CSOttomanPanelStealer is a CyStack-coined identifier for
the Ottoman aggregator panels Information.txtshape. Ottoman, self-styled asOttoman CloudorOttoman Stealer v2.0, is a paid log-distribution service that resells stealer logs through the Telegram ecosystem. Per the operators own marketing site at
ottomancloud.github.io, the service compiles harvested
data from multiple source stealers, normalises the
output to a unified Information.txt shape, and sells
1500 to 5000 records per day across tiered subscription
plans ($75 to $600 per month).
The Ottoman panel is documented by community catalogs
(deepdarkCTI, Cyber Shafarat / Treadstone 71) but no
curated CTI vendor publishes a primary analysis of the
panel format. The operator admits Ottoman runs over
multiple source malware families (Redline, MetaStealer,
Raccoon, AuraStealer, TitanStealer, Vidar), so the
underlying family on any given victim varies. The CS
prefix marks the label as CyStack-coined; the panel
brand Ottoman and the operator support handle
@OttoSup are preserved as taxonomy fields.
Also known as: Ottoman Cloud, Ottoman Stealer, Ottoman Stealer v2.0
Variants observed: 1
Top attribution confidence: low
Operator panel brands: Ottoman
Distribution channels: @OttoSup
- Browser saved credentials, cookies, autofill
- Cryptocurrency wallet apps and browser extensions
- Session tokens for Telegram, Steam, Discord
- Documents matching the file-grabber filter list
- Browser history, bookmarks, extensions
- Credit card data stored in browsers
Fingerprint id: ottoman
Distribution channel: @OttoSup
Attribution confidence: low
Field keys:
CPU, City, Computer, Computer name, Country, GPU, HWID, IP, Installed antivirus, Internet provider, RAM, Region, Started as admin, System, System time, User name
Filenames: Information.txt, PC_info.txt, System.txt, UserInformation.txt, information.txt
Sample (sanitized):
***********************************************
* _ _ _ _ _ _ _ *
* / \ / \ / \ / \ / \ / \ / \ *
* ( O | T | T | O | M | A | N ) *
* \_/ \_/ \_/ \_/ \_/ \_/ \_/ *
* *
* Telegram : <url> *
***********************************************
рџ–ҐпёЏ User: Unknown
рџЊђ IP: Unknown
рџ“‹ OS Name: Unknown
рџЌЄ Cookies: 0
рџ”’ Passwords: 14
рџ“– History: 0
рџ“љ Bookmarks: 0
📦 Extensions: 0
рџ’і Cards: 0
рџ“Ѓ Other applications:
@OttoSup - Buy daily fresh logs
рџ’ё Crypto wallets:
No wallets found
рџ“ќ Grabbed files:
No grabbed files found
The parenthesized per-letter ASCII banner
( O | T | T | O | M | A | N ) plus the @OttoSup
operator-support handle is the strongest fingerprint.
The Telegram : invite-link row inside the ASCII frame
rotates per archive, so anchor rules should use the
banner literal and handle rather than the invite code.
When triaging logs from this family, remember the
underlying malware varies per victim, so map back to
the source stealer (Redline / Meta / Raccoon / Aura /
Titan / Vidar) from sibling files when possible.