{
	"id": "6a0b0b41-13d5-4494-b618-253436170c6b",
	"created_at": "2026-04-06T00:18:39.676391Z",
	"updated_at": "2026-04-10T03:28:46.922783Z",
	"deleted_at": null,
	"sha1_hash": "cb3fc66e20723267fbe98eb1dbce90e9c1773f1a",
	"title": "The History of BlackGuard Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3948126,
	"plain_text": "The History of BlackGuard Stealer\r\nBy S2W\r\nPublished: 2022-07-08 · Archived: 2026-04-05 21:13:19 UTC\r\n12 min read\r\nMay 12, 2022\r\nAuthor: Jiho Kim | S2W TALON\r\nLast modified: May 12, 2022\r\nPhoto by Ranae Smith on Unsplash\r\nhttps://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4\r\nPage 1 of 18\n\nIntroduction of BlackGuard Stealer\r\nWith the recent rapid expansion of the blockchain market, including NFTs, cybercriminals are mainly using info stealer malware to steal credentials and wallet data stored on personal PCs. In addition, since the LAPSUS$ group, which has recently carried out data breaches against large enterprises around the world, is known to have mainly used credentials stolen by info stealer malware, the risk posed by stealers has risen significantly compared to the past.\r\nInfo stealer malware is a type of malware that steals credentials and sensitive information from an infected PC; there are various stealers such as RedLine, Raccoon, and Vidar. S2W recently conducted and published an analysis of BlackGuard Stealer, which is being actively promoted on a DDW forum. In addition, as it has been confirmed that a new version is being distributed, we would like to organize and disclose the history of BlackGuard Stealer.\r\nTimeline of BlackGuard Stealer\r\nThe operator who develops and sells BlackGuard Stealer uploaded the first promotional post about BlackGuard, titled “New Stealer”, on XSS, a dark web forum, on March 21, 2021. However, the post was closed because the operator had not sent the deposit required for selling, and an additional promotional post uploaded on April 8, 2021, about a month later, was also temporarily suspended for the same reason. After that, there was no activity related to BlackGuard Stealer, but in January 2022 activity started in earnest, with the operator sending the deposit and testing the product.\r\n
The BlackGuard Stealer operator and developer had sold a loader program called RunPE before selling BlackGuard. According to the first promotional post published by the BlackGuard operator in March 2021, the initial version of BlackGuard borrowed some code from the open-source ‘StormKitty’. In addition, it was confirmed that the code of BlackGuard is similar to that of ‘44Caliber’ and ‘Echelon Stealer’. It can be seen that the BlackGuard operator initially referenced part of the code of several known info stealers, but is changing the internal structure little by little through periodic version updates.\r\nComplaints to BlackGuard Stealer Operators\r\nCurrently, BlackGuard is receiving a lot of criticism on the XSS forum where the promotional post was uploaded. The permanent version of BlackGuard is sold for $700, and one user claimed that the behavior advertised in the promotional post differed from the actual behavior. In fact, when its anti-debugging check detects a debugger, BlackGuard chooses to exit rather than bypass it. Also, there are some functions that do not work properly.\r\nMoreover, there is a vulnerability in the admin panel, and it is said that someone has already taken it over. Since then, the source of the panel has been leaked, and additional vulnerabilities are now being looked for.\r\nSince these claims were made, many users have been demanding a reasonable justification for the $700 price, and one user said 500 rubles is a reasonable price. As mentioned by users, BlackGuard actually borrowed the source code of ‘StormKitty’ and ‘44Caliber’ and the panel code of ‘Evryal Stealer’, which the operator admitted.\r\n
However, he claimed that he only borrowed some code and has rewritten it himself, continuing to assert that there is nothing wrong with it.\r\nOne user has been demanding a refund after this argument, claiming that he has been scammed.\r\nSummary of comparison\r\nThe BlackGuard versions mentioned in this report are v1.x, v2, v2.4, and v3.5. The sample released in early April 2022 appears to be a very early version of BlackGuard; the current version has not only increased the items to steal, but has also changed the C2 communication method.\r\nAs BlackGuard started specifying the exact version from v2, samples found before that version are considered v1.x. In this report, v1.x is treated as the early version of BlackGuard, but there are some differences in the items collected by early v1.x compared to late v1.x. However, since the items collected in late v1.x and v2.x are the same, late v1.x is referred to as v2.x.\r\nIn v2 and later versions, the target items to steal have changed: wallet extensions on browsers, messenger software, and some FTP credentials have been added to the targets, and ProtonVPN is completely excluded. In addition, while v1.x exfiltrated all stolen information through the Telegram Bot API, from v2.x the information is exfiltrated through a C2 URL encoded inside BlackGuard.\r\nBlackGuard v2.x and v3.5 have no significant difference in target items, but they differ in file size. This is because, when BlackGuard was updated to v3.5, the ‘SQLite.Interop.dll’ library used to collect credentials stored in browsers was included as a resource instead of being downloaded from an external server.\r\n
In addition, the XOR-ed Data Table changes for each major version.\r\nComparison of BlackGuard’s execution flow\r\nBlackGuard v1.x\r\n1. Download and run BlackGuard Stealer disguised as legitimate software\r\n2. Decode configuration data and steal sensitive information\r\n3. Anti-Debugging: check for the existence of dnSpy, a tool often used for C# malware analysis, and whether the process is currently being debugged\r\n4. Save the collected information and infected device information in the ChikenDir folder\r\n5. Compress the ChikenDir folder into a zip file\r\n6. Send the zip file via the Telegram API\r\nBlackGuard v2.x \u0026 v3.5\r\n1. Download and run BlackGuard Stealer disguised as legitimate software\r\n2. Decode configuration data and steal sensitive information\r\n3. Check the country of the infected device and whether it has already been infected with BlackGuard\r\n4. Anti-Debugging: detect whether the environment in which BlackGuard is executed is a sandbox, check for the existence of anti-virus products, and check whether the process is being debugged\r\n5. Load the SQLite.Interop.dll library used to steal credentials from browsers\r\n6. Save the collected information and infected device information in a temporarily created folder\r\n7. Compress the folder where the collected information is stored into a zip or rar file\r\n8. Send the compressed file to the C2 server using the HTTP/HTTPS protocol\r\nComparison of detailed behaviors by BlackGuard version\r\n1. Decoding Data\r\nBlackGuard Stealer contains XOR-ed data inside a specific class used for stealing credentials and sensitive information, and each version has different data or a different decoding method.\r\nBlackGuard v1.x\r\nIn BlackGuard v1.x, data is stored in string format with Gzip compression and Base64 encoding.\r\nBlackGuard v2.x \u0026 v3.5\r\nFrom BlackGuard v2, XOR and Base64 encoding are applied instead of Gzip, and all encoded data is stored in a Data Table. In the constructor of a specific class, XOR is applied to all the data, and whenever a piece of data is needed, the required number of bytes is extracted from a specific offset. Occasionally, additional Base64 decoding is performed for some strings. The same data is commonly found in each version of BlackGuard: v2.x uses Type C, and v3.5 uses Type D.\r\nAll BlackGuard versions have a Data Table containing XOR-ed strings, and it has been confirmed that parts of it are always included for each type. There are four major types of Data Tables identified so far, and it was confirmed that the Data Table type changes as the version is updated.\r\nThe following is a summary of the Data Table Type and C2 specification method for each BlackGuard sample.\r\n2. Check country \u0026 Identify infection\r\nCompared to BlackGuard v1.x, BlackGuard v2.x and v3.5 added features to check the infected device’s country and identify whether the device was already infected with BlackGuard.\r\n
If the country of the infected device matches one of the countries in the list below, execution is terminated.\r\nIn addition, BlackGuard determines whether the device is already infected by checking whether a specific folder exists on the infected device; the folder name used to identify the infection differs depending on the sample.\r\n%LOCALAPPDATA%\\YRplay.tmp\r\n%LOCALAPPDATA%\\play.tmp\r\n%LOCALAPPDATA%\\poet.nuee\r\n%LOCALAPPDATA%\\monthteam.inc\r\n%UserProfile%\\Documents\\rgeEtjhgjg.txt\r\n3. Virtualization/Sandbox Evasion\r\nIn BlackGuard v1.x, the existence of dnSpy and the debugging state were checked, but from BlackGuard v2 the Anti-Debugging check process has changed. Now, it checks whether execution is taking place in a sandbox environment and whether an anti-virus product is installed. This is done by checking whether specific libraries exist in the infected PC’s environment, and if a related library is detected, BlackGuard terminates itself. The list of libraries detected by BlackGuard is as follows.\r\n4. Utilize SQLite.Interop.dll\r\nInformation such as login accounts, cookies, and web history stored by the browser, which BlackGuard collects, is stored in the form of a SQLite database in the installation path. In the case of v1.x, after copying the database file, the accounts and cookie values in the file are extracted using the DPAPI decrypt function.\r\nHowever, from v2 it changed to a method of directly reading the database using SQLite.Interop.dll.\r\n
At this time, the method of loading SQLite.Interop.dll differs between BlackGuard v2.4 and v3.5.\r\nBlackGuard v2.4 downloaded the SQLite.Interop.dll file from an external C2 server using the WebClient.DownloadData() function, whereas in BlackGuard v3.5 the download from the C2 server was removed and the library is included as a resource that is loaded from the stealing function. It is assumed that this is to prevent detection by AV during the library download.\r\nData collection by BlackGuard version\r\n1. Changes in Target Software\r\nRed box: Removed from v2.x and v3.5 / Green box: Added in v2.x and v3.5\r\nIn BlackGuard v1.x, infected device information such as OS version, IPv4 address, and country was collected as much as possible, but in v2 and later, redundant or unnecessary data was excluded. In particular, from v2, wallet extensions on browsers and some FTP software and messengers, which were not collected in the early version of BlackGuard, have been added to the target items, and the BlackGuard version is additionally saved when collecting infected device information. In addition, stealing of ProtonVPN and Steam credentials has been completely excluded since v2, and credit card information in the browser was also excluded from the targets.\r\nThe table that organizes the changes in collected data by type according to the BlackGuard version is as follows.\r\n
The details of the items BlackGuard collects are as follows.\r\nTotal Commander data not collected due to coding error\r\nBlackGuard also collects information related to Total Commander (GHISLER) from v2 onwards, but code analysis shows that the collection is not performed successfully.\r\nAfter creating the GHISLER folder, BlackGuard tries to copy the wcx_ftp.ini file from the Total Commander installation path to the GHISLER folder. However, because the parameters of the file copy are set incorrectly, the Total Commander files are not collected. This appears to be a coding error by the BlackGuard Stealer operator, and actual testing confirmed that information related to Total Commander was not collected.\r\n2. Target Browser for Credential Collection\r\nAs the BlackGuard version was updated, credentials of the Edge browser were also added in v2.x and v3.5.\r\nIn addition, v2.x and v3.5 have been changed to collect and store cookies and passwords separately for each browser. v2 and v2.4 have different target browsers, while v2.4 and v3.5 have the same target browsers.\r\n3. Crypto Wallet\r\nCompared to BlackGuard v1.x, v2.x and v3.5 have also changed the list of crypto wallets they collect. As the version was updated, some wallets were added and Coinomi was excluded from the list.\r\n4. Wallet Extension on Browser\r\nBlackGuard v2.x and v3.5 steal wallet data files from the wallet extension installation folders of Chrome, Edge, and Edge Beta. The list of target wallet extensions collected by BlackGuard v2.x and v3.5 is the same.\r\n5. Changes in collected data\r\nBlackGuard Stealer collects infected device information and various types of credentials, stores them in a temporarily created folder, and separately stores the number of collected items. The items commonly collected regardless of the BlackGuard version are shown in the table below.\r\nCommonly Collected Items\r\nThe target items collected for each version\r\nThere are some differences in the target items collected depending on the version. Compared to v1.x, the early version of BlackGuard, v2.x and v3.5 additionally collect wallet extensions on browsers, messenger software, FTP software, IM clients, and Outlook information.\r\n
It was also confirmed that Steam-related information and ProtonVPN information are no longer collected.\r\nThe figure below compares the items collected by BlackGuard v1.x and v2.x~v3.5.\r\nRed box: Removed from v2.x \u0026 v3.5 / Green box: Modified from v2.x \u0026 v3.5 / Purple box: Modified from v2.x\r\nInformation.txt\r\nIn BlackGuard v2.x and v3.5, the BlackGuard version was added to Information.txt, while the current date, which duplicates the log date, and the screen size information, which is of relatively low importance, were removed.\r\nChanges in C2 Communication\r\nBlackGuard Stealer compresses the folder where the collected data is stored and transfers it to the C2 server. The C2 communication method differs between BlackGuard v1.x and v2 and later.\r\nBlackGuard v1.x\r\nEarly versions of BlackGuard use the Telegram Bot API to transfer the compressed file to the C2 server. When all information has been collected, the compressed file is exfiltrated via the POST method using the bot token hard-coded in BlackGuard.\r\nBlackGuard v2.4 \u0026 v3.5\r\nThe updated BlackGuard uses a hard-coded C2 URL instead of the Telegram Bot API.\r\n
The compressed folder is transferred to the C2 server through the WebClient.UploadFile() function and the POST method.\r\nThe table summarizing the C2 communication methods for each BlackGuard version is as follows.\r\nConclusion\r\nBlackGuard Stealer has been very active on the forums since its appearance in March 2021.\r\nIt is estimated that development continues and that feedback from users is reflected immediately, such as expanding the target items and deleting low-importance targets.\r\nConsidering the types of credentials collected and the fact that it has been actively distributed recently, there is a possibility that it will develop into a high-impact stealer malware such as RedLine, Vidar, Raccoon, and Ficker Stealer; in reality, however, the code is not as good as one might think and is outdated.\r\nThe operator is currently under a lot of criticism, and we will continue to monitor what the BlackGuard operator will do in the future.\r\nAppendix. A: IoCs\r\nSample Hash\r\nC2 URL\r\nAppendix. B: MITRE ATT\u0026CK MATRIX\r\nP.S. Thank you for the feedback, BlackGuard\r\nSource: https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4"
	],
	"report_names": [
		"the-history-of-blackguard-stealer-86207e72ffb4"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434719,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb3fc66e20723267fbe98eb1dbce90e9c1773f1a.pdf",
		"text": "https://archive.orkl.eu/cb3fc66e20723267fbe98eb1dbce90e9c1773f1a.txt",
		"img": "https://archive.orkl.eu/cb3fc66e20723267fbe98eb1dbce90e9c1773f1a.jpg"
	}
}