{
	"id": "0819f048-632f-4a0f-83f0-644f778efa69",
	"created_at": "2026-04-06T00:14:25.582909Z",
	"updated_at": "2026-04-10T03:37:08.762287Z",
	"deleted_at": null,
	"sha1_hash": "be65dbd825bd75b93de4703c2d99c23208923c5a",
	"title": "New BlackGuard password-stealing malware sold on hacker forums",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1521085,
	"plain_text": "New BlackGuard password-stealing malware sold on hacker forums\r\nBy Bill Toulas\r\nPublished: 2022-03-31 · Archived: 2026-04-02 11:21:36 UTC\r\nA new information-stealing malware named BlackGuard is winning the attention of the cybercrime community, now sold on numerous darknet markets and forums for a lifetime price of $700 or a subscription of $200 per month.\r\nThe stealer can snatch sensitive information from a broad range of applications, pack everything in a ZIP archive and send it to the C2 of the malware-as-a-service (MaaS) operation.\r\nThreat actors who purchased the subscription can then access the BlackGuard web panel to retrieve the stolen data logs, either exploiting them themselves or selling them to others.\r\nhttps://www.bleepingcomputer.com/news/security/new-blackguard-password-stealing-malware-sold-on-hacker-forums/\r\nPage 1 of 7\r\nBlackGuard's user panel (Zscaler)\r\nBlackGuard was spotted and analyzed by researchers at Zscaler, who have noticed a sudden spike in the popularity of the malware, especially after the abrupt shutdown of Raccoon Stealer.\r\nBleeping Computer was able to find that BlackGuard first appeared on Russian-speaking forums in January 2022, circulated privately for testing purposes.\r\nA February 2022 forum post showcasing BlackGuard's loot (KELA)\r\nExtensive stealing abilities\r\nAs with all modern information-stealers, there aren’t many apps storing or handling sensitive user data that are not in BlackGuard’s targeting scope, and the focus is heavy on cryptocurrency assets.\r\nBlackGuard will seek the presence of the following software and attempt to steal user data from them:\r\nWeb browsers: Passwords, cookies, autofill, and history from Chrome, Opera, Firefox, MapleStudio, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, uCozMedia, Coowon, liebao, QIP Surf, Orbitum, Comodo, Amigo, Torch, Comodo, 360Browser, Maxthon3, K-Melon, Sputnik, Nichrome, CocCoc, Uran, Chromodo, Edge, BraveSoftware\r\nWallet browser extensions: Binance, coin98, Phantom, Mobox, XinPay, Math10, Metamask, BitApp, Guildwallet, iconx, Sollet, Slope Wallet, Starcoin, Swash, Finnie, KEPLR, Crocobit, OXYGEN, Nifty, Liquality, Auvitas wallet, Math wallet, MTV wallet, Rabet wallet, Ronin wallet, Yoroi wallet, ZilPay wallet, Exodus, Terra Station, Jaxx\r\nCryptocurrency wallets: AtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus, LitecoinCore, Monero, Jaxx, Zcash, Solar, Zap, AtomicDEX, Binance, Frame, TokenPocket, Wassabi\r\nEmail: Outlook\r\nMessengers: Telegram, Signal, Tox, Element, Pidgin, Discord\r\nOther: NordVPN, OpenVPN, ProtonVpn, Totalcommander, Filezilla, WinSCP, Steam\r\nThe collected information is bundled in a ZIP file, also known as logs, and sent to the C2 server via a POST request, along with a system profiling report that sets a unique hardware ID for the victim and determines their location.\r\nStealing information from a range of web browsers (Zscaler)\r\nAnti-detection features\r\nBlackGuard’s evasion capabilities are still under heavy development, but some systems are already in place to help the malware escape detection and analysis.\r\nFirst, it is packed with a crypter, and all its strings are base64 obfuscated, so many anti-virus tools relying on static detection will miss it.\r\nAny AVs running on the system will be detected by the malware, which will then attempt to kill their processes and terminate their operation.\r\nThe malware also checks the victim's IP address, and if it’s running on a system in Russia or any other CIS country, it will stop and exit. This is yet another indication of the origin of the malware.\r\nList of countries excluded from attacks (Zscaler)\r\nFinally, an anti-debug feature blocks mouse and keyboard input, making it more difficult for researchers to analyze the malware.\r\nOutlook\r\nInfo-stealers are on the rise, with Redline, MarsStealer, Vidar Stealer, and AZORult currently dominating the space.\r\nThe exit of Raccoon Stealer, which was one of the biggest players, has left a gap in the cybercrime market, so other MaaS operators will try to take advantage of this development.\r\nDaria Romana Pop, a threat analyst at KELA, has shared the following insights with Bleeping Computer on the status of the info-stealers landscape:\r\n\"Given the increase in usage and exploitation of compromised accounts and data obtained by information stealers as a vector for initial access to a target, KELA has recently observed new variants being advertised on cybercrime forums, as threat actors aim at improving the malware capabilities to better avoid detection and to advance the data collection and exfiltration processes.\"\r\n\"BlackGuard stealer launched in early 2021. As cybercriminals are constantly testing the capabilities of such malicious tools, they do not shy away from demanding more quality and improvements. KELA came across several recent discussions in which users were complaining about BlackGuard not being able to properly avoid detection. As in any business, the operators promised to provide an updated version in no time.\"\r\nAuthor of BlackGuard promising to improve anti-detection scheme (KELA)\r\n\"In a different scenario, KELA identified META - a new information stealer very similar in appearance to RedLine, whose collected data is being sold on the TwoEasy botnet marketplace. The stealer was launched at the beginning of March, now sold for USD125 per month or USD1000 for unlimited use, and the operators claim that it is an improved version of RedLine.\"\r\nMETA info-stealer promoted on hacking forums (KELA)\r\nTo protect yourself from all of the circulating info-stealing malware, avoid visiting shady websites and downloading files from untrustworthy or dubious sources.\r\nFinally, use two-factor authentication, keep your OS and applications up to date, and use strong and unique passwords for all your online accounts.\r\nSource: https://www.bleepingcomputer.com/news/security/new-blackguard-password-stealing-malware-sold-on-hacker-forums/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-blackguard-password-stealing-malware-sold-on-hacker-forums/"
	],
	"report_names": [
		"new-blackguard-password-stealing-malware-sold-on-hacker-forums"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434465,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be65dbd825bd75b93de4703c2d99c23208923c5a.pdf",
		"text": "https://archive.orkl.eu/be65dbd825bd75b93de4703c2d99c23208923c5a.txt",
		"img": "https://archive.orkl.eu/be65dbd825bd75b93de4703c2d99c23208923c5a.jpg"
	}
}