Skip to content

Latest commit

 

History

History

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 

README.md

CSGADSPanelStealer

CSGADSPanelStealer is a CyStack-coined identifier for a compact five-line Information.txt panel summary observed inside !! 2026 JAN.part01.rar-style aggregator packs in [CC]<IPv4>/Information.txt victim folders. The body lists IP, Country (flag emoji + ISO code + country name), User, AntiVirus, and a Browser Data: count line in pipe-separated PXA-style notation: CK:<n>|PW:<n>|AF:<n>|CC:<n>|FB:<n>|GADS:<bool>. No HWID, hostname, OS, or hardware inventory accompanies the summary, so the panel is a victim-side fingerprint view rather than a full system-info export.

The CK|PW|AF|CC|FB count abbreviations are documented by SentinelOne Labs and Beazley Security as the PXA Stealer data-tracker format in the Ghost in the Zip joint research, and the [CC]<IP> folder convention matches the PXA panel exfiltration shape ([CC_IPADDRESS]_HOSTNAME.zip). The attribution is suggestive but not definitive: PXA's documented victim-side system_info.txt uses a verbose Vietnamese-headered Thông tin hệ thống block of WMI snake_case keys (claimed by PXAParser), and the trailing GADS (Google Ads account flag) column plus the bare AntiVirus: line are not described in any surveyed curated CTI source. The format may be a panel-summary view from a PXA log-ingest pipeline or an unrelated Telegram aggregator that adopted the PXA count notation.

Family attribution is provisional pending a published threat-intel mapping for this exact panel-summary layout.

Also known as: !! 2026 JAN aggregator panel summary

Variants observed: 8 Top attribution confidence: unknown

Targets

  • Browser saved credentials, cookies, autofill (counts only)
  • Credit-card data (count flag)
  • Facebook session cookies (count flag)
  • Google Ads account presence flag

Variants

cystack_01e16bb3

Attribution confidence: unknown

Field keys: Browser Data, Country, IP, User

Filenames: Information.txt

Sample (sanitized):

IP: <redacted>
Country: IN - India
User: HP
Browser Data: CK: 111|PW: 116|AF: 1067|CC: 0

cystack_0bc18c67

Attribution confidence: unknown

Field keys: AntiVirus, Browser Data, User

Filenames: Information.txt

Sample (sanitized):

    IP: <redacted>
User: LENOVO
AntiVirus: Windows Defender
Browser Data: CK:3972|PW:210|AF:5243|CC:0|FB:0|GADS:False

cystack_17af0602

Attribution confidence: unknown

Field keys: AntiVirus, Browser Data, Country, Ip, User

Filenames: Information.txt

Sample (sanitized):

Ip: <redacted>
Country: 🇩🇿 DZ - Algeria
User: hp
AntiVirus: Kaspersky Total Security, Windows Defender
Browser Data: CK:4614|PW:3|AF:9|CC:0|FB:1|GADS:False

cystack_2ba34ed5

Attribution confidence: unknown

Field keys: AntiVirus, Browser Data, Country, User

Filenames: Information.txt

Sample (sanitized):

    IP: <redacted>
Country: 🇦🇴 AO - Angola
User: ATT
AntiVirus: Windows Defender
Browser Data: CK:3242|PW:30|AF:122|CC:0|FB:2|GADS:False

cystack_7c0940cc

Attribution confidence: unknown

Field keys: Browser Data, Country, User

Filenames: Information.txt

Sample (sanitized):

    IP: <redacted>
Country: IN - India
User: HP
Browser Data: CK: 108|PW: 116|AF: 1017|CC: 0

cystack_8479d801

Attribution confidence: unknown

Field keys: AntiVirus, Browser Data, IP, User

Filenames: Information.txt

Sample (sanitized):

IP: <redacted>
User: WISEDON COMPUTERS EN
AntiVirus: Windows Defender
Browser Data: CK:18469|PW:69|AF:745|CC:0|FB:52|GADS:False

cystack_b723275e

Attribution confidence: unknown

Field keys: Antivirus, Browser Data, Country, IP, RuntimeExecption, User

Filenames: Information.txt

Sample (sanitized):

NguyenBang Stealer
IP: <redacted>
Country: EG - Egypt
User: Dr Mahmoud Sabry
Antivirus: Windows Defender
Browser Data: CK: 262|PW: 14|AF: 31|CC: 0
RuntimeExecption: 0

cystack_e76892c4

Attribution confidence: unknown

Field keys: AntiVirus, Browser Data, Country, IP, User

Filenames: Information.txt

Sample (sanitized):

IP: <redacted>
Country: 🇧🇩 BD - Bangladesh
User: hp
AntiVirus: Windows Defender
Browser Data: CK:3325|PW:43|AF:416|CC:0|FB:2|GADS:False

Detection

Fingerprint requires line-anchored IP:, Country:, User:, AntiVirus: keys plus the Browser Data: CK: substring and the |GADS: substring. The |GADS: token is the disambiguator: PXA Stealer Telegram bot captions use the same pipe-separated count notation but extend it with Sites|Wallets|Apps columns rather than a GADS flag. During triage, treat the family attribution as unknown - the underlying stealer cannot be identified from the panel summary alone, and the per-victim folder is missing the harvested credential bodies that would allow follow-on family fingerprinting.

MITRE ATT&CK

Related families

References