Skip to content

Latest commit

 

History

History

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 

README.md

CSGoRuntimeStealer

CSGoRuntimeStealer is a CyStack-coined identifier for a bare 4-field system_info.txt panel observed inside !! 2025 DEC.part01.rar aggregator packs at [<CC>]<IPv4>/<operator-handle>/system_info.txt victim folders (e.g. [UN]18.88.179.21/poopbandit/system_info.txt). The body is a 5-line minimal panel: an ALL CAPS triple- equals === SYSTEM INFORMATION === section header, four flat key-value lines (User: <Computer>\<Username> / Computer: / OS: <goos> <goarch> / Directory:), and a closing triple-equals rule.

The strongest single fingerprint is the OS: value: Go binaries emit runtime.GOOS + " " + runtime.GOARCH which produces strings like windows amd64, linux 386, or darwin arm64. The bare lowercase two-token shape does not appear in any other surveyed stealer-builder runtime: .NET emits Microsoft Windows <version>, Python emits Windows-<release>-<build>, Lumma emits Windows <version> <edition> (<build>). The Go runtime shape is the panel`s clearest builder-attribution signal.

The User: line carries a <Computer>\<Username> backslash-separated identity (the panels preferred shape over os/user.Current().Usernamewhich would return just the username on Unix). TheDirectory: line carries the malwares execution path; the observed sample ran out of %TEMP%. The path-side <operator-handle>/ segment between the victim folder and the system_info.txt file exposes the operators panel-side identifier (poopbanditin the observed sample); the parser routes this throughmalware.distribution_channel` so the operator handle travels with the IOC.

A two-vendor curated CTI survey and the public stealer- format catalogues do not document a family that emits exactly this minimal Go-runtime panel shape. The poopbandit operator handle is unattested. Family attribution is provisional pending a curated CTI mapping.

Also known as: Go-runtime minimal stealer panel, poopbandit Information.txt

Variants observed: 1 Top attribution confidence: unknown Distribution channels: poopbandit

Targets

  • Victim hostname (Computer: field plus the backslash half of the User: line)
  • Victim account shortname (User: line)
  • Operating system / architecture (OS: line via Go runtime values)
  • Malware execution directory (Directory: line)

Variants

cystack_68b1c634

Distribution channel: poopbandit

Attribution confidence: unknown

Field keys: Computer, Directory, OS, User

Filenames: system_info.txt

Sample (sanitized):

=== SYSTEM INFORMATION ===
User: JOHN-PC\John
Computer: JOHN-PC
OS: windows amd64
Directory: C:\Users\<user>\AppData\Local\Temp
========================

Detection

Fingerprint requires === SYSTEM INFORMATION === (ALL CAPS) AND a Directory: field AND an OS: line matching the Go-runtime <goos> <goarch> two-lowercase-token shape PLUS absence of === ENVIRONMENT VARIABLES === (rules out CSEnvVarDumpStealer). The Go-runtime OS: shape is the panels strongest single signal: no other surveyed stealer-builder runtime emits the OS field in this exact form. During triage, the path-side /segment (between the[]/victim folder and thesystem_info.txt file) carries the operators panel- side identifier; cluster IOCs by handle to track distribution.

MITRE ATT&CK

Related families

References