CSMainLootStealer is a CyStack-coined identifier for a
Telegram-bot-notification Information.txt panel with a
✨ New Log Received ✨ sparkle-bracketed banner. The body
ships a 💻 User: <user>@<host> victim-identity line, a
🌍 IP: placeholder, two captioned sections
(📊 Main Loot: for passwords / cookies / wallets,
📦 Additional Data: for messengers / games / servers /
grabbers), each carrying per-category emoji-prefixed
count lines, and a Support: @VerifiedThief admin
contact footer. Observed inside !! 2025 NOV.part001.rar
BRADMAX aggregator packs at
[<TAG>]@BRADLOGS (BRADMAX) (<NN>)/Information.txt
victim folders.
A single community-CTI source (cti.monster, March 2026) hints at Hexo Stealer attribution for the sparkle-banner + Main Loot + Additional Data notification shape, but the article is paywalled and could not be fetched verbatim. Cyfirma's Hexon Stealer report documents a related (but distinct) rebrand of Stealit Stealer without publishing the exact notification format. With one unverifiable community source and no curated CTI vendor confirmation, family attribution stays CyStack-coined.
Also known as: BRADMAX sparkle-banner notification panel, @VerifiedThief Telegram-bot Main Loot / Additional Data log
Variants observed: 2
Top attribution confidence: low
Distribution channels: @VerifiedThief, @aesxor
- Browser-saved credentials (count flag on
🔑 Passwords:) - Browser cookies (count flag on
🍪 Cookies:) - Cryptocurrency wallets (count flag on
💰 Wallets:) - Messenger sessions (count flag on
💬 Messengers:) - Game launcher credentials (count flag on
🎮 Games:) - Server / FTP / SSH credentials (count flag on
🗄️ Servers:) - Grabbed files (count flag on
🎣 Grabbers:) - Combined OS username + hostname (user@host on the
💻 User:line)
Distribution channel: @VerifiedThief
Attribution confidence: low
Field keys:
Support
Filenames: Information.txt
Sample (sanitized):
✨ New Log Received ✨
💻 User: hifgf@YEJON-DESKTOP
🌍 IP: N/A (check System.txt)
📊 Main Loot:
🔑 Passwords: 0
🍪 Cookies: 0
💰 Wallets: 0
📦 Additional Data:
💬 Messengers: 1
🎮 Games: 10
🗄️ Servers: 1
🎣 Grabbers: 3
Support: @VerifiedThief
Distribution channel: @aesxor
Attribution confidence: low
Filenames: Information.txt
Sample (sanitized):
✨ New Log Received ✨
💻 User: Shiva@AK_MALHOTRA
🌍 IP: <ip>
📊 Main Loot:
🔑 Passwords: 125
🍪 Cookies: 3035
💰 Wallets: 0
📦 Additional Data:
💬 Messengers: 2
🎮 Games: 7
🗄️ Servers: 1
🎣 Grabbers: 43
👨💻 Developer: @aesxor
Fingerprint requires New Log Received substring AND
Main Loot: substring AND Additional Data: substring
AND @VerifiedThief substring. The four-anchor combo
is unique across the registry: the Main Loot: and
Additional Data: section-caption pair is the panel-side
developer quirk, and the @VerifiedThief admin handle is
unique to this distribution. During triage, treat this
label as a panel-side notification view (counts only):
the actual harvested credentials live in sibling files
the operator's archive (browser-data folders, cookie
dumps, etc.) rather than in this notification body. The
underlying stealer family is unknown; the Hexo Stealer
attribution from cti.monster is provisional pending
curated-CTI confirmation.