{
	"id": "99855a25-e3fa-4d9c-96cb-6be455217e02",
	"created_at": "2026-04-06T00:06:56.052137Z",
	"updated_at": "2026-04-10T03:20:47.722789Z",
	"deleted_at": null,
	"sha1_hash": "1dc78179f3ffadf770fb4bfb32a14b4739e2a877",
	"title": "Experts Shed Light on BlackGuard Infostealer Malware Sold on Russian Hacking Forums",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 377826,
	"plain_text": "Experts Shed Light on BlackGuard Infostealer Malware Sold on\r\nRussian Hacking Forums\r\nBy The Hacker News\r\nPublished: 2022-04-04 · Archived: 2026-04-05 13:37:07 UTC\r\nA previously undocumented \"sophisticated\" information-stealing malware named BlackGuard is being advertised\r\nfor sale on Russian underground forums for a monthly subscription of $200.\r\n\"BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP\r\ncredentials, saved browser credentials, and email clients,\" Zscaler ThreatLabz researchers Mitesh Wani and\r\nKaivalya Khursale said in a report published last week.\r\nAlso sold for a lifetime price of $700, BlackGuard is designed as a .NET-based malware that's actively under\r\ndevelopment, boasting of a number of anti-analysis, anti-debugging, and anti-evasion features that allows it to kill\r\nprocesses related to antivirus engines and bypass string-based detection.\r\nWhat's more, it checks the IP address of the infected devices by sending a request to the domain\r\n\"https://ipwhois[.]app/xml/,\" and exit itself if the country is one among the Commonwealth of Independent States\r\n(CIS).\r\nhttps://thehackernews.com/2022/04/experts-shed-light-on-blackguard.html\r\nPage 1 of 3\n\nBlackGuard's extensive functionality means it can amass information stored in browsers, such as passwords,\r\ncookies, autofill data, browsing history, 17 different cold cryptocurrency wallets, and as many as six messaging\r\napps, including Telegram, Signal, Tox, Element, Pidgin, and Discord.\r\nIn addition, the malware targets 21 crypto wallet extensions installed in Chrome and Edge browsers, and three\r\nVPN apps NordVPN, OpenVPN, and ProtonVPN, the results of which are subsequently compressed into a ZIP\r\narchive and exfiltrated to a remote server.\r\nThe findings come as Morphisec disclosed details of another infostealer family called Mars that's been observed\r\nleveraging fraudulent Google Ads for well-known software like OpenOffice to distribute the malware.\r\n\"While applications of BlackGuard are not as broad as other stealers, BlackGuard is a growing threat as it\r\ncontinues to be improved and is developing a strong reputation in the underground community,\" the researchers\r\nsaid.\r\nhttps://thehackernews.com/2022/04/experts-shed-light-on-blackguard.html\r\nPage 2 of 3\n\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content\r\nwe post.\r\nSource: https://thehackernews.com/2022/04/experts-shed-light-on-blackguard.html\r\nhttps://thehackernews.com/2022/04/experts-shed-light-on-blackguard.html\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thehackernews.com/2022/04/experts-shed-light-on-blackguard.html"
	],
	"report_names": [
		"experts-shed-light-on-blackguard.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434016,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1dc78179f3ffadf770fb4bfb32a14b4739e2a877.pdf",
		"text": "https://archive.orkl.eu/1dc78179f3ffadf770fb4bfb32a14b4739e2a877.txt",
		"img": "https://archive.orkl.eu/1dc78179f3ffadf770fb4bfb32a14b4739e2a877.jpg"
	}
}