CSGADSPanelStealer is a CyStack-coined identifier for a
compact five-line Information.txt panel summary observed
inside !! 2026 JAN.part01.rar-style aggregator packs in
[CC]<IPv4>/Information.txt victim folders. The body lists
IP, Country (flag emoji + ISO code + country name), User,
AntiVirus, and a Browser Data: count line in pipe-separated
PXA-style notation: CK:<n>|PW:<n>|AF:<n>|CC:<n>|FB:<n>|GADS:<bool>.
No HWID, hostname, OS, or hardware inventory accompanies
the summary, so the panel is a victim-side fingerprint view
rather than a full system-info export.
The CK|PW|AF|CC|FB count abbreviations are documented by
SentinelOne Labs and Beazley Security as the PXA Stealer
data-tracker format in the Ghost in the Zip joint research,
and the [CC]<IP> folder convention matches the PXA panel
exfiltration shape ([CC_IPADDRESS]_HOSTNAME.zip). The
attribution is suggestive but not definitive: PXA's
documented victim-side system_info.txt uses a verbose
Vietnamese-headered Thông tin hệ thống block of WMI
snake_case keys (claimed by PXAParser), and the trailing
GADS (Google Ads account flag) column plus the bare
AntiVirus: line are not described in any surveyed curated
CTI source. The format may be a panel-summary view from a
PXA log-ingest pipeline or an unrelated Telegram aggregator
that adopted the PXA count notation.
Family attribution is provisional pending a published threat-intel mapping for this exact panel-summary layout.
Also known as: !! 2026 JAN aggregator panel summary
Variants observed: 8
Top attribution confidence: unknown
- Browser saved credentials, cookies, autofill (counts only)
- Credit-card data (count flag)
- Facebook session cookies (count flag)
- Google Ads account presence flag
Attribution confidence: unknown
Field keys:
Browser Data, Country, IP, User
Filenames: Information.txt
Sample (sanitized):
IP: <redacted>
Country: IN - India
User: HP
Browser Data: CK: 111|PW: 116|AF: 1067|CC: 0
Attribution confidence: unknown
Field keys:
AntiVirus, Browser Data, User
Filenames: Information.txt
Sample (sanitized):
IP: <redacted>
User: LENOVO
AntiVirus: Windows Defender
Browser Data: CK:3972|PW:210|AF:5243|CC:0|FB:0|GADS:False
Attribution confidence: unknown
Field keys:
AntiVirus, Browser Data, Country, Ip, User
Filenames: Information.txt
Sample (sanitized):
Ip: <redacted>
Country: 🇩🇿 DZ - Algeria
User: hp
AntiVirus: Kaspersky Total Security, Windows Defender
Browser Data: CK:4614|PW:3|AF:9|CC:0|FB:1|GADS:False
Attribution confidence: unknown
Field keys:
AntiVirus, Browser Data, Country, User
Filenames: Information.txt
Sample (sanitized):
IP: <redacted>
Country: 🇦🇴 AO - Angola
User: ATT
AntiVirus: Windows Defender
Browser Data: CK:3242|PW:30|AF:122|CC:0|FB:2|GADS:False
Attribution confidence: unknown
Field keys:
Browser Data, Country, User
Filenames: Information.txt
Sample (sanitized):
IP: <redacted>
Country: IN - India
User: HP
Browser Data: CK: 108|PW: 116|AF: 1017|CC: 0
Attribution confidence: unknown
Field keys:
AntiVirus, Browser Data, IP, User
Filenames: Information.txt
Sample (sanitized):
IP: <redacted>
User: WISEDON COMPUTERS EN
AntiVirus: Windows Defender
Browser Data: CK:18469|PW:69|AF:745|CC:0|FB:52|GADS:False
Attribution confidence: unknown
Field keys:
Antivirus, Browser Data, Country, IP, RuntimeExecption, User
Filenames: Information.txt
Sample (sanitized):
NguyenBang Stealer
IP: <redacted>
Country: EG - Egypt
User: Dr Mahmoud Sabry
Antivirus: Windows Defender
Browser Data: CK: 262|PW: 14|AF: 31|CC: 0
RuntimeExecption: 0
Attribution confidence: unknown
Field keys:
AntiVirus, Browser Data, Country, IP, User
Filenames: Information.txt
Sample (sanitized):
IP: <redacted>
Country: 🇧🇩 BD - Bangladesh
User: hp
AntiVirus: Windows Defender
Browser Data: CK:3325|PW:43|AF:416|CC:0|FB:2|GADS:False
Fingerprint requires line-anchored IP:, Country:,
User:, AntiVirus: keys plus the Browser Data: CK:
substring and the |GADS: substring. The |GADS: token
is the disambiguator: PXA Stealer Telegram bot captions
use the same pipe-separated count notation but extend it
with Sites|Wallets|Apps columns rather than a GADS
flag. During triage, treat the family attribution as
unknown - the underlying stealer cannot be identified
from the panel summary alone, and the per-victim folder
is missing the harvested credential bodies that would
allow follow-on family fingerprinting.