{
	"id": "996693c5-a098-4aa0-aea9-922c7bb8e27d",
	"created_at": "2026-04-06T00:18:46.839823Z",
	"updated_at": "2026-04-10T03:22:06.172584Z",
	"deleted_at": null,
	"sha1_hash": "87a9bf5aedeeb38ca539c6183848917c6eb05bb5",
	"title": "BlackGuard Stealer Targets the Gaming Community",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53856,
	"plain_text": "BlackGuard Stealer Targets the Gaming Community\r\nBy Shmuel Gihon\r\nPublished: 2022-06-19 · Archived: 2026-04-05 18:48:43 UTC\r\nTable of contents\r\nExecutive Summary\r\nPurchasing BlackGuard\r\nDelivery\r\nTechnical Analysis\r\nIOC\r\nThe author\r\nShmuel Gihon\r\nResearch Team Leader at Cyberint\r\nExecutive Summary\r\nBlackGuard is a fairly new info stealer, dating from the end of January 2022, with a Malware-as-a-Service (MaaS) business model. The malware is sold in underground forums and in a dedicated Telegram channel of the operators, named blackteam007.\r\nThe malware looks for the assets info stealers typically target: machine information, cookies and browsing sessions, credentials of various email and VPN clients, and credentials of instant messaging applications such as Telegram and Discord. Furthermore, the stealer can obtain browser-based cryptocurrency wallets such as Metamask.\r\nThe Cyberint Research Team recently discovered campaigns abusing gaming forums and Discord channels to distribute BlackGuard, along with a new data exfiltration technique using Telegram.\r\nPurchasing BlackGuard\r\nAs mentioned, BlackGuard’s team advertises their product in underground forums and in a Telegram channel (Figures 1, 2).\r\nFigure 1: BlackGuard’s Telegram channel ad\r\nhttps://cyberint.com/blog/research/blackguard-stealer/\r\nPage 1 of 3\n\nFigure 2: BlackGuard’s advertisement on an underground forum\r\nPurchases are made via the Telegram channel created by the group. The price varies between 200 and 700 USD depending on the subscription period and is paid in cryptocurrency.\r\nBlackGuard’s developers had advertised the malware on underground forums for a very short period starting in January 2021, but for an unknown reason they went silent, only to return last January.\r\nDelivery\r\nThe BlackGuard team does not provide any delivery method with the purchase of the stealer. Therefore, a threat actor purchasing the stealer needs to supply their own delivery method.\r\nIt is very common for this type of threat to be delivered through malspam campaigns containing malicious documents that download or load the BlackGuard stealer sample.\r\nIn this report, we encountered a social engineering technique in which a threat actor published a supposed patch for the popular game CounterStrike, presumably on gaming community forums or Discord channels.\r\nThe initial phase begins with a victim being lured to download and run the “patch”.\r\nTechnical Analysis\r\nInitial Infection\r\nWhen the victim downloads and executes the malicious patch, the executable creates a new directory in %APPDATA% named \"NTDYxmw5zzLIBxcMt\", a hard-coded name.\r\nOnce the directory is created, the loader creates two new executables (Figure 3) within this directory:\r\nAnimeSoftware.exe – a somewhat legitimate file that is the real patch for the CounterStrike game.\r\nNatasha.exe – the BlackGuard sample.\r\nFigure 3: The malicious patch creating the AnimeSoftware.exe and Natasha.exe files\r\nOnce both files are created, the loader executes them (Figure 4). The purpose of the first, AnimeSoftware.exe, is to make the process look “as intended”, while the second, Natasha.exe, initiates the information-stealing phase.\r\nFigure 4: The malicious patch executes both loaded files\r\nPost Infection\r\nBlackGuard focuses on valuable information such as cryptocurrency wallets and browser data, including cookies, sessions, and history. It supports browsers such as Chrome, Edge, Firefox, Opera, Brave and more.\r\nFurthermore, the stealer looks for credentials in applications such as Telegram, Discord, FileZilla, and email and VPN clients. Among the VPN clients, BlackGuard appears to target ProtonVPN, OpenVPN and NordVPN.\r\nWorking Directory\r\nBlackGuard’s working directory is also located within %APPDATA%; its name is a combination of 14 random characters, the victim’s machine name, and the machine’s username (Figure 5). The collected information is compressed into a .rar file that is later sent to the C2.\r\nFigure 5: BlackGuard’s working directory\r\nCalling Home\r\nLike other malware that seeks an anonymous and evasive C2 infrastructure, BlackGuard turned to Telegram as the ultimate solution.\r\nRecent campaigns suggest that the info stealer has evolved in the past months and now exports the stolen data to a Telegram channel, presumably provided by the operators of the MaaS.\r\nBlackGuard uses the Telegram API to make simple calls to the C2 channel: it first sends metadata using the sendDocument method (Figure 6), followed by a compressed file containing the stolen data.\r\nFigure 6: BlackGuard’s HTTP request containing metadata sent to the C2 Telegram channel\r\nIOC\r\nSHA256\r\nMalicious CounterStrike Patch:\r\nb16bb8ce89c42e0f48deb5ba2a8b5c7495c8702c7c2c5c0af7d38739f6281ebb\r\nBlackGuard Samples:\r\na0cc5f36b04eae3db5582ec2563ed77e83783765addd3460313377c6fcd1b96d\r\n5293c26f29b4af6bc2f3f74ae1ed93537e6c311a695cc0a6920a635c57383617\r\n352c936eaf45ffd2f99ba2a9e726eaa39af29d4c37a6ad5106849f07aa35896c\r\nSource: https://cyberint.com/blog/research/blackguard-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyberint.com/blog/research/blackguard-stealer/"
	],
	"report_names": [
		"blackguard-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434726,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/87a9bf5aedeeb38ca539c6183848917c6eb05bb5.pdf",
		"text": "https://archive.orkl.eu/87a9bf5aedeeb38ca539c6183848917c6eb05bb5.txt",
		"img": "https://archive.orkl.eu/87a9bf5aedeeb38ca539c6183848917c6eb05bb5.jpg"
	}
}