CSStealerCloudUserInfoStealer is a CyStack-coined
identifier for the STEALERCLOUD brokers UserInformation.txtshape: three flush-leftKey: Value identity lines at the top (Keyboard
Language:, Display Resolution:, an @stealerboss - Buy daily fresh logs:operator banner with a wallpaper-name value), then a centeredIP GEOLOCATION DATA ASCII section header, then six geo fields (IP Address:, Country: (), Region:, City:, Postal Code:, Timezone:
()). The IP Address:` slot
accepts both IPv4 and IPv6.
Same broker as CSHardwareTailStealer: the STEALERCLOUD
aggregator pack splits the victim summary across two
files, with the YAML hardware tail in Info.txt and
the locale plus geo identity in UserInformation.txt.
The @STEALERBOSS Telegram channel handle is the
distribution channel. No surveyed CTI vendor attributes
either file shape to a specific source-stealer family,
so attribution is provisional pending a curated CTI
report.
Variants observed: 1
Top attribution confidence: low
Operator panel brands: STEALERCLOUD
Distribution channels: @STEALERBOSS
- Browser saved credentials and cookies (sibling files in the same victim folder; this file is identity / locale / geo only)
- Victim locale (keyboard language, display resolution)
- Victim geo (country, region, city, postal code, timezone) plus IPv4 / IPv6 address
Fingerprint id: stealercloud
Distribution channel: @STEALERBOSS
Attribution confidence: low
Field keys:
City, Country, Display Resolution, IP Address, Keyboard Language, Postal Code, Region, Timezone
Filenames: UserInformation.txt
Sample (sanitized):
Keyboard Language: English
Display Resolution: 2560x1440
@stealerboss - Buy daily fresh logs: no_wallpaper
IP GEOLOCATION DATA
IP Address: <redacted>
Country: United States (US)
Region: South Carolina
City: <redacted>
Postal Code: <redacted>
Timezone: America/Adak (UTC)
The two-anchor fingerprint @stealerboss - Buy daily fresh logs: operator-handle banner plus the centered
IP GEOLOCATION DATA section header is the cleanest
panel signal. The IPv6 capability in the IP Address:
slot is unusual across stealer panels (most ship IPv4
only via ip-api.com-shaped lookups). Pair with
CSHardwareTailStealer hardware-tail Info.txt files in
the same victim folder for the full per-victim summary.
- T1082 System Information Discovery
- T1016 System Network Configuration Discovery
- T1033 System Owner/User Discovery
- T1005 Data from Local System
- @STEALERBOSS