{
	"id": "d63bc197-974b-44cb-ac3e-087b67c3406d",
	"created_at": "2026-04-06T00:06:10.781181Z",
	"updated_at": "2026-04-10T03:21:09.970368Z",
	"deleted_at": null,
	"sha1_hash": "c8bee927197086fd30efc6d2acdc025bdf6ea37c",
	"title": "Say hello to Baldr, a new stealer on the market | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2591550,
	"plain_text": "Say hello to Baldr, a new stealer on the market | Malwarebytes\r\nLabs\r\nBy Malwarebytes Labs\r\nPublished: 2019-04-08 · Archived: 2026-04-05 17:04:59 UTC\r\nBy William Tsing, Vasilios Hioureas, and Jérôme Segura\r\nOver the past few months, we have noticed increased activity and development of new stealers. Unlike many\r\nbanking Trojans that wait for the victim to log into their bank’s website, stealers typically operate in grab-and-go\r\nmode. This means that upon infection, the malware will collect all the data it needs and exfiltrate it right away.\r\nBecause such stealers are often non-resident (meaning they have no persistence mechanism) unless they are\r\ndetected at the time of the attack, victims will be none-the-wiser that they have been compromised.\r\nThis type of malware is popular among criminals and covers a greater surface than more specialized bankers. On\r\ntop of capturing browser history, stored passwords, and cookies, stealers will also look for files that may contain\r\nvaluable data.\r\nIn this blog post, we will review the Baldr stealer which first appeared in underground forums in January 2019,\r\nand was later seen in the wild by Microsoft in February.\r\nBaldr on the market\r\nBaldr is likely the work of three threat actors: Agressor for distribution, Overdot for sales and promotion, and\r\nLordOdin for development. 
Appearing first in January, Baldr quickly generated many positive reviews on most of\r\nthe popular clearnet Russian hacking forums.\r\nPreviously associated with the Arkei stealer (seen below), Overdot posts a majority of advertisements across\r\nmultiple message boards, provides customer service via Jabber, and addresses buyer complaints in the reputational\r\nsystem used by several boards.\r\nhttps://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/\r\nPage 1 of 14\n\nOf interest is a forum post referencing Overdot’s previous work with Arkei, where he claims that the developers\r\nof both Baldr and Arkei are in contact and collaborate on occasion.\r\nUnlike most products posted on clearnet boards, Baldr has a reputation for reliability, and it also offers relatively\r\ngood communication with the team behind it.\r\nLordOdin, also known as BaldrOdin, keeps a significantly lower profile in connection with Baldr, but monitors\r\nand likes posts surrounding it.\r\nHe primarily posts to differentiate Baldr from competitor products like Azorult, and vouches that Baldr is not\r\nsimply a reskin of Arkei:\r\nAgressor/Agri_MAN is the final player appearing in Baldr’s distribution:\r\nAgri_MAN has a history of selling traffic on Russian hacking forums dating back roughly to 2011. In contrast to\r\nLordOdin and Overdot, he has a more checkered reputation, showing up on a blacklist for chargebacks, as well as\r\ngetting called out for using sock puppet accounts to generate good reviews.\r\nUsing the alternate account Agressor, he currently maintains an automated shop to generate Baldr builds\r\nat service-shop[.]ml. 
Interestingly, Overdot makes reference to an automated installation bot that is not connected\r\nto them, and is generating complaints from customers:\r\nThis may indicate Agressor is an affiliate and not directly associated with Baldr development. At press time,\r\nOverdot and LordOdin appear to be the primary threat actors managing Baldr.\r\nDistribution\r\nIn our analysis of Baldr, we collected a few different versions, indicating that the malware has short development\r\ncycles. The latest version analyzed for this post is version 2.2, announced March 20:\r\nWe captured Baldr via different distribution chains. One of the primary vectors is the use of Trojanized\r\napplications disguised as cracks or hack tools. For example, we saw a video posted to YouTube offering a program\r\nto generate free Bitcoins, but it was in fact the Baldr stealer in disguise.\r\nWe also caught Baldr via a drive-by campaign involving the Fallout exploit kit:\r\nTechnical analysis (Baldr 2.2)\r\nBaldr’s high-level functionality is relatively straightforward, providing a small set of malicious abilities in the\r\nversion analyzed here. There is nothing groundbreaking as far as what it’s trying to do on the user’s computer;\r\nhowever, where this threat differentiates itself is in its extremely complicated implementation of that logic.\r\nTypically, it is quite apparent when malware is thrown together for a quick buck vs. when it is skillfully crafted\r\nfor a long-running campaign. Baldr sits firmly in the latter category—it is not the work of a script kiddie. 
Whether\r\nwe are talking about its packer usage, payload code structure, or even its backend C2 and distribution, it’s clear\r\nBaldr’s authors spent a lot of time developing this particular threat.\r\nFunctionality overview\r\nBaldr’s main functionality can be broken down into five steps, which are completed in chronological order.\r\nStep 1: User profiling\r\nBaldr starts off by gathering a list of user profiling data. Everything from the user account name to disk space and\r\nOS type is enumerated for exfiltration.\r\nStep 2: Sensitive data exfiltration\r\nNext, Baldr begins cycling through all files and folders within key locations of the victim computer. Specifically,\r\nit looks in the user AppData and temp folders for information related to sensitive data. Below is a list of key\r\nlocations and application data it searches:\r\nAppData\\Local\\Google\\Chrome\\User Data\\Default AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data AppDataLo\r\nMany of these data files range from simple sqlite databases to other types of custom formats. The authors have a\r\ndetailed knowledge of these target formats, as only the key data from these files is extracted and loaded into a\r\nseries of arrays. After all the targeted data has been parsed and prepared, the malware continues on to its next\r\nfunctionality set.\r\nStep 3: ShotGun file grabbing\r\nDOC, DOCX, LOG, and TXT files are the targets in this stage. Baldr begins in the Documents and Desktop\r\ndirectories and recursively iterates all subdirectories. 
When it comes across a file with any of the above\r\nextensions, it simply grabs the entire file’s contents.\r\nStep 4: ScreenCap\r\nIn this last data-gathering step, Baldr gives the controller the option of grabbing a screenshot of the user’s\r\ncomputer.\r\nStep 5: Network exfiltration\r\nAfter all of this data has been loaded into organized and categorized arrays/lists, Baldr flattens the arrays and\r\nprepares them for sending through the network.\r\nOne interesting note is that there is no attempt to make the data transfer more inconspicuous. In our analysis\r\nmachine, we purposely provided an extreme number of files for Baldr to grab, wondering if the malware would\r\nslowly exfiltrate this large amount of data, or if it would just blast it back to the C2.\r\nThe result was one large and obvious network transfer. The malware does not have built-in functionality to remain\r\nresident on the victim’s machine. It has already harvested the data it desires and does not care to re-infect the same\r\nmachine. In addition, there is no spreading mechanism in the code, so in a corporate environment, each employee\r\nwould need to be manually targeted with a unique attempt.\r\nPacker code level analysis\r\nWe will begin with the payload obfuscation and packer usage. This version of Baldr starts off as an AutoIt script\r\nbuilt into an exe. Using a freely available AutoIt decompiler, we got to the first stage of the packer below.\r\nAs you can see, this code is heavily obfuscated. The first two functions are the main workhorse of that\r\nobfuscation. What is going on here is simply a reordering of the provided string, according to the indexes passed in\r\nas the second parameter. 
This, however, does not pose much of a problem as we can easily extract the strings\r\ngenerated by simply modifying this script to ConsoleWrite out the deobfuscated strings before returning:\r\nThe resulting strings extracted are below:\r\nExecute BinaryToString @TempDir @SystemDir @SW_HIDE @StartupDir @ScriptDir @OSVersion @HomeDrive @CR\r\nIn addition to these obvious function calls, we also have a number of binary blobs which get deobfuscated. We\r\nhave included only a limited set of these strings so as not to overload this analysis with long sets of data.\r\nWe can see that it is pulling and decrypting a resource DLL from within the main executable, which will be loaded\r\ninto memory. This makes sense after analyzing a previous version of Baldr that did not use AutoIt as its first stage.\r\nThe prior versions of Baldr required a secondary file named Dulciana. So, instead of using AutoIt, the previous\r\nversions used this file containing the encrypted bytes of the same DLL we see here:\r\nMoving forward to stage two, all things essentially remain equal throughout all versions of the Baldr packer. We\r\nhave the DLL loaded into memory, which creates a child process of the main Baldr executable in a suspended\r\nstate and proceeds to hollow this process, eventually replacing it with the main .NET payload. This makes\r\nmanually unpacking with OllyDbg nice because after we break on the child Baldr.exe load, we can step through the\r\nremaining code of the parent, which writes to process memory and eventually calls ResumeThread().\r\nAs you can see, once the child process is loaded, the functions that it has set up to call contain VirtualAlloc,\r\nWriteProcessMemory, and ResumeThread, which gives us an idea what to look out for. 
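The suspended-child, WriteProcessMemory, ResumeThread sequence just described is also what a detection engineer would key on. As an added example that is not part of the original post, the Python below walks a sandbox-style API trace and reports any child created with CREATE_SUSPENDED that received WriteProcessMemory before its ResumeThread, noting whether the child image equals the parent image (the self-hollowing Baldr performs). The trace records are constructed, and their layout (pid, image, api, args, with the target pid carried in hProcessPid/hThreadPid) is an assumption, not the format of any real sandbox.

```python
# Added example (not from the Malwarebytes post): flag the suspended-child ->
# WriteProcessMemory -> ResumeThread pattern used by the Baldr packer, from a
# sandbox-style API trace. Trace records are constructed; the record schema
# ('pid', 'image', 'api', 'args') is an assumption, not any real sandbox format.

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit from the Win32 CreateProcess API

BALDR_EXE = 'C:/Users/victim/Downloads/btc_generator.exe'   # constructed path

# Constructed trace, one record per API call in the order it was observed.
# Process 1000 spawns its own image suspended, writes ~300 KB into the child,
# then resumes it. Process 2000 (explorer) spawns notepad normally and never
# touches the child memory, so it must not be reported.
TRACE = [
    {'pid': 1000, 'image': BALDR_EXE, 'api': 'CreateProcessW',
     'args': {'lpApplicationName': BALDR_EXE, 'dwCreationFlags': 0x4, 'dwProcessId': 1010}},
    {'pid': 1000, 'image': BALDR_EXE, 'api': 'VirtualAllocEx',
     'args': {'hProcessPid': 1010, 'dwSize': 0x4A000}},
    {'pid': 1000, 'image': BALDR_EXE, 'api': 'WriteProcessMemory',
     'args': {'hProcessPid': 1010, 'nSize': 0x4A000}},
    {'pid': 1000, 'image': BALDR_EXE, 'api': 'ResumeThread',
     'args': {'hThreadPid': 1010}},
    {'pid': 2000, 'image': 'C:/Windows/explorer.exe', 'api': 'CreateProcessW',
     'args': {'lpApplicationName': 'C:/Windows/notepad.exe', 'dwCreationFlags': 0x0,
              'dwProcessId': 2010}},
    {'pid': 2000, 'image': 'C:/Windows/explorer.exe', 'api': 'ResumeThread',
     'args': {'hThreadPid': 2010}},
]


def find_hollowing(trace):
    '''Return one finding per suspended child that received WriteProcessMemory
    before its ResumeThread. Event order matters: a write that happens after
    the resume is ordinary injection, not hollowing, and is not reported.'''
    suspended = {}   # child pid -> state collected so far
    findings = []
    for rec in trace:
        api, args = rec['api'], rec['args']
        if api in ('CreateProcessW', 'CreateProcessA') and \
                args.get('dwCreationFlags', 0) & CREATE_SUSPENDED:
            suspended[args['dwProcessId']] = {
                'parent_pid': rec['pid'],
                'child_pid': args['dwProcessId'],
                # Baldr spawns a copy of itself, so parent and child images match
                'self_hollow': args.get('lpApplicationName') == rec['image'],
                'alloc_bytes': 0,
                'bytes_written': 0,
            }
        elif api == 'VirtualAllocEx' and args.get('hProcessPid') in suspended:
            suspended[args['hProcessPid']]['alloc_bytes'] += args.get('dwSize', 0)
        elif api == 'WriteProcessMemory' and args.get('hProcessPid') in suspended:
            suspended[args['hProcessPid']]['bytes_written'] += args.get('nSize', 0)
        elif api == 'ResumeThread' and args.get('hThreadPid') in suspended:
            state = suspended.pop(args['hThreadPid'])
            if state['bytes_written'] > 0:
                findings.append(state)
    return findings


if __name__ == '__main__':
    for finding in find_hollowing(TRACE):
        print(finding)
```

The same state machine is what you would want in an EDR rule: the interesting signal is not any one call but the order (suspended create, remote write, resume) on the same child pid; the bytes_written figure is a useful severity hint, since a whole .NET payload is far larger than a typical hook stub.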
If we dump this written\r\nmemory right before ResumeThread is called, we can then easily extract the main payload.\r\nOur colleague @hasherezade has made this step-by-step video of unpacking Baldr:\r\nPayload code analysis\r\nNow that we have unpacked the payload, we can see the actual malicious functionality. However, this is where our\r\ntroubles began. For the most part, malware written in a managed or interpreted language is a relief for a reverse engineer as\r\nfar as ease of analysis goes. Baldr, on the other hand, managed to make the debugging and analysis of its source\r\ncode a difficult task, despite being written in C#.\r\nThe code base of this malware is not straightforward. All functionality is heavily abstracted, encapsulated in\r\nwrapper functions, and utilizes a large number of utility classes. Going through this code base of around 80 separate classes\r\nand modules, it is not easy to see where the key functionality lies. Multiple static passes over the code base are\r\nnecessary to begin making sense of it all. Add in the fact that the function names have been mangled and junk\r\ninstructions are inserted throughout the code, and the next step would be to start debugging the exe with dnSpy.\r\nNow we get to our next problem: threads. Every minute action that this malware performs is executed through a\r\nseparate thread. This was obviously done to complicate the life of the analyst. It would be accurate to say that\r\nthere are over 100 unique functions being called inside of threads throughout the code base. 
This does not include\r\nthe threads being called recursively, which could become thousands.\r\nLuckily, we can view local data as it is being written, and eventually we are able to locate the key sections of\r\ncode:\r\nThe function pictured above gathers the user’s profile, as mentioned previously. This includes the CPU type,\r\ncomputer name, user accounts, and OS.\r\nAfter the entire process is complete, it flattens the arrays storing this data, resulting in a string like this:\r\nThe next section of code shows one of the many enumerator classes used to cycle directories, looking for\r\napplication data, such as stored user accounts, which we purposely saved for testing.\r\nThe data retrieved was saved into lists in the format below:\r\nIn the final stage of data collection, we have the threads below, which cycle the key directories looking for txt and\r\ndoc files. It will save the filename of each txt or doc it finds, and store the file’s contents in various arrays.\r\nFinally, before we proceed to the network segment of the malware, we have the code section performing the\r\nscreen captures:\r\nClass 2d10104b function 1b0b685() is one of the main modules that branches out to do the majority of the\r\nfunctionality, such as looping through directories. Once all data has been gathered, the threads converge and the\r\nremaining lines of code continue single threaded. It is then that the network calls begin and all the data is sent\r\nback to the C2.\r\nThe zipped data is encrypted via XOR with a 4-byte key and version number obtained from contacting the C2 via\r\na first network request. 
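The two-request exchange (a first request that returns the 4-byte key and version, then a second request carrying the XOR-encrypted zip) is simple enough that an analyst can both classify the beacon and strip the encryption from a captured body. As an added example that is not part of the original post, the Python below does both: parse_beacon() decodes a first-request query string shaped after the network trace in the IOC section, and decrypt_payload() recovers the 4-byte key from the second request body by a known-plaintext trick (the plaintext is a zip, so its first four bytes are the PK header) and then unpacks the archive. The beacon string and the sample payload are constructed; the hwid is a placeholder, and the assumption that the 4-byte key repeats across the whole body is ours, not a claim the post makes.

```python
# Added example (not from the Malwarebytes post): classify the first C2 request
# from its query string and undo the 4-byte XOR on the second request body by
# recovering the key from the zip magic. Beacon string and payload are
# constructed; the repeating-key model is an assumption.
import io
import zipfile
from urllib.parse import parse_qs

ZIP_MAGIC = bytes([0x50, 0x4B, 0x03, 0x04])   # 'PK' 03 04, the zip local file header

# Constructed first-request query string, shaped after the IOC-section network
# trace; the hwid value is a placeholder, not a real hardware id.
SAMPLE_BEACON = ('hwid=00112233445566778899aabbccddeeff&os=Windows%207%20x64&file=0&cookie=0'
                 '&pswd=0&credit=0&autofill=0&wallets=0&id=BALDR')


def parse_beacon(query):
    '''Decode the first-request query string into a flat dict (one value per key).'''
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def is_baldr_beacon(fields):
    '''Cheap predicate a proxy-log filter could apply to outbound requests.'''
    return fields.get('id') == 'BALDR' and 'hwid' in fields and 'os' in fields


def xor_repeating(data, key):
    '''Repeating-key XOR; symmetric, so one function encrypts and decrypts.'''
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext):
    '''Known plaintext: the body is a zip, so its first four bytes are fixed.
    XOR them with the first four ciphertext bytes and the 4-byte key falls out.'''
    if len(ciphertext) < len(ZIP_MAGIC):
        raise ValueError('ciphertext shorter than a zip header')
    return bytes(c ^ m for c, m in zip(ciphertext[:4], ZIP_MAGIC))


def decrypt_payload(ciphertext):
    '''Return (key, {member name: bytes}); raise if the key model does not fit.'''
    key = recover_key(ciphertext)
    plain = xor_repeating(ciphertext, key)
    # The first 4 bytes match by construction; the central directory at the
    # end of the file only parses if the key really repeats with period 4.
    if not zipfile.is_zipfile(io.BytesIO(plain)):
        raise ValueError('body is not a zip after XOR; the repeating-key model is wrong')
    with zipfile.ZipFile(io.BytesIO(plain)) as zf:
        return key, {name: zf.read(name) for name in zf.namelist()}


def build_sample_payload(key):
    '''Constructed stand-in for the second request body: zip a few made-up
    items and XOR them the way the stealer would. No real victim data.'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('profile.txt', 'user=victim;os=Windows 7 x64;cpu=constructed')
        zf.writestr('Desktop/notes.txt', 'constructed sample text, not real victim data')
    return xor_repeating(buf.getvalue(), key)


if __name__ == '__main__':
    fields = parse_beacon(SAMPLE_BEACON)
    print('beacon flagged:', is_baldr_beacon(fields), '| os:', fields['os'])
    body = build_sample_payload(bytes([0xDE, 0xAD, 0xBE, 0xEF]))
    key, members = decrypt_payload(body)
    print('recovered key:', key.hex(), '| members:', sorted(members))
```

Two practical points follow from this. First, because the key is handed out by the C2 on the first request, an analyst who has only the second request in a pcap does not need it: a zip starts with a fixed header, so the key is recoverable from the ciphertext alone. Second, the is_zipfile check is the real test of the model; if the stealer applied the key in some other order (per 32-bit word, or with the version number mixed in), the first four bytes would still decode by construction but the end-of-central-directory record would not, and the function raises instead of returning garbage.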
The second request sends the ciphered data back to the C2.\r\nPanel\r\nLike other stealers, Baldr comes with a panel that allows the customers (criminals that buy the product) to see\r\nhigh-level stats, as well as retrieve the stolen information. Below is a panel login page:\r\nAnd here, in a screenshot posted by the threat actor on a forum, we see the inside of the panel:\r\nFinal analysis\r\nBaldr is a solid stealer that is being distributed in the wild. Its author and distributor are active in various forums\r\nto promote and defend their product against critics. During a short time span of only a few months, Baldr has gone\r\nthrough many versions, suggesting that its author is fixing bugs and interested in developing new features.\r\nBaldr will have to compete against other stealers and differentiate itself. However, the demand for such products is\r\nhigh, so we can expect to see many distributors use it as part of several campaigns.\r\nMalwarebytes users are protected against this threat, detected as Spyware.Baldr.\r\nThanks to S!Ri for additional contributions.\r\nIndicators of compromise\r\nBaldr samples\r\n5464be2fd1862f850bdb9fc5536eceafb60c49835dd112e0cd91dabef0ffcec5 -\u003e version 1.2 1cd5f152cde33906c0be3\r\nNetwork traces\r\nhwid={redacted}\u0026os=Windows%207%20x64\u0026file=0\u0026cookie=0\u0026pswd=0\u0026credit=0\u0026autofill=0\u0026wallets=0\u0026id=BALDR\u0026ve\r\nSource: https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/"
	],
	"report_names": [
		"say-hello-baldr-new-stealer-market"
	],
	"threat_actors": [],
	"ts_created_at": 1775433970,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8bee927197086fd30efc6d2acdc025bdf6ea37c.pdf",
		"text": "https://archive.orkl.eu/c8bee927197086fd30efc6d2acdc025bdf6ea37c.txt",
		"img": "https://archive.orkl.eu/c8bee927197086fd30efc6d2acdc025bdf6ea37c.jpg"
	}
}