{
	"id": "5dffc325-952e-4829-98c7-a6d1d3ffbf3f",
	"created_at": "2026-04-06T00:13:55.679376Z",
	"updated_at": "2026-04-10T03:28:46.939536Z",
	"deleted_at": null,
	"sha1_hash": "21c66275d3d147acf2fc80bf694f80e8be6ea502",
	"title": "Meet BlackGuard: a new infostealer peddled on Russian hacker forums",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 191114,
	"plain_text": "Meet BlackGuard: a new infostealer peddled on Russian hacker\r\nforums\r\nBy Charlie Osborne\r\nPublished: 2022-03-31 · Archived: 2026-04-05 20:35:47 UTC\r\nResearchers have uncovered a new infostealer malware being peddled in Russian underground forums.\r\nDubbed BlackGuard by Zscaler, the new malware strain is described as \"sophisticated\" and has been made available to\r\ncriminal buyers for a monthly price of $200.\r\nInfostealers are forms of malware designed to harvest valuable data, potentially including operating system\r\ninformation, contact lists, screenshots, network traffic, and online account credentials including those used to\r\naccess financial services and banking.\r\nA range of malicious software and exploit kits are sold every day underground, some of which are purchased\r\noutright. In contrast, others are offered on a malware-as-a-service (MaaS) basis: subscribers pay on a weekly,\r\nmonthly, or yearly basis, and the developer keeps their malicious creations updated in return.\r\nPerhaps to build a customer base for this malware, or to generate cash quickly, BlackGuard is also being sold for\r\n$700 in return for a lifetime subscription.\r\nImage: Zscaler\r\nAccording to the cybersecurity researchers, BlackGuard can steal information, including saved browser\r\ncredentials and history, email client data, FTP accounts, autofill content, conversations in messenger software,\r\ncryptocurrency credentials, and other account information. Messengers targeted include Telegram, Signal, Tox,\r\nElement, and Discord.\r\nWhen it comes to cryptocurrency theft, the malware will target files such as wallet.dat that may contain wallet\r\naddresses and private keys. BlackGuard may also go after Chrome and Edge cryptocurrency wallet browser\r\nextensions.\r\nWritten in .NET, the infostealer is still in active development but is already equipped with a crypto-based packer,\r\nbase64 decoding, obfuscation, and anti-debugging capabilities to make reverse-engineering more difficult.\r\nOnce it lands on a machine, the malware will also check the operating system's processes and will try\r\nto stop any activities related to antivirus software or sandboxing.\r\nThe infostealer is also selective when it comes to its targets. For example, the malware will exit if the system appears\r\nto be located in a CIS country, such as Russia, Belarus, or Azerbaijan.\r\nIf it does not exit, the infostealer grabs all of the information it can, packages it up into a .zip archive,\r\nand sends it to a command-and-control (C2) server through a POST request.\r\n\"While applications of BlackGuard are not as broad as other stealers, BlackGuard is a growing threat as it\r\ncontinues to be improved and is developing a strong reputation in the underground community,\" the researchers\r\nsay.\r\nInfostealers can be used on their own or packaged up with other forms of malware, such as Trojans or ransomware\r\nvariants.\r\nIn other malware news, researchers from Aqua Security have recently uncovered a new strain of ransomware\r\ndesigned to target Jupyter Notebook environments.\r\nPrevious and related coverage\r\nThis new ransomware targets data visualization tool Jupyter Notebook\r\nCybersecurity managers with a direct line to executive boards set the tone for investment: study\r\nGlobant admits to data breach after Lapsus$ releases source code\r\nHave a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0\r\nSource: https://www.zdnet.com/article/meet-blackguard-a-new-infostealer-peddled-on-russian-hacker-forums/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zdnet.com/article/meet-blackguard-a-new-infostealer-peddled-on-russian-hacker-forums/"
	],
	"report_names": [
		"meet-blackguard-a-new-infostealer-peddled-on-russian-hacker-forums"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434435,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21c66275d3d147acf2fc80bf694f80e8be6ea502.pdf",
		"text": "https://archive.orkl.eu/21c66275d3d147acf2fc80bf694f80e8be6ea502.txt",
		"img": "https://archive.orkl.eu/21c66275d3d147acf2fc80bf694f80e8be6ea502.jpg"
	}
}