{ "id": "98cf77c4-37ff-491d-bb3e-cfa61d2f1f6f", "created_at": "2026-04-06T00:19:55.888671Z", "updated_at": "2026-04-10T03:37:08.894554Z", "deleted_at": null, "sha1_hash": "745dfd903e36d6c8db56079523e5a459e69c0bdf", "title": "New BHUNT malware targets your crypto wallets and passwords", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3241094, "plain_text": "New BHUNT malware targets your crypto wallets and passwords\r\nBy Bill Toulas\r\nPublished: 2022-01-19 · Archived: 2026-04-05 17:05:37 UTC\r\nA novel modular crypto-wallet stealing malware dubbed 'BHUNT' has been spotted targeting cryptocurrency wallet\r\ncontents, passwords, and security phrases.\r\nThis is yet another crypto-stealer added to a large pile of malware that targets digital currency, but it is worth special\r\nattention due to its stealthiness.\r\nInfection vector\r\nThe discovery and analysis of the new BHUNT malware come from Bitdefender, who shared their findings with Bleeping\r\nComputer before publishing.\r\nhttps://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nTo evade detection and triggering security warnings, BHUNT is packed and heavily encrypted using Themida and\r\nVMProtect, two virtual machine packers that hinder reverse-engineering and analysis by researchers.\r\nThe threat actors signed the malware executable with a digital signature stolen from Piriform, the makers of CCleaner.\r\nHowever, as the malware developers copied it from an unrelated executable, it's marked as invalid due to a binary mismatch.\r\nInvalid signature on the main executable\r\nSource: Bitdefender\r\nBitdefender discovered that BHUNT is injected into explorer.exe and is likely delivered to the compromised system via\r\nKMSpico downloads, a popular utility for illegally activating Microsoft products.\r\nKMS (Key Management Services) is a Microsoft license activation system that software pirates frequently abuse to activate\r\nWindows and Office products.\r\nBleepingComputer recently reported a similar case of malicious KMSPico activators dropping cryptocurrency-wallet\r\nstealers to pirates' systems.\r\nThis malware has been detected worldwide, with its greatest concentration of infected users in India, shown in the heat map\r\nbelow.\r\nhttps://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/\r\nPage 3 of 6\n\nBHUNT victim heatmap\r\nSource: Bitdefender\r\nBHUNT modules\r\nThe main component of BHUNT is 'mscrlib.exe,' which extracts further modules that are launched on an infected system to\r\nperform different malicious behavior.\r\nBHUNT's execution flow\r\nSource: Bitdefender\r\nEach module is designed for a specific purpose ranging from stealing cryptocurrency wallets to stealing passwords. Using a\r\nmodular approach, the threat actors can customize BHUNT for different campaigns or easily add new features.\r\nThe current modules included in the BHUNT 'mscrlib.exe' executable are described below:\r\nblackjack – steals wallet file contents, encodes it with base 64, and uploads it to the C2 server\r\nchaos_crew – downloads payloads\r\ngolden7 – steals passwords from the clipboard and uploads the files to the C2 server\r\nSweet_Bonanza – steals information from browsers (Chrome, IE, Firefox, Opera, Safari)\r\nmrpropper – cleans up traces (argument files)\r\nThe targeted wallets are Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, and Litecoin.\r\nAs you can see in the code snippet below, the blackjack module is used to search for and steal cryptocurrency wallets on a\r\nuser's device and send them to a remote server under the attacker's control.\r\nhttps://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/\r\nPage 4 of 6\n\nBlackjack's stealing function\r\nSource: Bitdefender\r\nOnce the threat actor gains access to the wallet's seed or configuration file, they can use it to import the wallet on their own\r\ndevices and steal the contained cryptocurrency.\r\nAlthough BHUNT's focus is clearly financial, its information-stealing capabilities could enable its operators to gather much\r\nmore than just crypto-wallet data.\r\n\"While the malware primarily focuses on stealing information related to cryptocurrency wallets, it can also harvest\r\npasswords and cookies stored in browser caches,\" - explains Bitdefender's report.\r\n\"This might include account passwords for social media, banking, etc. that might even result in an online identity takeover.\"\r\nTo avoid being infected by BHUNT, you should simply avoid downloading pirated software, cracks, and illegitimate product\r\nactivators.\r\nAs it's been proven repeatedly, the projected financial savings from using pirated software are insignificant compared to the\r\ndamage they can cause to infected systems.\r\nhttps://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/\r\nPage 5 of 6\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/\r\nhttps://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/" ], "report_names": [ "new-bhunt-malware-targets-your-crypto-wallets-and-passwords" ], "threat_actors": [ { "id": "1a9c4f3f-2178-4c83-a9b5-d2135d90520a", "created_at": "2024-04-19T02:00:03.623733Z", "updated_at": "2026-04-10T02:00:03.615238Z", "deleted_at": null, "main_name": "BlackJack", "aliases": [], "source_name": "MISPGALAXY:BlackJack", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434795, "ts_updated_at": 1775792228, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/745dfd903e36d6c8db56079523e5a459e69c0bdf.pdf", "text": "https://archive.orkl.eu/745dfd903e36d6c8db56079523e5a459e69c0bdf.txt", "img": "https://archive.orkl.eu/745dfd903e36d6c8db56079523e5a459e69c0bdf.jpg" } }