{
	"id": "b3014b17-ca04-41ab-bdfe-aaf76ac01c44",
	"created_at": "2026-04-06T00:12:19.23961Z",
	"updated_at": "2026-04-10T03:37:09.14193Z",
	"deleted_at": null,
	"sha1_hash": "3f97ebe30257d6de710b9bb00be20e0406ec6330",
	"title": "BlueFox Stealer: a newcomer designed for traffers teams",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 297876,
	"plain_text": "BlueFox Stealer: a newcomer designed for traffers teams\r\nBy Quentin Bourgue and Sekoia TDR\r\nPublished: 2022-11-02 · Archived: 2026-04-05 19:23:31 UTC\r\nThis blog post on BlueFox Stealer is an extract of the “FLINT 2022-053 – BlueFox Stealer: a newcomer designed for traffers teams” report (Sekoia.io Flash Intelligence) sent to our clients on October 20, 2022.\r\nTable of contents\r\nIntroduction\r\nThe emergence of BlueFox Stealer on forums\r\nAnother stealer designed for traffers teams\r\nA look at distamx’s business\r\nTechnical overview of BlueFox Stealer\r\nMalware sample association\r\nMalware capabilities\r\nConclusion\r\nTechnical Details \u0026 IoCs\r\nMITRE ATT\u0026CK TTPs\r\nExternal References\r\nIntroduction\r\nIn 2022, information stealers are one of the most challenging threats for both companies and individuals. Cybercriminal threat actors distribute this malware to steal sensitive information from infected hosts, which is then sold on underground marketplaces, exploited for fraud (Business Email Compromise, E-Shop, Bank, Cryptocurrency theft), or leveraged in “Big Game Hunting” operations.\r\nMalware developers take advantage of a growing demand for MaaS (Malware-as-a-Service) within the cybercrime ecosystem to sell their newly implemented or rebranded information stealers. They use various underground forums, as well as Telegram channels, to advertise, manage financial transactions, and offer technical support. Sekoia.io monitors cybercrime forums to discover emerging malware, among other threats.\r\nIn early September 2022, through our Dark Web monitoring routine, we identified a newly advertised malware dubbed BlueFox Stealer v2, sold as a MaaS. 
Based on the ads promoting it, the BlueFox developer implemented a stealer tailored to the needs of traffers teams (including wide stealing capabilities, performance, efficiency, and adaptation to the traffers context).\r\nBased on this information, Sekoia.io assesses that BlueFox Stealer could possibly be added to the malware arsenal of traffers teams, similarly to Redline, Vidar, Raccoon Stealer v2, Aurora Stealer or Erbium Stealer, and distributed at a large scale. This FLINT goes back to the emergence of BlueFox on cybercrime forums and presents a technical overview of it.\r\nhttps://blog.sekoia.io/bluefox-information-stealer-traffer-maas/\r\nPage 1 of 8\n\nThe emergence of BlueFox Stealer on forums\r\nAnother stealer designed for traffers teams\r\nBlueFox Stealer’s first version appeared on Russian-speaking underground forums (XSS, BHF and DarkNet forums) in December 2021, and it was advertised by a threat actor going by the handle distamx. The lack of interactions on its posts may suggest that the project did not work as expected, for unknown reasons.\r\nOn 2 September 2022, the user distamx published a new post announcing version 2 of BlueFox Stealer on the XSS forum. This time, the publication resulted in more activity, including technical and business inquiries, positive feedback, as well as the release and changelogs of multiple updates (versions 2.0.4 to 2.0.7) by the alleged developer.\r\nFigure 1. Changelog of the BlueFox Stealer version 2.0.7 published on the XSS forum\r\nTranslated from Russian:\r\n(…) 7. Added stats for build, which can be viewed without authorization (for traffers). (…)\r\nAmong notable changes, the malware developer added an interesting feature to the administration panel of BlueFox Stealer version 2.0.7 to allow traffers teams to operate the malware builds internally. 
Thus, traffers teams distributing BlueFox Stealer have statistics related to each traffer (also named worker) and can give them access, making the integration of BlueFox Stealer into the traffers teams’ resources easier. In other words, each traffer of the team can monitor statistics related to the distribution of their build on a non-authenticated webpage, and therefore have an assessment of the impact of their work.\r\nSekoia.io observed that efforts towards facilitating the integration of stealers into the traffers teams’ activities have become common among infostealer developers. A second example is Lumma (aka LummaC) Stealer, another emerging malware advertised on Russian-speaking forums and sold as MaaS since August 2022. On 3 October 2022, its author Shamel published an update intended for traffers teams, integrating a similar feature to display statistics by traffer.\r\nFigure 2. Changelog of LummaC published on the XSS forum\r\nTranslated from Russian:\r\nUpdate 1. Added functionality for teams 2. Added one new widget in the panel – “statistics by Workers”. (…)\r\nA look at distamx’s business\r\nThe business model adopted by distamx is a classic among MaaS operators. The BlueFox Stealer author sells the malware and the related support services for $350 per month. Based on feedback and changelogs, distamx is very responsive to bug fixes and feature requests.\r\nOn 7 October 2022, distamx closed sales of BlueFox Stealer v2, as the threat actor had gained enough clients to work with, according to their statement. We assess that the infostealer is under continuous development and that distamx’s workload is already high between malware development and customer support. 
It is therefore plausible that this will result in an increase in BlueFox activity in the near term if MaaS customers distribute it at large scale.\r\nIt is worth mentioning that distamx also advertised the malware in a Telegram channel (t[.]me/distamx_sup), similarly to what other MaaS operators were observed doing. BlueFox’s presence on Telegram resulted in scams impersonating distamx to lure potential customers. Sekoia.io already observed such scams, notably for Mars Stealer, Aurora Botnet, and Raccoon. These scams are common in the Russian-speaking cybercrime ecosystem, and analysts monitoring malware-related activities should be aware of this so as not to follow false leads when investigating threat actors.\r\nTechnical overview of BlueFox Stealer\r\nOnce an emerging malware appears on cybercrime forums, Sekoia.io analysts implement search techniques to retrieve related samples or servers, in order to produce actionable intelligence for our customers.\r\nMalware sample association\r\nA few weeks after the launch of BlueFox Stealer v2, we retrieved BlueFox-related malware samples (SHA256 hashes are available in the IoCs section). 
Here are the main technical details allowing Sekoia.io to confirm the association of these samples with BlueFox Stealer with high confidence:\r\nBlueFox Stealer v2 features, as described in their publications | Sekoia.io’s commentary\r\nUpdate 2.04 to 2.0.7 | We observed samples named BlueFox2.0.4, BlueFox2.0.5, BlueFox2.0.7 and BlueFox2.0.8.\r\n“Native x86 executable with no CRT, running .NET in memory” | The .NET sample has no dependencies.\r\n“The size is still about 165 kb.” | The stand-alone malware is 162.5KB.\r\n“Native protocol on TCP/IP in encrypted form” | The malware communicates over TCP using a custom protocol, and data is encrypted.\r\n“Collection … from Chromium, Edge and Firefox-based” | The malware accesses data from Google Chrome, Firefox and Microsoft Edge files.\r\n“Self-delete executable after sending log file.” | The analysed sample deletes itself from the infected host using the command “cmd.exe /C timeout 5 \u0026 del”.\r\n“Collect PC data” | The sample reads several Windows Registry keys to fingerprint the infected host.\r\n“… grabber to search all drives and flash drives.” | The malware enumerates physical storage devices.\r\nTable 1. Comparative table of BlueFox’s features shared by distamx and Sekoia.io’s analysis\r\nOf note, this is not an exhaustive list, but rather a selection of the most characteristic technical artifacts deemed relevant in our association process.\r\nBlueFox Stealer Malware capabilities\r\nThe BlueFox Stealer v2 capabilities advertised by distamx are those of a classic information stealer, with a focus on cryptocurrency wallets, plus file grabber and loader capabilities.\r\nHere is an overview of its capabilities:\r\nTargeting of popular browsers (Chromium and Firefox based browsers: Chrome, Edge, Opera, Mozilla, etc.) 
to steal passwords, cookies and autocompletes;\r\nTargeting of almost all desktop cryptocurrency wallets and browser extensions for cryptocurrency wallets (MetaMask, TronLink, BinanceChain, Yoroi, Coinbase, Jaxx, Ethereum, Electrum, Exodus, etc.);\r\nTargeting of password manager extensions (Bitwarden, 1Password);\r\nFile downloading and loading;\r\nFile grabbing on all disks;\r\nScreenshot capturing;\r\nSystem fingerprinting.\r\nBlueFox exfiltrates the collected data to its C2 server using socket communication via a native protocol on TCP/IP in encrypted form. The malware removes itself from the infected host using the Windows command cmd.exe /C timeout 5 \u0026 del \"$PATH\".\r\nA dynamic analysis from the Hatching Triage sandbox of a BlueFox Stealer v2 sample is available here: https://tria.ge/221015-2ckbtagec3/behavioral2.\r\nConclusion\r\nSekoia.io assesses that implementing features for monitoring traffers statistics when distributing information-stealing malware is likely to become a must-have to be a relevant player in the cybercrime ecosystem. 
Based on our observations, such capabilities are already quite common for prevalent loaders used by Pay-Per-Install services, such as SmokeLoader, PrivateLoader, and MixLoader.\r\nTo provide our customers with actionable intelligence, Sekoia.io analysts will continue to monitor BlueFox and other emerging and prevalent infostealers, and keep an eye on the evolution of newcomers.\r\nTechnical Details \u0026 IoCs\r\nBlueFox IoCs\r\nThe list of IoCs (BlueFox C2 servers and SHA256 hashes of BlueFox samples, versions 2.0.4 to 2.0.8) is available on the Sekoia.io GitHub repository.\r\nBlueFox Stealer YARA rule\r\nrule infostealer_win_bluefox {\r\n    meta:\r\n        malware = \"BlueFox\"\r\n        description = \"Find BlueFox Stealer v2 samples based on the specific strings embed in the executable fil\r\n        source = \"SEKOIA.IO\"\r\n        reference = 
\"https://blog.sekoia.io/bluefox-stealer-a-newcomer-designed-for-traffers-teams/\"\r\n        classification = \"TLP:CLEAR\"\r\n    strings:\r\n        $str01 = \"DesktopScreenshotLength\" ascii\r\n        $str02 = \"SoftwareSearchesCount\" ascii\r\n        $str03 = \"AutoCompleteLength\" ascii\r\n        $str04 = \"DesktopSizeLength\" ascii\r\n        $str05 = \"CPULength\" ascii\r\n        $str06 = \"GPUsLength\" ascii\r\n        $str07 = \"FullNameLength\" ascii\r\n        $str08 = \"Asn1NssLength\" ascii\r\n        $str09 = \"LoginLength\" ascii\r\n        $str10 = \"BrowserCount\" ascii\r\n    condition:\r\n        // MZ header (PE file) and at least 9 of the 10 field-name strings\r\n        uint16(0) == 0x5A4D and 9 of them\r\n}\r\nMITRE ATT\u0026CK TTPs for BlueFox Stealer\r\nTactic | Technique\r\nExecution | T1059.003 – Command and Scripting Interpreter: Windows Command Shell\r\nDefense Evasion | T1027 – Obfuscated Files or Information\r\nDefense Evasion | T1036 – Masquerading\r\nDefense Evasion | T1070.004 – Indicator Removal on Host: File Deletion\r\nDefense Evasion | T1140 – Deobfuscate/Decode Files or Information\r\nCredential Access | T1539 – Steal Web Session Cookie\r\nDiscovery | T1012 – Query Registry\r\nDiscovery | T1082 – System Information Discovery\r\nDiscovery | T1083 – File and Directory Discovery\r\nDiscovery | T1614 – System Location Discovery\r\nCollection | T1005 – Data from Local System\r\nCollection | T1113 – Screen Capture\r\nCollection | T1119 – Automated Collection\r\nCommand and Control | T1071.001 – Application Layer Protocol: Web Protocols\r\nCommand and Control | T1105 – Ingress Tool Transfer\r\nCommand and Control | T1571 – Non-Standard Port\r\nExfiltration | T1041 – Exfiltration Over C2 Channel\r\nExternal References\r\nhttps://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem/\r\nSource: https://blog.sekoia.io/bluefox-information-stealer-traffer-maas/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/bluefox-information-stealer-traffer-maas/"
	],
	"report_names": [
		"bluefox-information-stealer-traffer-maas"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434339,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f97ebe30257d6de710b9bb00be20e0406ec6330.pdf",
		"text": "https://archive.orkl.eu/3f97ebe30257d6de710b9bb00be20e0406ec6330.txt",
		"img": "https://archive.orkl.eu/3f97ebe30257d6de710b9bb00be20e0406ec6330.jpg"
	}
}