{"id":50314350,"url":"https://github.com/cystack/stealer-fingerprints","last_synced_at":"2026-06-14T14:01:15.669Z","repository":{"id":356290571,"uuid":"1231682626","full_name":"cystack/stealer-fingerprints","owner":"cystack","description":"Public catalog of stealer log fingerprints. Banner strings, field signatures, sanitized samples, and YARA rules for 30+ malware families including RedLine, Vidar, Lumma, StealC, and Rhadamanthys. For incident response, detection engineering, and threat intelligence research.","archived":false,"fork":false,"pushed_at":"2026-06-08T18:22:13.000Z","size":8511,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-08T20:15:14.711Z","etag":null,"topics":["cti","cybersecurity","incident-response","info-steal","infostealers","ioc","lumma-stealer","malware-analysis","malware-detection","malware-samples","mitre-attack","redline","rhadamanthys","security-research","stealer-log-parser","threat-intelligence","vidar-stealer","yara","yara-rules"],"latest_commit_sha":null,"homepage":"https://cystack.net/data-leak-detection","language":"YARA","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cystack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-07T07:27:02.000Z","updated_at":"2026-06-08T18:22:19.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/cystack/stealer-fingerprints","commit_stats":null,"previous_names":["cystack/stealer-fingerprints"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/cystack/stealer-fingerprints","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cystack%2Fstealer-fingerprints","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cystack%2Fstealer-fingerprints/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cystack%2Fstealer-fingerprints/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cystack%2Fstealer-fingerprints/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cystack","download_url":"https://codeload.github.com/cystack/stealer-fingerprints/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cystack%2Fstealer-fingerprints/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34323994,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-14T02:00:07.365Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cti","cybersecurity","incident-response","info-steal","infostealers","ioc","lumma-stealer","malware-analysis","malware-detection","malware-samples","mitre-attack","redline","rhadamanthys","security-research","stealer-log-parser","threat-intelligence","vidar-stealer","yara","yara-rules"],"created_at":"2026-05-28T23:00:27.757Z","updated_at":"2026-06-14T14:01:15.656Z","avatar_url":"https://github.com/cystack.png","language":"YARA","funding_links":[],"categories":["Rules"],"sub_categories":[],"readme":"# Stealer Fingerprints\n\nPublic catalog of malware-family fingerprints curated by CyStack threat intelligence. Each entry documents a stealer log family with its banner strings, field signatures, sanitized sample, and ready-to-use YARA rules.\n\nEach row in the table below summarises the operator-rebrand footprint observed for that family: how many distinct variants we have fingerprints for, how many distribution channels we have seen distributing it, and the highest attribution confidence observed (`high` = curated CTI confirmed, `medium` = community catalog hint, `low` = provisional best-guess, `unknown` = CyStack-discovered with no candidate, `benign` = false-positive labeling).\n\n## Families\n\n| Family | Variants | Channels | Top confidence |\n|---|---|---|---|\n| [`AMOS Stealer`](families/amos_stealer/) | 74 | 0 | `medium` |\n| [`Acreed`](families/acreed/) | 1 | 0 | `high` |\n| [`Aetheris Stealer`](families/aetheris_stealer/) | 14 | 0 | `high` |\n| [`Ailurophile`](families/ailurophile/) | 1 | 1 | `high` |\n| [`Antarctida Stealer`](families/antarctida_stealer/) | 1 | 0 | `high` |\n| [`Arcane`](families/arcane/) | 47 | 1 | `high` |\n| [`AuraStealer`](families/aura_stealer/) | 2 | 0 | `high` |\n| [`Blank Grabber`](families/blank_grabber/) | 19 | 0 | `high` |\n| [`BracketSection Stealer`](families/bracket_section_stealer/) | 3 | 0 | `unknown` |\n| [`Bugatti Cloud`](families/bugatti_cloud/) | 6 | 0 | `unknown` |\n| [`CSAdminCoresStealer`](families/cs_admin_cores_stealer/) | 1 | 0 | `unknown` |\n| [`CSAntiSandboxStealer`](families/cs_anti_sandbox_stealer/) | 1 | 0 | `unknown` |\n| [`CSAzureBuildStealer`](families/cs_azure_build_stealer/) | 1 | 0 | `unknown` |\n| [`CSBareUsernameAVStealer`](families/cs_bare_username_av_stealer/) | 1 | 0 | `unknown` |\n| [`CSBareVersionStealer`](families/cs_bare_version_stealer/) | 1 | 1 | `unknown` |\n| [`CSBestPrivateLoggerStealer`](families/cs_best_private_logger_stealer/) | 1 | 0 | `unknown` |\n| [`CSBinaryGarbageStealer`](families/cs_binary_garbage_stealer/) | 1 | 1 | `unknown` |\n| [`CSBitArchStealer`](families/cs_bit_arch_stealer/) | 1 | 0 | `unknown` |\n| [`CSBrowersStealer`](families/cs_browers_stealer/) | 4 | 0 | `unknown` |\n| [`CSBuildBlockStealer`](families/cs_build_block_stealer/) | 1 | 1 | `unknown` |\n| [`CSCountCoreStealer`](families/cs_count_core_stealer/) | 6 | 0 | `unknown` |\n| [`CSCountRunsStealer`](families/cs_count_runs_stealer/) | 1 | 1 | `unknown` |\n| [`CSCrownBuildStealer`](families/cs_crown_build_stealer/) | 1 | 0 | `unknown` |\n| [`CSDaisyBonusProcSoftStealer`](families/cs_daisy_bonus_proc_soft_stealer/) | 1 | 1 | `unknown` |\n| [`CSDaisyCloudStealer`](families/cs_daisy_cloud_stealer/) | 1 | 1 | `low` |\n| [`CSDashPlusSepStealer`](families/cs_dash_plus_sep_stealer/) | 1 | 1 | `unknown` |\n| [`CSDashSectionStealer`](families/cs_dash_section_stealer/) | 1 | 1 | `low` |\n| [`CSDataCollectedStealer`](families/cs_data_collected_stealer/) | 1 | 0 | `unknown` |\n| [`CSEmojiCountStealer`](families/cs_emoji_count_stealer/) | 4 | 0 | `unknown` |\n| [`CSEmojiInfoStealer`](families/cs_emoji_info_stealer/) | 1 | 0 | `unknown` |\n| [`CSEnvVarDumpStealer`](families/cs_env_var_dump_stealer/) | 1 | 1 | `unknown` |\n| [`CSFacebookMarketStealer`](families/cs_facebook_market_stealer/) | 1 | 1 | `unknown` |\n| [`CSFacebookProfileStealer`](families/cs_facebook_profile_stealer/) | 1 | 1 | `low` |\n| [`CSGADSPanelStealer`](families/csgads_panel_stealer/) | 8 | 0 | `unknown` |\n| [`CSGeoSysInfoStealer`](families/cs_geo_sys_info_stealer/) | 1 | 1 | `unknown` |\n| [`CSGoRuntimeStealer`](families/cs_go_runtime_stealer/) | 1 | 1 | `unknown` |\n| [`CSHardwareTailStealer`](families/cs_hardware_tail_stealer/) | 1 | 1 | `low` |\n| [`CSInzExtStealer`](families/cs_inz_ext_stealer/) | 1 | 0 | `unknown` |\n| [`CSLoaderReadyStealer`](families/cs_loader_ready_stealer/) | 1 | 1 | `unknown` |\n| [`CSMSKDateStealer`](families/csmsk_date_stealer/) | 1 | 0 | `unknown` |\n| [`CSMacBareGeoStealer`](families/cs_mac_bare_geo_stealer/) | 1 | 0 | `unknown` |\n| [`CSMacKeychainPassStealer`](families/cs_mac_keychain_pass_stealer/) | 1 | 0 | `unknown` |\n| [`CSMacUserinfoStealer`](families/cs_mac_userinfo_stealer/) | 3 | 0 | `unknown` |\n| [`CSMainLootStealer`](families/cs_main_loot_stealer/) | 2 | 2 | `low` |\n| [`CSMatchesFilterStealer`](families/cs_matches_filter_stealer/) | 1 | 0 | `unknown` |\n| [`CSMrdUidStealer`](families/cs_mrd_uid_stealer/) | 3 | 0 | `unknown` |\n| [`CSNewLogStealer`](families/cs_new_log_stealer/) | 1 | 0 | `unknown` |\n| [`CSNovyiLogStealer`](families/cs_novyi_log_stealer/) | 1 | 1 | `unknown` |\n| [`CSOneGoStealer`](families/cs_one_go_stealer/) | 1 | 0 | `unknown` |\n| [`CSOttomanPanelStealer`](families/cs_ottoman_panel_stealer/) | 1 | 1 | `low` |\n| [`CSPcNameSnakeStealer`](families/cs_pc_name_snake_stealer/) | 1 | 1 | `unknown` |\n| [`CSPyHostTimeStealer`](families/cs_py_host_time_stealer/) | 1 | 1 | `unknown` |\n| [`CSRussia34Stealer`](families/cs_russia34_stealer/) | 1 | 1 | `unknown` |\n| [`CSSigInfoStealer`](families/cs_sig_info_stealer/) | 6 | 1 | `low` |\n| [`CSSoftwareTailStealer`](families/cs_software_tail_stealer/) | 1 | 1 | `unknown` |\n| [`CSStatsSectionStealer`](families/cs_stats_section_stealer/) | 1 | 0 | `unknown` |\n| [`CSStealerCloudInfoStealer`](families/cs_stealer_cloud_info_stealer/) | 1 | 1 | `low` |\n| [`CSStealerCloudUserInfoStealer`](families/cs_stealer_cloud_user_info_stealer/) | 1 | 1 | `low` |\n| [`CSSystemSummaryStealer`](families/cs_system_summary_stealer/) | 1 | 0 | `unknown` |\n| [`CSTxtFilesPartStealer`](families/cs_txt_files_part_stealer/) | 1 | 0 | `unknown` |\n| [`CSUsersListStealer`](families/cs_users_list_stealer/) | 1 | 1 | `unknown` |\n| [`CSWLFRCloudStealer`](families/cswlfr_cloud_stealer/) | 1 | 1 | `unknown` |\n| [`CSWmicDumpStealer`](families/cs_wmic_dump_stealer/) | 1 | 0 | `unknown` |\n| [`Category Stealer`](families/category_stealer/) | 5 | 0 | `unknown` |\n| [`CryptBot`](families/crypt_bot/) | 2 | 1 | `high` |\n| [`Cthulhu Stealer`](families/cthulhu_stealer/) | 26 | 0 | `high` |\n| [`DCRat`](families/dc_rat/) | 3 | 0 | `high` |\n| [`DiskInfo Stealer`](families/disk_info_stealer/) | 1 | 0 | `unknown` |\n| [`Lumma`](families/lumma/) | 61 | 5 | `high` |\n| [`MacSync`](families/mac_sync/) | 4 | 1 | `high` |\n| [`MeltStealer`](families/melt_stealer/) | 1 | 0 | `high` |\n| [`Millenium RAT`](families/millenium_rat/) | 1 | 0 | `-` |\n| [`Minimal Stealer`](families/minimal_stealer/) | 1 | 0 | `unknown` |\n| [`Nexus`](families/nexus/) | 1 | 0 | `medium` |\n| [`NotMalware`](families/not_malware/) | 5 | 5 | `benign` |\n| [`PCInfo Stealer`](families/pc_info_stealer/) | 2 | 0 | `unknown` |\n| [`PXA Stealer`](families/pxa_stealer/) | 8 | 0 | `high` |\n| [`Phantom Stealer`](families/phantom_stealer/) | 3 | 1 | `high` |\n| [`Phexia`](families/phexia/) | 1 | 0 | `high` |\n| [`PureLogs`](families/pure_logs/) | 1 | 0 | `high` |\n| [`PyInfo Stealer`](families/py_info_stealer/) | 1 | 0 | `unknown` |\n| [`RL Stealer`](families/rl_stealer/) | 2 | 1 | `medium` |\n| [`RMS`](families/rms/) | 1 | 1 | `high` |\n| [`Raccoon`](families/raccoon/) | 2 | 0 | `high` |\n| [`Redline`](families/redline/) | 22 | 0 | `high` |\n| [`RedlineLike Stealer`](families/redline_like_stealer/) | 72 | 0 | `unknown` |\n| [`Remus Stealer`](families/remus_stealer/) | 2 | 1 | `high` |\n| [`Rhadamanthys`](families/rhadamanthys/) | 1 | 0 | `high` |\n| [`SHub Stealer`](families/s_hub_stealer/) | 1 | 0 | `high` |\n| [`SantaStealer`](families/santa_stealer/) | 1 | 1 | `high` |\n| [`Snake Stealer`](families/snake_stealer/) | 3 | 0 | `high` |\n| [`StealC`](families/steal_c/) | 44 | 0 | `high` |\n| [`Stealerium`](families/stealerium/) | 1 | 1 | `high` |\n| [`Vidar`](families/vidar/) | 8722 | 0 | `high` |\n| [`WhiteSnake`](families/white_snake/) | 5 | 0 | `high` |\n| [`XFiles`](families/x_files/) | 12 | 0 | `high` |\n\n## Contributing\n\nFound a new variant or correction? Open a pull request adding the fingerprint banner, field keys, and any reference URLs. Sample logs must be sanitized of victim data before submission.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcystack%2Fstealer-fingerprints","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcystack%2Fstealer-fingerprints","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcystack%2Fstealer-fingerprints/lists"}