{
	"id": "49caf845-7c0d-4e37-a446-c3d976ade581",
	"created_at": "2026-04-06T01:32:14.508632Z",
	"updated_at": "2026-04-10T13:12:06.691307Z",
	"deleted_at": null,
	"sha1_hash": "bb3f1b0f69efc9b24c69d1b314d18801f508900f",
	"title": "Cyble - Dissecting Blackguard Info Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2488255,
	"plain_text": "Cyble - Dissecting Blackguard Info Stealer\r\nBy cybleinc\r\nPublished: 2022-04-01 · Archived: 2026-04-06 01:00:51 UTC\r\nCyble Research Labs analyzes the Blackguard Info Stealer, a sophisticated variant of which is currently circulating in the wild.\r\nThere has been a marked increase in Threat Actors (TAs) using Info Stealers to carry out their attacks, and Cyble Research Labs has been actively tracking such threats. Info Stealers are a serious security threat: the LAPSUS$ data extortion group, which was behind one of the most significant data breaches in recent history, is also suspected of using Info Stealers to gain initial access to its victims’ networks.\r\nRecently Cyble Research Labs discovered a sample belonging to “Blackguard Stealer.” This stealer surfaced on cybercrime forums in April 2021. We came across multiple variants of this stealer in the wild, which suggests that it is in use by a large number of TAs.\r\nFigure 1: Post on a cybercrime forum\r\nhttps://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/\r\nPage 1 of 12\r\nThe stealer is written in C# and is obfuscated with Obfuscar, an open-source .NET obfuscator.\r\nThe recent sample calls Sleep() multiple times as an anti-sandbox measure (long sleeps outlast the execution time limit of automated sandboxes), performs anti-debugging checks that terminate the sample if a debugger is attached, and uses anti-forensic time stomping, which overwrites the file’s timestamps so that it does not stand out in a filesystem timeline during forensic analysis.\r\nFigure 2: File details of a recent variant\r\nThis stealer operates on the Malware-as-a-Service (MaaS) model, in which the developer rents the malware to other TAs, who carry out the actual attacks. 
The Blackguard stealer is sold on both monthly and lifetime subscriptions.\r\nThe TA has claimed on cybercrime forums that clipper functionality (malware that replaces cryptocurrency addresses in the clipboard with an address chosen by the TA) can be added to the Blackguard stealer on demand. This indicates that the stealer can be customized for financial theft.\r\nFigure 3: Blackguard Stealer web panel from a cybercrime forum\r\nThe TA stated that the stealer can exfiltrate the data shown in the figure below.\r\nFigure 4: Stealer functionalities\r\nTechnical Analysis\r\nUpon execution, the sample (SHA-256: 67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71) first checks for the presence of a debugger and terminates if one is found. The figure below shows the anti-debug function in the malware.\r\nFigure 5: Anti-debug check\r\nThe malware calls Sleep() several times during execution as an anti-sandbox technique. Thread.Sleep() suspends the calling thread for the specified number of milliseconds; repeated long sleeps push the malicious activity past the time limit of automated sandboxes, which then report the sample as benign. The figure below shows the Sleep() call used during initial execution.\r\nFigure 6: Sleep() function\r\nAfter the anti-debug checks, it calls the Start() method, which in turn calls the other methods seen in Figure 7. These methods carry out the data theft on the victim’s system. The malware creates a directory under “c:\\users\\[username]\\Documents” for staging the stolen data.\r\nThe directory name is generated using the format: Random String + Computer Name + . 
+ Username\r\nFigure 7: Start Method\r\nThe TA has stored a number of strings base64-encoded and gzip-compressed. Whenever such a string is needed it is passed to Decrypt.Get(), which returns the decoded plaintext at runtime, so the cleartext never appears in the binary. Figure 8 shows the Decrypt.Get() function.\r\nFigure 8: Decrypt.Get() Function\r\nThis stealer primarily targets browsers such as Chrome, Edge, and Firefox. The malware reads the files key3.db, key4.db, logins.json, and cert9.db to steal browser data such as passwords, credit cards, history, and auto-fill data. (These four files belong to Firefox profiles: logins.json holds the encrypted saved logins, key3.db/key4.db hold the key material needed to decrypt them, and cert9.db is the certificate store.) The malware creates a folder named “Browsers,” where it saves the data in separate .txt files.\r\nFigure 9: Stealing browser data\r\nUsing the GetDomainDetect() method, the malware enumerates all the .txt files in the “Browsers” folder created in the previous step, reads them, and checks whether they mention any of the domains in the list below, which includes popular crypto exchanges and major banking websites. If it finds a targeted domain, it stores the credentials related to it separately.\r\nFigure 10: Domain Detection\r\nThe malware copies the victim’s files from the USERPROFILE directory and saves them in a folder named “Files.” %USERPROFILE% resolves to the current user’s profile directory (C:\\Users\\[username]), which holds that user’s documents, desktop, and downloads.\r\nFigure 11: Stealing files\r\nThis stealer can also steal data from cold crypto wallets. A cold wallet keeps its keys offline and is therefore considered more secure, but the desktop wallet applications still keep wallet files on disk, and it is these files that the stealer copies. The wallets targeted by the stealer can be seen in Figure 12.\r\nFigure 12: Targeted cold crypto wallets\r\nAfter this, the malware identifies the user’s geolocation by sending a request to hxxps[:]//freegeoip[.]app/xml/. 
The malware saves the response to a file named “Information.txt,” together with system information, as shown in Figure 13.\r\nFigure 13: Information.txt\r\nIt then takes a screenshot of the victim’s desktop and saves it as “Screen.png” in the directory it created earlier.\r\nFigure 14: Screenshot of the system\r\nThe malware steals credentials from VPN clients such as ProtonVPN, OpenVPN, and NordVPN. It first checks whether a VPN client is installed by looking for the directory “C:\\Users\\[username]\\AppData\\Local\\[VPN name].” If it finds a targeted VPN client, it reads the credentials from its configuration files, such as user.config, and copies the configuration file to the folder used for staging stolen data.\r\nFigure 15: Stealing NordVPN credentials\r\nThe malware also steals data from Steam, a digital distribution service for video games. It locates the Steam installation path from the registry key “HKEY_LOCAL_MACHINE\\Software\\Valve\\Steam.” If Steam is installed, the malware reads Steam’s loginusers.vdf configuration file, creates a folder named “Steam,” and copies the .vdf file into it for exfiltration.\r\nFigure 16: Stealing Steam data from victim’s device\r\nAfter this, the malware checks for Discord tokens. It first searches for the following directories under the user’s application data folder:\r\nDiscord\\Local Storage\\leveldb\r\ndiscordptb\\Local Storage\\leveldb\r\nDiscord Canary\\leveldb\r\nIf it can locate these directories, it checks for files ending in .ldb or .log and extracts Discord tokens from them using a regular expression. 
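The token search described above, written out as an added Python example (not the article’s code and not the stealer’s own): it probes the three leveldb locations the article lists under a constructed, temporary AppData root, reads only .ldb and .log files, and pulls token-shaped strings out of the raw bytes with a regular expression. A defender can run the same scan against a copied profile to confirm whether a token was exposed. The segment lengths in the pattern, the sample token and the file names are assumptions, since the article does not print the regular expression the malware uses.

```python
import os
import re
import tempfile

# Token-shaped strings in Discord's LevelDB files: three base64url-style
# segments joined by dots. The segment lengths here are an assumption based
# on the commonly documented token layout; the article does not print the
# exact pattern the stealer uses.
DISCORD_TOKEN_RE = re.compile(
    r'[A-Za-z0-9_-]{24}[.][A-Za-z0-9_-]{6}[.][A-Za-z0-9_-]{25,40}')

# LevelDB locations the article says the stealer probes, relative to the
# user's application data folder.
LEVELDB_DIRS = (
    os.path.join('Discord', 'Local Storage', 'leveldb'),
    os.path.join('discordptb', 'Local Storage', 'leveldb'),
    os.path.join('Discord Canary', 'leveldb'),
)

# Constructed sample token for the demo: not a real credential.
SAMPLE_TOKEN = 'MTAxMjM0NTY3ODkwMTIzNDU2.GhIjKl.abcdefghijklmnopqrstuvwxyz0'
# Constructed .ldb content: null-byte noise around the token, since LevelDB
# files hold arbitrary binary between stored values.
SAMPLE_LDB = bytes(4) + b'token' + bytes(4) + SAMPLE_TOKEN.encode() + bytes(4)


def extract_tokens(data: bytes) -> list:
    '''Return the unique token-shaped strings found in raw .ldb/.log bytes.'''
    text = data.decode('latin-1')  # lossless one-to-one mapping for binary
    found = []
    for match in DISCORD_TOKEN_RE.finditer(text):
        token = match.group(0)
        if token not in found:
            found.append(token)
    return found


def scan_appdata(appdata: str) -> dict:
    '''Walk the candidate leveldb folders under appdata; map file path to tokens.'''
    results = {}
    for rel in LEVELDB_DIRS:
        folder = os.path.join(appdata, rel)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            # Same file filter the article describes: only .ldb and .log files
            if not name.endswith(('.ldb', '.log')):
                continue
            path = os.path.join(folder, name)
            with open(path, 'rb') as fh:
                tokens = extract_tokens(fh.read())
            if tokens:
                results[path] = tokens
    return results


def build_sample_appdata() -> str:
    '''Create a throwaway AppData-like tree (constructed test data); return its root.'''
    root = tempfile.mkdtemp(prefix='blackguard_demo_')
    leveldb = os.path.join(root, 'Discord', 'Local Storage', 'leveldb')
    os.makedirs(leveldb)
    with open(os.path.join(leveldb, '000005.ldb'), 'wb') as fh:
        fh.write(SAMPLE_LDB)
    with open(os.path.join(leveldb, '000006.log'), 'wb') as fh:
        fh.write(b'no credential here: abc.def.ghi')
    with open(os.path.join(leveldb, 'LOCK'), 'wb') as fh:
        fh.write(b'')  # wrong extension: must be skipped by the scan
    return root


if __name__ == '__main__':
    for path, tokens in scan_appdata(build_sample_appdata()).items():
        print(path, '->', tokens)
```

Run as a script it prints the single constructed hit. In an investigation, point scan_appdata() at the copied Roaming AppData folder of the affected profile; every match is a candidate token to revoke, and the list of paths doubles as a checklist of the artifacts Blackguard would have read.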
It then creates a folder named “Discord” and writes the stolen tokens to “Tokens.txt.”\r\nFigure 17: Stealing Discord tokens\r\nBlackguard can also steal data from FileZilla. It checks whether the file FileZilla\\recentservers.xml is present in the ApplicationData folder and, if so, extracts Host, Port, User, and Password from it (FileZilla stores these in plain XML; the password is at most base64-encoded unless a master password has been configured). This data is then written to “FileZilla\\FileZilla.log.”\r\nFigure 18: Stealing FileZilla data\r\nAfter this, the malware checks for the “Telegram Desktop\\tdata” directory in the ApplicationData folder. If it is present, it creates a folder named “Telegram” to hold the files copied from “Telegram Desktop\\tdata.” Because tdata contains the Telegram Desktop session, the copied data lets the TA take over the victim’s Telegram session without needing the account’s credentials.\r\nFigure 19: Stealing Telegram session\r\nThe TA in this sample uses Telegram for exfiltration. During our analysis we found the malware calling the following Telegram Bot API endpoint (bot token and chat_id elided):\r\nURL: hxxps[:]//api.telegram.org/bot/sendDocument?chat_id=\r\nThe malware compresses the stolen data before exfiltration. Figure 20 shows the folders created by the malware.\r\nFigure 20: Directories Created\r\nConclusion\r\nWe have observed and analyzed multiple samples of this Info Stealer in the wild. It appears that this particular TA is trying to make the stealer more evasive with every update, as the anti-analysis and obfuscation levels differ considerably between the oldest and most recent samples. Info Stealers are emerging as a major concern because they give TAs initial access to corporate networks. It is thus increasingly necessary to follow the basic cyber-hygiene and security practices listed below.\r\nOur Recommendations: \r\nAvoid downloading pirated software from warez/torrent websites. The “hack tools” advertised on YouTube, torrent sites, etc. commonly carry this kind of malware.
\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on automatic software updates on your computer, mobile, and other connected devices.\r\nUse a reputable anti-virus and internet security software package on your connected devices, including PCs, laptops, and mobiles.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats such as phishing and untrusted URLs.\r\nBlock URLs that could be used to spread the malware, e.g., torrent/warez sites.\r\nMonitor beaconing at the network level to block data exfiltration by malware or TAs; for this sample that means outbound traffic to api.telegram.org from hosts that have no business use for Telegram.\r\nEnable a Data Loss Prevention (DLP) solution on employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nExecution | T1204 | User Execution\r\nDefense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks\r\nDefense Evasion | T1027 | Obfuscated Files or Information\r\nCredential Access | T1555 | Credentials from Password Stores\r\nCredential Access | T1539 | Steal Web Session Cookie\r\nCredential Access | T1552 | Unsecured Credentials\r\nCredential Access | T1528 | Steal Application Access Token\r\nCollection | T1113 | Screen Capture\r\nDiscovery | T1087 | Account Discovery\r\nDiscovery | T1518 | Software Discovery\r\nDiscovery | T1057 | Process Discovery\r\nDiscovery | T1124 | System Time Discovery\r\nDiscovery | T1007 | System Service Discovery\r\nDiscovery | T1614 | System Location Discovery\r\nCommand and Control | T1095 | Non-Application Layer Protocol\r\nExfiltration | T1041 | Exfiltration Over C2 Channel\r\nIndicators of Compromise (IoCs):\r\nIndicator | Indicator type | Description\r\nef8385f6ccc6dc6aa6fa9833e13c1cf3 | MD5 | Stealer payload\r\n2fe6c0b8cef78d409d29fbd0d1260f39874b068e | SHA-1 | Stealer payload\r\n5b8d0e358948f885ad1e6fa854f637c1e30036bc217f2c7f2579a8782d472cda | SHA-256 | Stealer payload
\r\nd4e02002916f18576204a3f1722a958b | MD5 | Stealer payload\r\n33ec434ad2c31de93e758b9d53fcf211c5b13702 | SHA-1 | Stealer payload\r\n9fff9895c476bee0cba9d3e209e841873f1756d18c40afa1b364bd2d8446997c | SHA-256 | Stealer payload\r\neb6c563af372d1af92ac2b60438d076d | MD5 | Stealer payload\r\n9895725811ae5fda88629781daaa439c95a4976e | SHA-1 | Stealer payload\r\n67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71 | SHA-256 | Stealer payload (the sample analyzed above)\r\na6651dc499e0b9141a6fa0f411f885ea | MD5 | Stealer payload\r\na421e5753596d4c07ee8df06c2080c03507f7a37 | SHA-1 | Stealer payload\r\n5ce632f1f10c96a7524bf384015c25681ef4771f09a6b86883a4da309d85452a | SHA-256 | Stealer payload\r\nSource: https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/"
	],
	"report_names": [
		"dissecting-blackguard-info-stealer"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439134,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb3f1b0f69efc9b24c69d1b314d18801f508900f.pdf",
		"text": "https://archive.orkl.eu/bb3f1b0f69efc9b24c69d1b314d18801f508900f.txt",
		"img": "https://archive.orkl.eu/bb3f1b0f69efc9b24c69d1b314d18801f508900f.jpg"
	}
}