{
	"id": "2ade8176-383f-4553-bc97-ed02e2592400",
	"created_at": "2026-04-06T01:31:42.295471Z",
	"updated_at": "2026-04-10T03:37:08.966703Z",
	"deleted_at": null,
	"sha1_hash": "3ccc4b612908cf035dbb913e3a2572026305df7d",
	"title": "BlackGuard Infostealer Malware: Dissecting the State of Exfiltrated Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 17819419,
	"plain_text": "BlackGuard Infostealer Malware: Dissecting the State of\r\nExfiltrated Data\r\nBy Authors \u0026 Contributors\r\nArchived: 2026-04-06 00:13:40 UTC\r\nOverview\r\nBlackguard Infostealer is a malware strain that was first discovered infecting Windows devices at the start of\r\n2022. Other security researchers have already documented how the malware operates and its dissemination via\r\nunderground Russian crimeware forums.1 This article aims to expand on existing research by exploring its data\r\nexfiltration capabilities in greater detail. Blackguard is designed to steal a wide range of personal data, including\r\ncredentials, cookies, messaging history, browsing history, cryptocurrency wallet information, and screenshots\r\nfrom the infected machine. By understanding what types of data attackers want, we can better understand the\r\nvalue Blackguard offers its authors and writers, and therefore how malware fits into the broader cybercrime\r\necosystem.\r\nAttackers distribute Blackguard using a variety of techniques, including drive-by downloads and phishing emails\r\ncontaining malicious attachments. Once Blackguard Infostealer has infected a victim’s device, it initiates\r\ntechniques such as system Application Programming Interface (API) hooking, Dynamic Link Library (DLL)\r\ninjection and resource hijacking to steal credentials from browsers, messenger clients, and other client-side\r\nsoftware. The stolen data is compressed and exfiltrated in the same HTTP-based communication channel that the\r\nattackers use for command and control (C\u0026C). 
The exfiltrated credentials are stored on the C\u0026C server and then\r\nused to conduct additional attacks such as credential stuffing, account creation, and online fraud.\r\nAnalysis\r\nIn our research of BlackGuard Infostealer we identified an exposed command and control (C\u0026C) administrator\r\npanel (Figure 1) and analyzed the stolen data stored within.\r\nhttps://www.f5.com/labs/articles/threat-intelligence/blackguard-infostealer-malware-dissecting-the-state-of-exfiltrated-data\r\nPage 1 of 12\n\nFigure 1. Blackguard malware administrative panel.\r\nDuring active and passive analysis of the BlackGuard C\u0026C panel, we found that the malware records\r\ngeographical information from the compromised systems, indicating that BlackGuard is used to target victims all\r\naround the world. Figure 2 highlights a snippet of exposed zipped files containing stolen data from compromised\r\nsystems showing data stolen from users in Sweden, Switzerland, the UK, and the United States.\r\nFigure 2. Data exfiltrated by Blackguard and stored in a compressed format.\r\nWe analyzed these compressed files to understand the potential storage constructs used. Since there was a risk that\r\nthese compressed files could contain malware as well, the files were decompressed into ephemeral virtual\r\nmachines and subsequently destroyed. BlackGuard Infostealer stores the stolen data in a specific layout, as\r\nhighlighted in Figure 3.\r\nFigure 3. 
Directory structure used for storing stolen data.\r\nThe rest of the article will detail each of the major types of stolen data to examine what is stolen, how it is\r\ncollected, and the impact of the theft.\r\nExfiltrating Credentials\r\nStolen credentials, obtained by malware infections or website hacks, are often used by attackers for a number of\r\npurposes. These may include:\r\n1. Being sold in the underground community as part of crimeware services to earn money and enable\r\nadditional adversaries to use the exfiltrated data.\r\n2. Using the stolen credentials to target applications using credential stuffing attacks to gain access as the\r\ncompromised users.\r\n3. Conducting online fraud by impersonating victims and purchasing gift cards or performing financial\r\ntransfers.\r\n4. Launching malware distribution attacks from the compromised accounts.\r\nFigure 4 shows the variety of credentials stolen by BlackGuard, including usernames and passwords from online\r\necommerce sites, email services, and even internal/intranet sites.\r\nFigure 4. Stolen usernames and passwords from a compromised system.\r\nThe stolen credentials are stored in a “password.txt” file on the C\u0026C server which contains the usernames,\r\npasswords, and associated URLs.\r\nSession Cookies\r\nWeb servers often use cookies to store session state; that is to say, they signal to the server that a user has already\r\nsuccessfully authenticated to the system. Stealing session cookies allows attackers to conduct session hijacking,\r\nallowing them to interact with the web server as the victim without ever having to provide credentials. 
Once that\r\nis accomplished, the attackers can inject malicious code into various web resources specific to the user account,\r\nand injected code can be distributed to large sets of users by sharing tampered resources. BlackGuard Infostealer\r\nexfiltrates web session cookies from browsers such as Google Chrome, Microsoft Edge, Mozilla Firefox, and\r\nApple’s Safari. Figure 5 shows how Blackguard Infostealer stores stolen cookies from the Chrome browser. The\r\nlog file “Cookies_Chrome2.txt” contains the session cookie details along with the session key and the associated\r\nwebsite.\r\nFigure 5. Stolen cookies and session data from a compromised system.\r\nBrowsing History\r\nA user’s web browsing history provides useful information to attackers by showing the websites a victim will visit\r\nand their browsing preferences.2 This information enables attackers to build a profile of the victim based on their\r\nbehavior which allows them to conduct additional attacks, such as spear phishing emails based on the victim’s\r\nfavorite sites. For this reason, BlackGuard steals and scrapes browser history from compromised systems. Figure\r\n6 shows one such real-world example.\r\nFigure 6. Stolen history details from the compromised system.\r\nAs you can see in Figure 6, the browsing history reveals a lot about the user's preferences. Blackguard Infostealer\r\nlogs the history data from the browser and stores the collected data in the “History.txt” file. The file also contains\r\na counter highlighting the number of times the user has visited a specific website.\r\nCapturing Screenshots\r\nBlackGuard Infostealer also captures screenshots from compromised systems at regular intervals. 
Screenshots of a\r\nuser interacting with the system are a common tactic used by attackers since they can reveal sensitive information\r\nabout the user and the present state of the system. This can result in personal information leakage, including\r\naddresses, credit card numbers, passwords, and more. One such example is presented in Figure 7 highlighting the\r\nuser’s actions and their installed applications.\r\nFigure 7. Screenshot of the desktop from a compromised system.\r\nCrypto Wallets\r\nPerhaps Blackguard Infostealer’s most immediately impactful functionality is the ability to steal information from\r\ncrypto wallets on infected systems. The malware scans the compromised system looking for crypto wallets for\r\nBitcoinCore, DashCore, Electrum, Ethereum, LitecoinCore, Exodus, and others. Before exfiltration, BlackGuard\r\nInfostealer creates a folder named “Wallets” to store the wallet information, and the complete “Wallets” folder is\r\nthen compressed into a single zip file. Figure 8 shows an example of a stolen crypto wallet account (authentication\r\ntokens) from a compromised system.\r\nFigure 8. Stolen wallet data from a compromised system.\r\nIn Figure 8, we can see that BlackGuard Infostealer stole information about an Exodus crypto wallet and a Google\r\nChrome wallet from the compromised system. Exodus provides desktop, mobile, and hardware-specific wallets\r\nthat secure and manage cryptocurrency for the user.3 BlackGuard Infostealer steals crypto information from all the\r\nactive wallets on the compromised system. 
In the example, the “passphrase.json” file was extracted from the\r\ncompromised system, which reveals the passphrase that can be used to recover the Exodus wallet. In addition, the\r\nassociated log files contain configuration-related information and other files containing transaction-specific\r\ndetails.\r\nMessaging Application Tokens and Logs\r\nBlackguard can also steal information from various messaging applications on the compromised system. Targeted\r\napplications include Telegram and Discord. The malware creates associated directories with the same name as the\r\nmessaging application to hold the stolen data and then exfiltrates this data. Figure 9 highlights the directory\r\nstructure of the stolen Discord data.\r\nFigure 9. Stolen Discord data from a compromised system.\r\nNote that the “Tokens.txt” file contains a long string of alphanumeric characters. Discord generates this token\r\nwhen the user logs into the Discord server and uses it as an authorization code which is passed by the Discord\r\nclient application to the server. BlackGuard Infostealer steals the authorization token, which is then used to log into\r\nthe victim’s Discord account. In addition, the malware acquires many other Discord files from the system,\r\nincluding logs and local application database entries. Similarly, Figure 10 shows how the Telegram messaging\r\napplication data is exfiltrated and stored on the C\u0026C server.\r\nFigure 10. Stolen Telegram data from a compromised system.\r\nConclusion\r\nBlackGuard Infostealer is a powerful crimeware tool designed to steal the widest possible variety of personal data\r\nfrom a victim’s device. 
The combination of stolen account credentials, cryptocurrency wallet information, session\r\ncookies, screenshots and messaging history indicates that the authors probably want to keep their options open in\r\nterms of monetizing the stolen data. In mid-June F5 Labs published Dor Nizar’s analysis of the Malibot Android\r\nmalware, which also had the capability to exfiltrate a wide range of data types.\r\nThese new malware strains stand in contrast to more specific forms of malware such as banking trojans, which\r\ntend to focus not just on a specific type of data, but on a specific set of banks (see, for example, the list of targets\r\nfor Qbot). This raises questions about changing dynamics in the market for stolen data and monetization options\r\nfor attackers. In the meantime, however, there can be no question that Blackguard Infostealer is not just a potent\r\ntool for cybercriminals, but also a quite versatile one. The implication is that defenders of all types need to\r\nunderstand its capabilities and how to detect it in order to manage the risk it presents.\r\nSource: https://www.f5.com/labs/articles/threat-intelligence/blackguard-infostealer-malware-dissecting-the-state-of-exfiltrated-data",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.f5.com/labs/articles/threat-intelligence/blackguard-infostealer-malware-dissecting-the-state-of-exfiltrated-data"
	],
	"report_names": [
		"blackguard-infostealer-malware-dissecting-the-state-of-exfiltrated-data"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439102,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ccc4b612908cf035dbb913e3a2572026305df7d.pdf",
		"text": "https://archive.orkl.eu/3ccc4b612908cf035dbb913e3a2572026305df7d.txt",
		"img": "https://archive.orkl.eu/3ccc4b612908cf035dbb913e3a2572026305df7d.jpg"
	}
}