Stealer Fingerprints

June 9, 2026

Public catalog of malware-family fingerprints curated by CyStack threat intelligence. Each entry documents a stealer log family with its banner strings, field signatures, sanitized sample, and ready-to-use YARA rules.

Each row in the table below summarises the operator-rebrand footprint observed for that family: how many distinct variants we have fingerprints for, how many channels we have seen distributing it, and the highest attribution confidence observed (high = curated CTI confirmed, medium = community catalog hint, low = provisional best-guess, unknown = CyStack-discovered with no candidate, benign = false-positive labeling).

Families

Family | Variants | Channels | Top confidence
AMOS Stealer740medium
Acreed10high
Aetheris Stealer140high
Ailurophile11high
Antarctida Stealer10high
Arcane471high
AuraStealer20high
Blank Grabber190high
BracketSection Stealer30unknown
Bugatti Cloud60unknown
CSAdminCoresStealer10unknown
CSAntiSandboxStealer10unknown
CSAzureBuildStealer10unknown
CSBareUsernameAVStealer10unknown
CSBareVersionStealer11unknown
CSBestPrivateLoggerStealer10unknown
CSBinaryGarbageStealer11unknown
CSBitArchStealer10unknown
CSBrowersStealer40unknown
CSBuildBlockStealer11unknown
CSCountCoreStealer60unknown
CSCountRunsStealer11unknown
CSCrownBuildStealer10unknown
CSDaisyBonusProcSoftStealer11unknown
CSDaisyCloudStealer11low
CSDashPlusSepStealer11unknown
CSDashSectionStealer11low
CSDataCollectedStealer10unknown
CSEmojiCountStealer40unknown
CSEmojiInfoStealer10unknown
CSEnvVarDumpStealer11unknown
CSFacebookMarketStealer11unknown
CSFacebookProfileStealer11low
CSGADSPanelStealer80unknown
CSGeoSysInfoStealer11unknown
CSGoRuntimeStealer11unknown
CSHardwareTailStealer11low
CSInzExtStealer10unknown
CSLoaderReadyStealer11unknown
CSMSKDateStealer10unknown
CSMacBareGeoStealer10unknown
CSMacKeychainPassStealer10unknown
CSMacUserinfoStealer30unknown
CSMainLootStealer22low
CSMatchesFilterStealer10unknown
CSMrdUidStealer30unknown
CSNewLogStealer10unknown
CSNovyiLogStealer11unknown
CSOneGoStealer10unknown
CSOttomanPanelStealer11low
CSPcNameSnakeStealer11unknown
CSPyHostTimeStealer11unknown
CSRussia34Stealer11unknown
CSSigInfoStealer61low
CSSoftwareTailStealer11unknown
CSStatsSectionStealer10unknown
CSStealerCloudInfoStealer11low
CSStealerCloudUserInfoStealer11low
CSSystemSummaryStealer10unknown
CSTxtFilesPartStealer10unknown
CSUsersListStealer11unknown
CSWLFRCloudStealer11unknown
CSWmicDumpStealer10unknown
Category Stealer50unknown
CryptBot21high
Cthulhu Stealer260high
DCRat30high
DiskInfo Stealer10unknown
Lumma615high
MacSync41high
MeltStealer10high
Millenium RAT10-
Minimal Stealer10unknown
Nexus10medium
NotMalware55benign
PCInfo Stealer20unknown
PXA Stealer80high
Phantom Stealer31high
Phexia10high
PureLogs10high
PyInfo Stealer10unknown
RL Stealer21medium
RMS11high
Raccoon20high
Redline220high
RedlineLike Stealer720unknown
Remus Stealer21high
Rhadamanthys10high
SHub Stealer10high
SantaStealer11high
Snake Stealer30high
StealC440high
Stealerium11high
Vidar87220high
WhiteSnake50high
XFiles120high

Contributing

Found a new variant or correction? Open a pull request adding the fingerprint banner, field keys, and any reference URLs. Sample logs must be sanitized of victim data before submission.