{
	"id": "c5408fb7-4f67-4838-83d3-dd454613ae44",
	"created_at": "2026-04-06T00:11:23.874218Z",
	"updated_at": "2026-04-10T03:37:09.430453Z",
	"deleted_at": null,
	"sha1_hash": "4d5ac39e46f902fce5d48e8dd39f9d986ebc82e3",
	"title": "Analysis of BlackGuard - Info Stealer Malware | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1950446,
	"plain_text": "Analysis of BlackGuard - Info Stealer Malware | Zscaler Blog\r\nBy Mitesh Wani, Kaivalya Khursale\r\nPublished: 2022-03-30 · Archived: 2026-04-05 15:16:24 UTC\r\nIntroduction:\r\nHacking forums often double as underground marketplaces where cybercriminals buy, rent, and sell all kinds of malicious illegal products, including software, trojans, stealers, exploits, and leaked credentials. Malware-as-a-service has contributed substantially to the growth of ransomware and phishing attacks (among other attack types) in the past year, as it lowers the technical barrier to entry for criminals to carry out attacks.\r\nWhile recently perusing one of these hacking forums during regular research activities, the Zscaler ThreatLabz team came across BlackGuard, a sophisticated stealer, advertised for sale. BlackGuard is currently being sold as malware-as-a-service with a lifetime price of $700 and a monthly price of $200.\r\nBlackGuard has the capability to steal all types of information related to crypto wallets, VPNs, messengers, FTP credentials, saved browser credentials, and email clients.\r\nIn this blog, we share analysis and screenshots of the techniques this stealer uses to steal information and evade detection using obfuscation, as well as the techniques it uses for anti-debugging.\r\nFig 1. Forum thread promoting the BlackGuard stealer\r\nTechnical Analysis:\r\nBlackGuard is a .NET stealer packed with a crypto packer. It is currently in active development and has the following capabilities:\r\nAnti-Detection:\r\nhttps://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking\r\nPage 1 of 13\n\nOnce executed, it checks for and kills processes related to antivirus and sandbox products, as shown in the figure below.\r\nFig 2. BlackGuard detects antivirus processes\r\nString Obfuscation:\r\nThe stealer contains a hardcoded array of bytes which is decoded at runtime into ASCII strings, followed by base64 decoding. This allows it to bypass antivirus and string-based detection.\r\nFig 3. String decryption technique\r\nAnti-CIS:\r\nBlackGuard checks the infected device's country by sending a request to “http://ipwhois.app/xml/” and exits if the device is located in the Commonwealth of Independent States (CIS).\r\nFig 4. Whitelist CIS\r\nAnti-Debug:\r\nBlackGuard uses user32!BlockInput(), which can block all mouse and keyboard events, in order to disrupt attempts at debugging.\r\nFig 5. Anti-debugging technique\r\nStealing Function:\r\nAfter all the checks are completed, the stealer function is called, which collects information from various browsers, software, and hardcoded directories, as shown in the screenshot below.\r\nFig 6. Stealer code\r\nFig 7. Features posted on the forum\r\nBrowsers:\r\nBlackGuard steals credentials from Chrome- and Gecko-based browsers using static paths. It has the capability to steal history, passwords, autofill information, and downloads.\r\nFig 8. Browser stealing function\r\nCryptocurrency Wallets:\r\nBlackGuard also supports the stealing of wallets and other sensitive files related to crypto wallet applications. It targets sensitive data in files such as wallet.dat, which contain the address, the private key to access this address, and other data. The stealer checks for the default wallet file location in AppData and copies it to the working folder.\r\nFig 9. Crypto wallet stealing function\r\nCrypto Extensions:\r\nThis stealer also targets crypto wallet extensions installed in Chrome and Edge, using hardcoded extension IDs as shown in the figure below.\r\nFig 10. Crypto extensions stealing function\r\nC2 Exfiltration:\r\nAfter collecting the information, BlackGuard creates a .zip of all the files and sends it to the C2 server through a POST request, along with system information such as the Hardware ID and country, as shown in the figure below.\r\nFig 11. C2 Exfiltration code snippet\r\nFig 12. Traffic capture of exfiltration\r\nFig 13. Panel screenshot\r\nTargeted Applications:\r\nBrowsers:\r\nChrome, Opera, Firefox, MapleStudio, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, uCozMedia, Coowon, Liebao, QIP Surf, Orbitum, Comodo, Amigo, Torch, 360Browser, Maxthon3, K-Melon, Sputnik, Nichrome, CocCoc, Uran, Chromodo, Edge, BraveSoftware.\r\nCrypto Wallets:\r\nAtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus, LitecoinCore, Monero, Jaxx, Zcash, Solar, Zap, AtomicDEX, Binance, Frame, TokenPocket, Wasabi.\r\nCrypto Wallet Extensions:\r\nBinance, coin98, Phantom, Mobox, XinPay, Math10, MetaMask, BitApp, Guildwallet, iconx, Sollet, Slope Wallet, Starcoin, Swash, Finnie, KEPLR, Crocobit, OXYGEN, Nifty, Liquality, Auvitas wallet, Math wallet, MTV wallet, Rabet wallet, Ronin wallet, Yoroi wallet, ZilPay wallet, Exodus, Terra Station, Jaxx.\r\nEmail Clients:\r\nOutlook\r\nOther Applications:\r\nNordVPN, OpenVPN, ProtonVPN, Total Commander, FileZilla, WinSCP, Steam\r\nMessengers:\r\nTelegram, Signal, Tox, Element, Pidgin, Discord\r\nConclusion:\r\nWhile the applications of BlackGuard are not as broad as those of other stealers, BlackGuard is a growing threat as it continues to be improved and is developing a strong reputation in the underground community.\r\nTo combat BlackGuard and similar credential theft malware, we recommend that security teams inspect all traffic and use malware prevention tools that include both antivirus (for known threats) and sandboxing capabilities (for unknown threats). We also recommend training end users on the following:\r\n1. Don’t use the same password for all services, and replace passwords on a regular cadence.\r\n2. Use multi-factor authentication where applicable.\r\n3. Avoid visiting unknown sites.\r\n4. Avoid opening suspicious unknown files.\r\nIOCs:\r\nHashes:\r\nDomains:\r\nwin.mirtonewbacker.com\r\numpulumpu.ru\r\ngreenblguard.shop\r\nonetwostep.at\r\nZscaler coverage:\r\nWe have ensured coverage for the payloads seen in these attacks via advanced threat signatures as well as our advanced cloud sandbox.\r\nAdvanced Threat Protection:\r\nWin32.PWS.Blackguard\r\nAdvanced Cloud Sandbox:\r\nFig 14. Zscaler sandbox detection\r\nAbout ThreatLabz\r\nThreatLabz is the security research arm of Zscaler. This world-class team is responsible for hunting new threats and ensuring that the thousands of organizations using the global Zscaler platform are always protected. In addition to malware research and behavioral analysis, team members are involved in the research and development of new prototype modules for advanced threat protection on the Zscaler platform, and regularly conduct internal security audits to ensure that Zscaler products and infrastructure meet security compliance standards. ThreatLabz regularly publishes in-depth analyses of new and emerging threats on its portal, research.zscaler.com.\r\nSource: https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking"
	],
	"report_names": [
		"analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434283,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d5ac39e46f902fce5d48e8dd39f9d986ebc82e3.pdf",
		"text": "https://archive.orkl.eu/4d5ac39e46f902fce5d48e8dd39f9d986ebc82e3.txt",
		"img": "https://archive.orkl.eu/4d5ac39e46f902fce5d48e8dd39f9d986ebc82e3.jpg"
	}
}