Skip to content

Latest commit

 

History

History

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 

README.md

CSFacebookMarketStealer

CSFacebookMarketStealer is a CyStack-coined identifier for a Facebook-account-resale marketplace listing emitted as Information.txt inside !! 2025 NOV.part001.rar @BRADLOGS / BRADMAX aggregator packs. Per-victim folders follow the [<TAG>]@BRADLOGS (BRADMAX) (<NN>)/ layout. The body is a four-line record: a 15-digit Facebook user ID plus display name plus date of birth header, a crown emoji pricing tier line, a related-pages line, and a raw Facebook session cookie string carrying c_user, xs, datr, sb, fr, ps_l, ps_n, wd.

The pricing-tier line uses U+1F451 👑 followed by a U+2219 BULLET OPERATOR separator chain that carries asking price (with U+1F4B6 💶 euro-banknote suffix), age and ratio stats, trading currency, ISO 3166 country code, a TS[<n>-<m>] trust-score bracket, and a U+2119 category flag. The body is most likely a panel-side post- processing artifact where a raw stealer cookie dump has been converted into a resale listing for an underground Facebook account marketplace. Family attribution is provisional pending a published threat-intel mapping for this layout. The closest documented relatives are NodeStealer (Unit 42), SYS01 (Morphisec), and the Trend Micro Facebook-Profile-Stealer write-ups: each collects the c_user and xs cookie pair from Facebook accounts, but none publishes a sample log showing this exact emoji-tagged marketplace listing shape.

Also known as: BRADMAX Facebook account marketplace listing, Crown-emoji Facebook resale Information.txt

Variants observed: 1 Top attribution confidence: unknown Operator panel brands: BRADMAX Distribution channels: @BRADLOGS

Targets

  • Facebook user ID
  • Facebook session cookies (c_user, xs, datr, sb, fr)
  • Facebook account creation year and trust-score metadata
  • Account display name and date of birth
  • Related Facebook page IDs

Variants

BRADMAX

Fingerprint id: bradmax

Distribution channel: @BRADLOGS

Attribution confidence: unknown

Filenames: Information.txt

Sample (sanitized):

100000133698988|Asd1/1/1982|♻️|0
👑∙350💶∙5∙10.12∙0∙USD∙PE∙TS[0-0]∙ℙ|224340604|2011|2
🅿️∙112720720419076➖191087508817915|20167-21060|💲
wd=640x840; datr=SNyXZkhOxFXPhs9V3spnX2-o; sb=SZpYZxAjIRdQt1ElrmuaxgBo; c_user=100000133698988; ps_l=1; ps_n=1; fr=1fdSpk1mIPg1k8aTm.AWdBYtJ7mjmgcE7P0uvd2U4zC6AE2jhgghlg02vUzJi2u1c0Li4.BpI5o2..AAA.0.0.BpI5o2.AWeXMhMrhW2CqtHnWTAn5wQy4Pc; xs=38%3A7n_ifOZA1B6SOw%3A2%3A1763940911%3A-1%3A-1%3A%3AAcwrmDcGA3brZuRNKQVs4f7B2vL-cD2bB8OKFhXZSg

Detection

Fingerprint requires U+1F451 👑 crown glyph AND c_user= AND xs= AND datr= cookie-name substrings. Four anchors together cannot collide with any other registered parser: the crown glyph alone rules out every system-info shape, and the three Facebook session-cookie name substrings rule out any non-Facebook artifact that happens to carry a crown emoji. During triage, treat the raw c_user, xs, and datr cookie values as exfiltrated session secrets that grant attacker-side Facebook account takeover. Family attribution is unknown: the underlying stealer that scraped the original cookie dump has not been mapped to this marketplace-listing layout in any surveyed CTI source.

MITRE ATT&CK

Related families

References