{
	"id": "587a570e-ed20-437a-be4b-2c9ee6981a01",
	"created_at": "2026-04-06T00:18:54.342614Z",
	"updated_at": "2026-04-10T03:19:57.506062Z",
	"deleted_at": null,
	"sha1_hash": "a0d69f50eb2859f954863ebb9ce9cec86a5c8d46",
	"title": "BloodyStealer and gaming assets for sale",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2770989,
	"plain_text": "BloodyStealer and gaming assets for sale\r\nBy Leonid Bezvershenko\r\nPublished: 2021-09-27 · Archived: 2026-04-05 21:49:57 UTC\r\nEarlier this year, we covered the threats related to gaming, and looked at the changes from 2020 and the first half\r\nof 2021 in mobile and PC games as well as various phishing schemes that capitalize on video games. Many of the\r\nthreats faced by gamers are associated with loss of personal data, and particularly, accounts with various gaming\r\nservices.\r\nThis tendency is not unique to PC or mobile games or to the gaming industry as a whole. Nevertheless, as games\r\noffer users plenty of in-game goodies and even feature their own currencies, gaming accounts are of particular\r\ninterest to cybercriminals.\r\nIn this report, we take a closer look at threats linked to loss of accounts with popular video game digital\r\ndistribution services, such as Steam and Origin. We also explore the kind of game-related data that ends up on the\r\nblack market and the prices.\r\nBackground\r\nIn March 2021, we noticed an advertisement for malware named “BloodyStealer” on a Russian-speaking\r\nunderground forum. According to the ad, BloodyStealer was a malicious stealer capable of fetching session data\r\nand passwords, and cookie exfiltration, and protected against reverse engineering and malware analysis in general.\r\nA buyer can use Telegram channels as well as traditional web panels for communication with the C\u0026C. The\r\nauthor offered potential customers to get in touch via Telegram. The price of BloodyStealer is 700 RUB (less than\r\n$10) for one month or 3000 RUB (approx. 
$40) for lifetime.\r\nThe BloodyStealer ad (Source: https://twitter.com/3xp0rtblog)\r\nThe ad highlights the following features of BloodyStealer (translated from Russian as is):\r\nGrabber for cookies, passwords, forms, bank cards from browsers\r\nStealer for all information about the PC and screenshots\r\nSteals sessions from the following clients: Bethesda, Epic Games, GOG, Origin, Steam, Telegram,\r\nVimeWorld\r\nSteals files from the desktop (.txt) and the uTorrent client\r\nCollects logs from the memory\r\nDuplicate logging protection\r\nReverse engineering protection\r\nNot functional in the CIS\r\nWhat caught our attention is BloodyStealer’s capability to fetch information related to computer games installed\r\non an infected system. BloodyStealer targets major online gaming platforms, such as Steam, Epic Games Store,\r\nhttps://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/\r\nPage 1 of 9\n\nEA Origin, etc.\r\nAt the time of our investigation, the forum thread related to BloodyStealer was publicly unavailable, but the\r\nanalysis of visible information on the forum revealed that discussions relating to BloodyStealer still continued in\r\nprivate channels. This, along with the fact that visible stealer activity had been observed since its release,\r\nsuggested that the threat actor behind BloodyStealer had decided to offer its product only to VIP members of\r\nunderground forums.\r\nKaspersky products detect the threat as Trojan-Spy.MSIL.Stealer.gen. For additional technical information about\r\nBloodyStealer (malicious techniques, YARA rules, etc.), please contact financialintel@kaspersky.com.\r\nBloodyStealer technical details\r\nAnti-analysis\r\nDuring our research, we were able to identify several anti-analysis methods that were used to complicate reverse\r\nengineering and analysis of BloodyStealer, including the usage of packers and anti-debugging techniques. 
As the\r\nstealer is sold on the underground market, every customer can protect their sample with a packer of their choice or\r\ninclude it in a multistage infection chain. We had been monitoring BloodyStealer since its announcement, so we\r\nwere able to notice that the majority of the BloodyStealer samples were protected with a commercial solution\r\nnamed “AgileNet”.\r\nWhile analyzing samples discovered in the wild, we found that some of them were protected not only with\r\nAgileNet but also with other, very popular, protection tools for the .NET environment, such as Confuser.\r\nVictim identification, communication with the C\u0026C and data exfiltration\r\nBloodyStealer is capable of assigning a unique identifier to every infected victim. The identifier is created by\r\nextracting data, such as the GUID and serial number (SID) of the system. This information is extracted at runtime.\r\nBesides this identification, BloodyStealer extracts the public IP address of the C\u0026C by requesting the information\r\nfrom the domain whatleaks[.]com.\r\nThe request used to get the public IP\r\nAfter assigning a UID to the victim and getting the C\u0026C IP address, BloodyStealer extracts various data from the\r\ninfected machine, creates a POST request with information about the exfiltrated data, and sends it to the malicious\r\nC\u0026C. The data itself is sent to the configured C\u0026C server later as an unprotected ZIP archive and has the\r\nstructure shown below.\r\nThe IP address configured in the infected system is used as the name of the ZIP archive.\r\nBloodyStealer as part of a multistage infection chain\r\nIn our analysis of BloodyStealer samples, we found out how various threat actors who had acquired this product\r\ndecided to use the stealer as a part of other malware execution chains, for example, KeyBase or Agent Tesla. 
The\r\ncriminals who combined the stealer component with other malware families also protected BloodyStealer with\r\nother packers, such as Themida.\r\nBloodyStealer as used alongside other malware families or hacking tools\r\nBased on the price that BloodyStealer is fetching on the underground market, we can expect that it will be used in\r\ncombination with other popular malware families.\r\nCommand and Control\r\nAs mentioned above, BloodyStealer sends all exfiltrated data to a C\u0026C server. Cybercriminals can access the data\r\nby using Telegram or via a web panel. The collected data can then be sold to other cybercriminals, who in turn\r\nwill try to monetize it.\r\nBloodyStealer C\u0026C login page (Source: https://twitter.com/3xp0rtblog)\r\nWhen a criminal is logged in to the C\u0026C web panel, they will see a basic dashboard with victim-related statistics.\r\nBloodyStealer stats dashboard (Source: https://twitter.com/3xp0rtblog)\r\nWhile pivoting through the structure used for allocating the content panel, we were able to identify the second\r\nC\u0026C server located at\r\nhxxp://gwrg23445b235245ner.mcdir[.]me/4/654/login.php\r\nBoth C\u0026C servers are placed behind Cloudflare, which hides their original IPs and provides a layer of protection\r\nagainst DDoS and web attacks.\r\nVictimology\r\nBloodyStealer is still quite new on the market when compared to other existing malware tools; however, by\r\nanalyzing available telemetry data, we have found detections of BloodyStealer in Europe, Latin America and the\r\nAPAC region. At the time of the investigation, we observed that BloodyStealer mostly affected home users.\r\nNext links in the chain: darknet markets\r\nUnfortunately, BloodyStealer is just one example of stealers targeting gamers. 
With many more in use,\r\ncybercriminals gather a significant number of game-related logs, login credentials, and other data, spurring a well-developed supply and demand chain for stolen credentials on the dark web. In this section, we will dig deeper into\r\nthe dark gaming market and look at the types of game-related items available there.\r\nOur experts, who specialize in understanding what goes on on the dark web, conducted research on the current\r\nstate of user data as a commodity on these platforms to find out what kind of personal data is in demand, what it is\r\nused for, and how much it costs. For the purposes of this report, we analyzed active offers on twelve international\r\ndarknet forums and marketplaces that use English or Russian.\r\nWholesale deals\r\nDark web sellers provide a broad variety of goods, sold both wholesale and retail. Specifically, one of the most\r\npopular wholesale products is logs.\r\nIn these examples, cybercriminals offer logs: an archive containing more than 65,000 logs for $150 and\r\npackages with 1,000 private logs for $300\r\nLogs are credentials that are needed for accessing an account. These typically take the form of saved browser\r\ncookies, information about server logins, screenshots of the desktop, etc. They are the key for accessing victims’\r\naccounts. Logs might be outdated, contain only old game sessions or even have no account-related data. That is\r\nwhy they need to be checked before use. In the chain of log sales, there are several roles.\r\nFirstly, there are people who steal logs with the help of botnets or phishing schemes. These are the operators. 
The\r\noperators might have thousands of collected logs in their clouds, but this whole data stream needs to be validated.\r\nTo process the logs, the cybercriminal needs to check whether the login and password combination is still\r\nrelevant, how many days have passed since the last password or email change (that is, whether the victim has\r\nfound out that the account was stolen) and check the balance. The fraudsters might do it on their own, but this may\r\nprove quite time-consuming with thousands of logs to go through. For this, there are log checkers: cybercriminals\r\nwho own special tools for processing logs. The software collects statistics about processed logs, and the checker\r\ngets a share of the profits: typically, 40%.\r\nIt is possible to purchase logs per unit and process them manually or purchase in bulk and process with the help of\r\nspecialized services. The average price per log is 34¢; the price per 100 logs is $17.83.\r\nThis advertiser is offering a batch of logs for $25,000 to one person but makes no mention of the volume of\r\ndata\r\nThere are also fraudsters who have websites with a large coverage, offering to place links to malware as a way of\r\ndistribution. In their ads on the darknet, these fraudsters attach traffic and download statistics to attract more\r\ncustomers.\r\nRetail options\r\nIf the cybercriminal specializes in small sales (two to ten items), then the type of goods they offer on the darknet\r\nwill include certain games, in-game items, and accounts with popular gaming platforms. Importantly, these\r\nproducts are typically offered at just 60-70% of their original price, so customers get a good deal on darknet\r\nmarkets. 
Some criminals can possess thousands of accounts and offer access to these at an enormous discount, as\r\nmany of these accounts are useless: some cost nothing, and others have already been recovered by their original\r\nowners.\r\nA person is offering thousands of usernames and passwords for various game platforms for just $4000\r\nDark web sellers offer stolen accounts, the important selection criteria being the number of games available in the\r\naccount and how long ago the account was created. Games and add-ons are not cheap, and this is where\r\ncybercriminals enter the fray, offering the same popular games at significantly lower prices. In addition to Steam,\r\naccounts on gaming platforms, such as Origin, Ubisoft Store, GOG, Battle.net, also get stolen and resold.\r\nA seller is offering in-game items. The original price is $20.5, but customers can get these illegally for $16.45.\r\nIn addition to certain games and accounts, cybercriminals also sell rare equipment from a wide range of games\r\nat a discount of 30-40% off the original price. This is possible if the Steam account that owns the items has no\r\nrestrictions on sending gifts to other players, e.g., no email confirmation requirement.\r\nSome cybercriminals also sell so-called “Steam balance”. Depending on the origin, Steam balance can be “white”\r\nor “black”. White means sold from the seller’s own account. A player could get tired of the game and decide to\r\nsell their account, along with all associated in-game goodies, offering it on the black market, as Valve does not\r\napprove this kind of deal. Accounts like that can be used for illegal activity, such as fraud or money laundering as\r\nthey do not – yet – look suspicious to Steam. 
Black balance means that the Steam accounts were obtained\r\nillegally, e.g., through phishing, social engineering or other cybercriminal techniques. Cybercriminals do their best\r\nto withdraw money by buying Steam cards, in-game items, gifts, etc., before the original owners retake control of\r\ntheir property with the help of the support service.\r\nA person is outlining a scheme for stealing accounts with the help of PUBG phishing pages\r\nBesides buying goods, darknet forum visitors can also purchase access to phishing instruments, which is a less\r\npopular offer. As you can see in the screenshot, the cybercriminal is offering a tool named “Black Mafia”.\r\nPhishing tools can even be downloaded from GitHub, after accepting the condition that these will be used for\r\neducational purposes only.\r\nA criminal can use the tool for creating a phishing link and sending it to an unsuspecting victim. This generally\r\nfollows the tried and tested flow: the victim clicks the link and inputs their credentials, which then end up in the\r\nhands of the fraudsters.\r\nConclusion\r\nThis overview demonstrates the structure of the game log and login stealing business. With the gaming industry\r\ngrowing, we do not expect this cybercriminal activity to wane in the future – on the contrary, this is the area in\r\nwhich we are likely to see more attacks as tools for targeting gamers continue to develop. BloodyStealer is a prime\r\nexample of an advanced tool used by cybercriminals to penetrate the gaming market. With its efficient anti-detection techniques and attractive pricing, it is sure to be seen in combination with other malware families soon.\r\nFurthermore, with its interesting capabilities, such as extraction of browser passwords, cookies, and environment\r\ninformation as well as grabbing information related to online gaming platforms, BloodyStealer provides value in\r\nterms of data that can be stolen from gamers and later sold on the darknet. 
The overview of game-related goods\r\nsold on the darknet forums, too, confirms that this is a lucrative niche for cybercriminals. With online gaming\r\nplatform accounts holding valuable in-game goods and currency, these become a juicy target. Although purchasing\r\naccounts is a gamble, as these may or may not contain goods that can be sold, cybercriminals are willing to take a\r\nbet – and are certain to find customers that are looking to save on entertainment.\r\nTo minimize the risks of losing your gaming account, follow these simple tips:\r\nWherever possible, protect your accounts with two-factor authentication. For others, comb through account\r\nsettings.\r\nA strong, reliable security solution will be a great help to you, especially if it will not slow down your\r\ncomputer while you are playing. At the same time, it will protect you from all possible cyberthreats. We\r\nrecommend Kaspersky Total Security. It works smoothly with Steam and other gaming services.\r\nIt is safer to buy games on official sites only and wait for the sales – these take place fairly often and are\r\ntypically tied to big holidays such as Halloween, Christmas, Saint Valentine’s Day, so you will not be\r\nsitting on your hands for long.\r\nTry to avoid buying the first thing that pops up. Even during Steam’s summer sale, before forking out the\r\ndough for a little-known title, at least read some reviews of it. If something is fishy, people will probably\r\nhave figured it out.\r\nBeware of phishing campaigns and unfamiliar gamers contacting you. 
It is a good idea to double-check\r\nbefore clicking website links you receive via email and the extensions of files you are about to open.\r\nTry not to click on any links to external sites from the game chat, and carefully check the address of any\r\nresource that requests you to enter your username and password: the page may be fake.\r\nSource: https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/"
	],
	"report_names": [
		"104319"
	],
	"threat_actors": [],
	"ts_created_at": 1775434734,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0d69f50eb2859f954863ebb9ce9cec86a5c8d46.pdf",
		"text": "https://archive.orkl.eu/a0d69f50eb2859f954863ebb9ce9cec86a5c8d46.txt",
		"img": "https://archive.orkl.eu/a0d69f50eb2859f954863ebb9ce9cec86a5c8d46.jpg"
	}
}