CSGoRuntimeStealer is a CyStack-coined identifier for a
bare 4-field system_info.txt panel observed inside
!! 2025 DEC.part01.rar aggregator packs at
[<CC>]<IPv4>/<operator-handle>/system_info.txt victim
folders (e.g. [UN]18.88.179.21/poopbandit/system_info.txt).
The body is a 5-line minimal panel: an ALL CAPS triple-
equals === SYSTEM INFORMATION === section header, four
flat key-value lines (User: <Computer>\<Username> /
Computer: / OS: <goos> <goarch> / Directory:), and
a closing triple-equals rule.
The strongest single fingerprint is the OS: value: Go
binaries emit runtime.GOOS + " " + runtime.GOARCH
which produces strings like windows amd64, linux 386,
or darwin arm64. The bare lowercase two-token shape
does not appear in any other surveyed stealer-builder
runtime: .NET emits Microsoft Windows <version>,
Python emits Windows-<release>-<build>, Lumma emits
Windows <version> <edition> (<build>). The Go runtime
shape is the panel`s clearest builder-attribution signal.
The User: line carries a <Computer>\<Username>
backslash-separated identity (the panels preferred shape over os/user.Current().Usernamewhich would return just the username on Unix). TheDirectory: line carries the malwares execution path; the observed
sample ran out of %TEMP%. The path-side
<operator-handle>/ segment between the victim folder
and the system_info.txt file exposes the operators panel-side identifier (poopbanditin the observed sample); the parser routes this throughmalware.distribution_channel` so the operator handle
travels with the IOC.
A two-vendor curated CTI survey and the public stealer-
format catalogues do not document a family that emits
exactly this minimal Go-runtime panel shape. The
poopbandit operator handle is unattested. Family
attribution is provisional pending a curated CTI mapping.
Also known as: Go-runtime minimal stealer panel, poopbandit Information.txt
Variants observed: 1
Top attribution confidence: unknown
Distribution channels: poopbandit
- Victim hostname (
Computer:field plus the backslash half of theUser:line) - Victim account shortname (
User:line) - Operating system / architecture (
OS:line via Go runtime values) - Malware execution directory (
Directory:line)
Distribution channel: poopbandit
Attribution confidence: unknown
Field keys:
Computer, Directory, OS, User
Filenames: system_info.txt
Sample (sanitized):
=== SYSTEM INFORMATION ===
User: JOHN-PC\John
Computer: JOHN-PC
OS: windows amd64
Directory: C:\Users\<user>\AppData\Local\Temp
========================
Fingerprint requires === SYSTEM INFORMATION === (ALL
CAPS) AND a Directory: field AND an OS: line matching
the Go-runtime <goos> <goarch> two-lowercase-token
shape PLUS absence of === ENVIRONMENT VARIABLES ===
(rules out CSEnvVarDumpStealer). The Go-runtime
OS: shape is the panels strongest single signal: no other surveyed stealer-builder runtime emits the OS field in this exact form. During triage, the path-side /segment (between the[]/victim folder and thesystem_info.txt file) carries the operators panel-
side identifier; cluster IOCs by handle to track
distribution.