
https://github.com/cystack/stealer-fingerprints

Public catalog of stealer log fingerprints. Banner strings, field signatures, sanitized samples, and YARA rules for 30+ malware families including RedLine, Vidar, Lumma, StealC, and Rhadamanthys. For incident response, detection engineering, and threat intelligence research.

cti cybersecurity incident-response info-steal infostealers ioc lumma-stealer malware-analysis malware-detection malware-samples mitre-attack redline rhadamanthys security-research stealer-log-parser threat-intelligence vidar-stealer yara yara-rules


# Stealer Fingerprints

Public catalog of malware-family fingerprints curated by CyStack threat intelligence. Each entry documents a stealer log family with its banner strings, field signatures, sanitized sample, and ready-to-use YARA rules.

Each row in the table below summarises the operator-rebrand footprint observed for that family: the number of distinct variants we hold fingerprints for, the number of distribution channels we have seen carrying it, and the highest attribution confidence observed (`high` = confirmed by curated CTI, `medium` = community catalog hint, `low` = provisional best guess, `unknown` = discovered by CyStack with no candidate attribution, `benign` = false-positive labelling).

## Families

| Family | Variants | Channels | Top confidence |
|---|---|---|---|
| [`AMOS Stealer`](families/amos_stealer/) | 74 | 0 | `medium` |
| [`Acreed`](families/acreed/) | 1 | 0 | `high` |
| [`Aetheris Stealer`](families/aetheris_stealer/) | 14 | 0 | `high` |
| [`Ailurophile`](families/ailurophile/) | 1 | 1 | `high` |
| [`Antarctida Stealer`](families/antarctida_stealer/) | 1 | 0 | `high` |
| [`Arcane`](families/arcane/) | 47 | 1 | `high` |
| [`AuraStealer`](families/aura_stealer/) | 2 | 0 | `high` |
| [`Blank Grabber`](families/blank_grabber/) | 19 | 0 | `high` |
| [`BracketSection Stealer`](families/bracket_section_stealer/) | 3 | 0 | `unknown` |
| [`Bugatti Cloud`](families/bugatti_cloud/) | 6 | 0 | `unknown` |
| [`CSAdminCoresStealer`](families/cs_admin_cores_stealer/) | 1 | 0 | `unknown` |
| [`CSAntiSandboxStealer`](families/cs_anti_sandbox_stealer/) | 1 | 0 | `unknown` |
| [`CSAzureBuildStealer`](families/cs_azure_build_stealer/) | 1 | 0 | `unknown` |
| [`CSBareUsernameAVStealer`](families/cs_bare_username_av_stealer/) | 1 | 0 | `unknown` |
| [`CSBareVersionStealer`](families/cs_bare_version_stealer/) | 1 | 1 | `unknown` |
| [`CSBestPrivateLoggerStealer`](families/cs_best_private_logger_stealer/) | 1 | 0 | `unknown` |
| [`CSBinaryGarbageStealer`](families/cs_binary_garbage_stealer/) | 1 | 1 | `unknown` |
| [`CSBitArchStealer`](families/cs_bit_arch_stealer/) | 1 | 0 | `unknown` |
| [`CSBrowersStealer`](families/cs_browers_stealer/) | 4 | 0 | `unknown` |
| [`CSBuildBlockStealer`](families/cs_build_block_stealer/) | 1 | 1 | `unknown` |
| [`CSCountCoreStealer`](families/cs_count_core_stealer/) | 6 | 0 | `unknown` |
| [`CSCountRunsStealer`](families/cs_count_runs_stealer/) | 1 | 1 | `unknown` |
| [`CSCrownBuildStealer`](families/cs_crown_build_stealer/) | 1 | 0 | `unknown` |
| [`CSDaisyBonusProcSoftStealer`](families/cs_daisy_bonus_proc_soft_stealer/) | 1 | 1 | `unknown` |
| [`CSDaisyCloudStealer`](families/cs_daisy_cloud_stealer/) | 1 | 1 | `low` |
| [`CSDashPlusSepStealer`](families/cs_dash_plus_sep_stealer/) | 1 | 1 | `unknown` |
| [`CSDashSectionStealer`](families/cs_dash_section_stealer/) | 1 | 1 | `low` |
| [`CSDataCollectedStealer`](families/cs_data_collected_stealer/) | 1 | 0 | `unknown` |
| [`CSEmojiCountStealer`](families/cs_emoji_count_stealer/) | 4 | 0 | `unknown` |
| [`CSEmojiInfoStealer`](families/cs_emoji_info_stealer/) | 1 | 0 | `unknown` |
| [`CSEnvVarDumpStealer`](families/cs_env_var_dump_stealer/) | 1 | 1 | `unknown` |
| [`CSFacebookMarketStealer`](families/cs_facebook_market_stealer/) | 1 | 1 | `unknown` |
| [`CSFacebookProfileStealer`](families/cs_facebook_profile_stealer/) | 1 | 1 | `low` |
| [`CSGADSPanelStealer`](families/csgads_panel_stealer/) | 8 | 0 | `unknown` |
| [`CSGeoSysInfoStealer`](families/cs_geo_sys_info_stealer/) | 1 | 1 | `unknown` |
| [`CSGoRuntimeStealer`](families/cs_go_runtime_stealer/) | 1 | 1 | `unknown` |
| [`CSHardwareTailStealer`](families/cs_hardware_tail_stealer/) | 1 | 1 | `low` |
| [`CSInzExtStealer`](families/cs_inz_ext_stealer/) | 1 | 0 | `unknown` |
| [`CSLoaderReadyStealer`](families/cs_loader_ready_stealer/) | 1 | 1 | `unknown` |
| [`CSMSKDateStealer`](families/csmsk_date_stealer/) | 1 | 0 | `unknown` |
| [`CSMacBareGeoStealer`](families/cs_mac_bare_geo_stealer/) | 1 | 0 | `unknown` |
| [`CSMacKeychainPassStealer`](families/cs_mac_keychain_pass_stealer/) | 1 | 0 | `unknown` |
| [`CSMacUserinfoStealer`](families/cs_mac_userinfo_stealer/) | 3 | 0 | `unknown` |
| [`CSMainLootStealer`](families/cs_main_loot_stealer/) | 2 | 2 | `low` |
| [`CSMatchesFilterStealer`](families/cs_matches_filter_stealer/) | 1 | 0 | `unknown` |
| [`CSMrdUidStealer`](families/cs_mrd_uid_stealer/) | 3 | 0 | `unknown` |
| [`CSNewLogStealer`](families/cs_new_log_stealer/) | 1 | 0 | `unknown` |
| [`CSNovyiLogStealer`](families/cs_novyi_log_stealer/) | 1 | 1 | `unknown` |
| [`CSOneGoStealer`](families/cs_one_go_stealer/) | 1 | 0 | `unknown` |
| [`CSOttomanPanelStealer`](families/cs_ottoman_panel_stealer/) | 1 | 1 | `low` |
| [`CSPcNameSnakeStealer`](families/cs_pc_name_snake_stealer/) | 1 | 1 | `unknown` |
| [`CSPyHostTimeStealer`](families/cs_py_host_time_stealer/) | 1 | 1 | `unknown` |
| [`CSRussia34Stealer`](families/cs_russia34_stealer/) | 1 | 1 | `unknown` |
| [`CSSigInfoStealer`](families/cs_sig_info_stealer/) | 6 | 1 | `low` |
| [`CSSoftwareTailStealer`](families/cs_software_tail_stealer/) | 1 | 1 | `unknown` |
| [`CSStatsSectionStealer`](families/cs_stats_section_stealer/) | 1 | 0 | `unknown` |
| [`CSStealerCloudInfoStealer`](families/cs_stealer_cloud_info_stealer/) | 1 | 1 | `low` |
| [`CSStealerCloudUserInfoStealer`](families/cs_stealer_cloud_user_info_stealer/) | 1 | 1 | `low` |
| [`CSSystemSummaryStealer`](families/cs_system_summary_stealer/) | 1 | 0 | `unknown` |
| [`CSTxtFilesPartStealer`](families/cs_txt_files_part_stealer/) | 1 | 0 | `unknown` |
| [`CSUsersListStealer`](families/cs_users_list_stealer/) | 1 | 1 | `unknown` |
| [`CSWLFRCloudStealer`](families/cswlfr_cloud_stealer/) | 1 | 1 | `unknown` |
| [`CSWmicDumpStealer`](families/cs_wmic_dump_stealer/) | 1 | 0 | `unknown` |
| [`Category Stealer`](families/category_stealer/) | 5 | 0 | `unknown` |
| [`CryptBot`](families/crypt_bot/) | 2 | 1 | `high` |
| [`Cthulhu Stealer`](families/cthulhu_stealer/) | 26 | 0 | `high` |
| [`DCRat`](families/dc_rat/) | 3 | 0 | `high` |
| [`DiskInfo Stealer`](families/disk_info_stealer/) | 1 | 0 | `unknown` |
| [`Lumma`](families/lumma/) | 61 | 5 | `high` |
| [`MacSync`](families/mac_sync/) | 4 | 1 | `high` |
| [`MeltStealer`](families/melt_stealer/) | 1 | 0 | `high` |
| [`Millenium RAT`](families/millenium_rat/) | 1 | 0 | `-` |
| [`Minimal Stealer`](families/minimal_stealer/) | 1 | 0 | `unknown` |
| [`Nexus`](families/nexus/) | 1 | 0 | `medium` |
| [`NotMalware`](families/not_malware/) | 5 | 5 | `benign` |
| [`PCInfo Stealer`](families/pc_info_stealer/) | 2 | 0 | `unknown` |
| [`PXA Stealer`](families/pxa_stealer/) | 8 | 0 | `high` |
| [`Phantom Stealer`](families/phantom_stealer/) | 3 | 1 | `high` |
| [`Phexia`](families/phexia/) | 1 | 0 | `high` |
| [`PureLogs`](families/pure_logs/) | 1 | 0 | `high` |
| [`PyInfo Stealer`](families/py_info_stealer/) | 1 | 0 | `unknown` |
| [`RL Stealer`](families/rl_stealer/) | 2 | 1 | `medium` |
| [`RMS`](families/rms/) | 1 | 1 | `high` |
| [`Raccoon`](families/raccoon/) | 2 | 0 | `high` |
| [`Redline`](families/redline/) | 22 | 0 | `high` |
| [`RedlineLike Stealer`](families/redline_like_stealer/) | 72 | 0 | `unknown` |
| [`Remus Stealer`](families/remus_stealer/) | 2 | 1 | `high` |
| [`Rhadamanthys`](families/rhadamanthys/) | 1 | 0 | `high` |
| [`SHub Stealer`](families/s_hub_stealer/) | 1 | 0 | `high` |
| [`SantaStealer`](families/santa_stealer/) | 1 | 1 | `high` |
| [`Snake Stealer`](families/snake_stealer/) | 3 | 0 | `high` |
| [`StealC`](families/steal_c/) | 44 | 0 | `high` |
| [`Stealerium`](families/stealerium/) | 1 | 1 | `high` |
| [`Vidar`](families/vidar/) | 8722 | 0 | `high` |
| [`WhiteSnake`](families/white_snake/) | 5 | 0 | `high` |
| [`XFiles`](families/x_files/) | 12 | 0 | `high` |

## Contributing

Found a new variant or correction? Open a pull request adding the fingerprint banner, field keys, and any reference URLs. Sample logs must be sanitized of victim data before submission.