The History of BlackGuard Stealer
By S2W
Published: 2022-07-08 · Archived: 2026-04-05 21:13:19 UTC
12 min read
May 12, 2022
Author: Jiho Kim | S2W TALON
Last modified: May 12, 2022
Press enter or click to view image in full size
Photo by Ranae Smith on Unsplash
Introduction of BlackGuard Stealer
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 1 of 18

With the recent rapid expansion of the blockchain market including NFTs, cybercriminals are mainly using info
stealer malware to steal credentials and wallet data stored in personal PCs. In addition, as it is known that the
LAPSUS$ group, which has recently performed data breaches against large enterprises around the world, has
mainly used credentials stolen from info stealer malware, the risk to Stealer is rising significantly compared to the
past.
Info stealer malware is a type of malware that steals credentials and sensitive information from an infected PC and
there are various stealers such as RedLine, Raccoon, and Vidar. S2W recently conducted and published an analysis
of BlackGuard Stealer, which is being actively promoted in the DDW forum. In addition, as it has been confirmed
that a new version is being distributed, we would like to organize and disclose the history of BlackGuard Stealer.
Timeline of BlackGuard Stealer
The operator who develops and sells BlackGuard Stealer uploaded the first promotional post about BlackGuard
under the title “New Stealer” on XSS, a dark web forum, on March 21, 2021. However, the post was closed for
not sending a deposit for sale, and the additional promotional post uploaded on April 8, 2021, about a month later,
was also temporarily suspended for the same reason. After that, there was no activity related to the BlackGuard
Stealer, but in January 2022, the activity started in earnest by sending a deposit and testing the product. The
BlackGuard Stealer operator and developer had sold a loader program called RunPE before selling Blackguard.
According to a first promotional post published by BlackGuard operators in March 2021, the initial version of
BlackGuard had borrowed some code from open-source ‘StormKitty’. However, in addition to this, it was
confirmed that the code of BlackGuard is similar to that of ‘44Caliber’ and ‘Echelon Stealer’. It can be seen that
the BlackGuard operator initially referenced a part of the code from several known info stealers, but is changing
the internal structure little by little through periodic version updates.
Press enter or click to view image in full size
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 2 of 18

Complaints to BlackGuard Stealer Operators
Press enter or click to view image in full size
Press enter or click to view image in full size
Currently, BlackGuard is receiving a lot of criticism from the XSS forums where they uploaded a promotions post.
The permanent version of BlackGuard is sold for $700, and one user claimed that the promotional content claimed
by BlackGuard was different from the actual behavior. In fact, BlackGuard chose to exit rather than bypass after
checking anti-debugging. Also, there are some functions that do not work properly.
Moreover, there is a vulnerability in the admin panel, and it is said that someone has already taken it. Since then,
the source of the panel has been leaked and we are now looking for additional vulnerabilities.
Since these claims have been made, many users have been demanding a reasonable standard for why it is priced at
$700 and a user said 500 rubles is a reasonable price. As mentioned by users, BlackGuard actually borrowed the
source code of ‘Stormkitty’ and ‘44caliber’, the panel code of ‘Evryal Stealer’, which he admitted. However, he
claimed that he only borrowed some code, and has rewritten it himself, continuing to assert that there is nothing
wrong with it.
One user has been demanding a refund after this argument, claiming that he has been scammed.
Summary of comparison
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 3 of 18

Press enter or click to view image in full size
The BlackGuard versions mentioned in this report are v1.x, v2, v2.4, and v3.5, and the sample released in early
April 2022 seems to be a completely early version of BlackGuard, and now not only has the increased items to
steal, but the C2 communication method has also changed.
As BlackGuard started specifying the exact version from v2, samples found before that version were considered
v1.x. In particular, v1.x mentioned in this report is an early version of BlackGuard. In particular, in this report,
v1.x is treated as the early version of BlackGuard, but there are some differences in the items collected compared
to the later version of v1.x. However, since the items collected in late v1.x and v2.x are the same, v1.x is referred
to as v2.x
In the v2 and later versions, the target items to steal have changed, such as Wallet Extension on Browser,
Messenger software, and some FTP credentials have been added to the target items, and ProtonVPN is completely
excluded from the target. In addition, while all the stolen information was leaked through v1.x Telegram bot API,
from v2.x, the information is leaked through the C2 URL encoded inside the BlackGuard.
BlackGuard v2.x and v3.5 have no significant difference in the target items except for the file size. This is
because, as BlackGuard was updated to v3.5, the ‘SQLite.Interop.dll’ library, which was used to collect credentials
stored in the browsers, has included it as a resource without downloading from the external server. In addition,
there is a characteristic that the XOR-ed Data Table changes for each major version.
Comparison of BlackGuard’s execution flow
BlackGuard v1.x
1. Download and run BlackGuard Stealer disguised as legitimate software
2. Decoding configuration data and stealing sensitive information
3. Anti-Debugging
: Check the existence of DnSpy, a tool often used for C# malware analysis, and whether it is currently being
debugged
4. Save the collected information and infected device information in the ChikenDir folder
5. Compress the ChikenDir folder into a zip file
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 4 of 18

6. Send the zip file via Telegram API
BlackGuard v2.x & v3.5
1. Download and run BlackGuard Stealer disguised as legitimate software
2. Decoding configuration data and stealing sensitive information
3. Check the country of the infected device and if it has been infected with BlackGuard
4. Anti-Debugging
: Detect whether the environment in which BlackGuard is executed is a sandbox environment, checks the
existence of Anti-Virus Product, and is being debugged
5. Load the SQLite.Interop.dll library to be used to steal credentials on browsers
6. Save the collected information and infected device information in the temporarily created folder
7. Compress the folder where the collected information is stored into a zip or rar file
8. Send the zip file to the C2 server using HTTP/HTTPS protocol
Press enter or click to view image in full size
Press enter or click to view image in full size
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 5 of 18

Comparison of detailed behaviors by BlackGuard version
1. Decoding Data
BlackGuard Stealer contains XOR-ed data inside a specific class used for stealing credentials and sensitive
information, and each version has a different data or decoding method.
BlackGuard v1.x
In BlackGuard v1.x, data is stored in string format with Gzip compression and Base64 encoding.
Press enter or click to view image in full size
BlackGuard v2.x & v3.5
From BlackGuard v2, XOR and Base64 encoding are applied instead of Gzip, and all encoded data is stored in a
Data Table. In the constructor of a specific class, XOR is performed on all data, and whenever each data is used,
the required data is extracted as much as the length from a specific offset position. Occasionally, additional
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 6 of 18

Base64 decoding is performed for some strings. The same data is commonly found for each version of
BlackGuard: v2.x uses Type C, and v3.5 uses Type D.
Press enter or click to view image in full size
All BlackGuard versions have a Data Table containing XOR-ed strings, and it has been confirmed that there are
always included parts for each type. There are four major types of Data Tables identified so far, and it was
confirmed that the types of data tables change as the version is updated.
Press enter or click to view image in full size
The following is a summary of the Data Table Type and C2 specification method for each BlackGuard sample.
Press enter or click to view image in full size
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 7 of 18

2. Check country & Identify infection
Compared to BlackGuard v1.x, BlackGuard v2.x and v3.5 added features to check the infected device’s country
and identify infection with BlackGuard. If the country of the infected device matches one of the lists below, the
execution is terminated.
Press enter or click to view image in full size
In addition, by checking whether a specific folder exists in the infected device, it does if it is already infected, and
the folder name for identifying the infection appears differently depending on the sample.
%LOCALAPPDATA%\YRplay.tmp
%LOCALAPPDATA%\play.tmp
%LOCALAPPDATA%\poet.nuee
%LOCALAPPDATA%\monthteam.inc
%UserProfile%\Documents\rgeEtjhgjg.txt
3. Virtualization/Sandbox Evasion
In BlackGuard v1.x, the existence of DnSpy and current debugging were checked, but after BlackGuard v2, the
Anti-Debugging check process has changed. Now, it checks whether the execution is performed in the sandbox
environment and whether the AntiVirus Product is installed. This is done by checking whether a specific library
exists in the infected PC environment, and if a related library is detected, BlackGuard terminates itself. The list of
libraries detected by BlackGuard is as follows.
Press enter or click to view image in full size
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 8 of 18

4. Utilize SQLite.Interop.dll
Information such as login accounts, cookies, and web history stored in the browser that BlackGuard collects, is
stored in the form of SQLite Database in the installation path. In the case of v1.x, after copying the database file,
the accounts and cookie values in the file are extracted using the DPAPI Decrypt function.
However, after v2, it has changed to a method of directly reading the database by using SQLite.Interop.dll. At this
time, the method of loading SQLite.Interop.dll is different between BlackGuard v2.4 and v3.5.
BlackGuard v2.4 downloaded SQLite.Interop.dll file using WebClient.DownloadData() function from external C2
Server, whereas BlackGuard v3.5 downloads the library file from the C2 Server is removed and has included in
the resource to be used by calling in the stealing function. It is assumed that this is to prevent being detected by
AV in the process of downloading the library.
Press enter or click to view image in full size
Data collection by BlackGuard version
1. Changes in Target Software
Press enter or click to view image in full size
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 9 of 18

Red box: Removed from v2.x and v3.5 / Green box: Added in v2.x and v3.5
In BlackGuard v1.x, infected device information such as OS version, IPv4, and the country was collected as much
as possible, but in v2 and later, the redundant or unnecessary data was excluded. In particular, after v2, wallet
extension on the browser and some FTP software and Messenger, which were not collected in the early version of
BlackGuard, have been added to the target items, and BlackGuard version information is additionally saved when
collecting infected devices. In addition, stealing of ProtonVPN and Steam credentials has been completely
excluded since v2, and credit card information in the browser was also excluded from the target.
The table that organizes the collected data changed according to the BlackGuard version by type is as follows. The
table below summarizes the changes in collected data by type.
The details of the items BlackGuard collects are as follows.
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 10 of 18

Press enter or click to view image in full size
Total Commander data not collected due to coding error
BlackGuard also collects information related to Total Commander (GHISLER) from v2 onwards, but it was not
performed successfully as a result of code analysis.
After creating the GHISLER folder, BlackGuard tried to copy the wcx_ftp.ini file from the Total Commander
installation path to the GHISLER folder. However, due to incorrect code writing, the files related to Total
Commander are not collected successfully because the parameters are set incorrectly in the process of copying the
Total Commander file. This appears to be a coding error of the BlackGuard Stealer operator, and as a result of
actual testing, it was confirmed that information related to Total Commander was not normally collected.
Press enter or click to view image in full size
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 11 of 18

2. Target Browser for Credential Collection
As the BlackGuard version was updated, credentials of Edge Browser were also added in v2.x and v3.5.
Press enter or click to view image in full size
In addition, v2.x and v3.5 have been changed to separately collect and store cookies and passwords in each
browser. v2 and v2.4 have different target browsers, and v2.4 and v3.5 have the same target browser.
Press enter or click to view image in full size
Press enter or click to view image in full size
3. Crypto Wallet
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 12 of 18

Get S2W’s stories in your inbox
Join Medium for free to get updates from this writer.
Remember me for faster sign in
Compared to BlackGuard v1.x, v2.x and v3.5 have also changed the list of Crypto Wallets they collect. As the
version was updated, some wallets were added and Coinomi was excluded from the list.
Press enter or click to view image in full size
4. Wallet Extension on Browser
BlackGuard v2.x and v3.5 steal wallet data files in the wallet extension installation folder on Chrome, Edge, and
Edge Beta. The list of target wallet extensions collected by BlackGuard v2.x and v3.5 is the same.
Press enter or click to view image in full size
5. Changes in collected data
BlackGuard Stealer collects infected device information and various types of credentials, stores them in a folder
created temporarily, and separately stores the number of collected information. The items commonly collected
regardless of the BlackGuard version are shown in the table below.
Commonly Collected Items
Press enter or click to view image in full size
The target items collected for each version
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 13 of 18

There are some differences in the target items collected depending on the version. Compared to v1.x, which is the
early version of BlackGuard, in v2.x and v3.5, wallet extensions on browsers, Messenger software, FTP software,
IM client, and Outlook information are additionally collected. It was also confirmed that Steam-related
information and ProtonVPN information are no longer collected.
The figure below compares the items collected by BlackGuard v1.x and v2.x~v3.5.
Press enter or click to view image in full size
Red box: Removed from v2.x & v3.5 / Green box: Modified from v2.x & v3.5 / Purple box:
Modified from v2.x
Information.txt
In BlackGuard v2.x and v3.5, BlackGuard version information was added to Information.txt, and the current date,
which is a duplicate value with the log date, and information related to screen size, which are relatively low in
importance, were deleted.
Press enter or click to view image in full size
Changes in C2 Communication
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 14 of 18

BlackGuard Stealer compresses the folder where the collected data is stored and transfer it to the C2 Server. There
is a difference in the C2 communication method from BlackGuard v1.x and v2 and later.
BlackGuard v1.x
Early versions of BlackGuard utilize Telegram Bot API to transfer compressed files to C2 Server. When all
information is collected, the compressed file is leaked using the bot token hard-coded in the BlackGuard through
the POST method.
BlackGuard v2.4 & v3.5
The updated BlackGuard uses a hard-coded C2 URL instead of Telegram Bot API. The compressed folder is
transferred to C2 Server through WebClient.UploadFile() function and POST method.
The table summarizing the C2 communication methods for each BlackGuard version is as follows.
Press enter or click to view image in full size
Conclusion
BlackGuard Stealer has been very active on the forums since its appearance in March 2021.
It is estimated that the development continues, and the feedback from users is reflected immediately, such
as expanding the target items and deleting low-importance targets.
Considering the type of credential to be collected and the fact that it has been actively distributed recently,
it seems that there is a possibility that it will develop into a high-impact Stealer malware such as Redline,
Vidal, Raccoon, and Ficker Stealer, however, in reality the code is not as good as we think and outdated.
He is currently under a lot of criticism and we will continue to monitor what BlackGuard opeartor will do
in the future.
Press enter or click to view image in full size
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 15 of 18

Appendix. A: IoCs
Sample Hash
67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71
3d3de136d6a22e6064a306452dab72dc70493b02f8f4a505f00bf3dc59e971d3
52bd68ea60e7171ed2413cd5292b74ac9872928a1a723405fb73ad57419c5bc6
0fc2a7d0dc1a3b0ec547deae8dc296a0b139f94f7f8609c91a8f04a8f939a3e9
3c5a8e9820b549a70a353997bbce4fe16956dbab22dedde2f358f0f10930cf44
4f4d29507bafc223646d98f5fed78d52dd96caeee2072ff17b15718b45a1811f
216c960ac6ef399e7ff33b18c03777237ced76d59ce0f8bb4d5f9a22e85b3bd8
352c936eaf45ffd2f99ba2a9e726eaa39af29d4c37a6ad5106849f07aa35896c
5293c26f29b4af6bc2f3f74ae1ed93537e6c311a695cc0a6920a635c57383617
30023cfbcb45d75e461333e376fde3b053c33de84b88c64ef816c9f77e45b21f
ba2bc430c4661aab84cf7e8fedf2684e5fc106f7797af4553aef7490193b00a6
d888dafb1f2ae06311d507e5d3dfa41c851df2175e8441255e2095c09a058d0a
7976a7aa5618c833edfebdbc29853c2f433ce1095a752a177deb76d7f68188be
bbc8ac47d3051fbab328d4a8a4c1c8819707ac045ab6ac94b1997dac59be2ece
4d66b5a09f4e500e7df0794552829c925a5728ad0acd9e68ec020e138abe80ac
7f2542ed2768a8bd5f6054eaf3c5f75cb4f77c0c8e887e58b613cb43d9dd9c13
bee035da35ac47830dd70acb3346992a76afa40433e13539883d82114fa94116
b287dcb70b7a9ed7025171572a96f1447efa6adf88cd30aba591270052acfe8b
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 16 of 18

da5fdea2780ff2e36a3594283a24846c19953daf03063a875073deecc183c3ff
5b8d0e358948f885ad1e6fa854f637c1e30036bc217f2c7f2579a8782d472cda
15fc2939e2e67f1317f2e549b8214e83b8e1c493d94eeff2cf4a1cf58b94274f
18db274624914ee6388bda20233db28307be4873bc053e05ad8f6761b217136f
26ebf8a0830652c9ea0de64dc0dca6d62caffc0aaa34abf43e7c410095c502ce
76b90299713b5d4ffd3c92b2cd66b3de68148c3133f927dfa385b075fd00d5b1
62416ed5c114e347643b51879ee8a75e8a871ab7c02679402f99aaf697e9f9e8
c5c1a48c0062e113389988d4c70dbcc1a594da3b516dfe14185e622b9050b649
d3b27ba36d01a6ed5492d662c20b38569b0019c29fe065e8f810b369fba76531
5ce632f1f10c96a7524bf384015c25681ef4771f09a6b86883a4da309d85452a
918af1137f069eccc04220c280e13ed440a380aa0446cfa1d80b4e0ade6c3528
9fff9895c476bee0cba9d3e209e841873f1756d18c40afa1b364bd2d8446997c
c1237d0e517abc7cd15bb55110196247b1f6ec397c28b8b2bdfba86dc5c8805f
3f36af60743bfb923246e36bb860ff9021986c9e88c5a4176b67a4d0923125b8
f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d
31e0abc1e5c117f3c4d07b7ec1d876118d7c8830565820ad9eca3573382f49b0
c98e24c174130bba4836e08d24170866aa7128d62d3e2b25f3bc8562fdc74a66
f47db48129530cf19f3c42f0c9f38ce1915f403469483661999dc2b19e12650b
31c4edabd35f8a9d0695c96f21acd8787eec68b8028973470d64c4956d9f1cd1
3335f6aff82ff30e3aa29e0cb487be0252ab7b6cf7fcbb074c5642c1f0d7d0c0
5aa891744286c1a5d60e408b1799bf8fceaba51c75dde12d62ee1ec56941fadf
55ddb7ab485a2bf4aa65ad404ee9bbbf726ff1361e95a098d514e700ab9ffa6b
C2 URL
https[:]//api[.]telegram[.]org/bot1068601339:AAGUm6n8fS0wwbMhDzm8XXbjUYb6Vb9–64Q
https[:]//api[.]telegram[.]org/bot1625195044:AAHK-2Z52Nk0cJXJ-G7Ad1kKnmzwMberIVU
https[:]//api[.]telegram[.]org/bot1822617155:AAF5DW4sJVsYGItkXWeX3elycmmu-6nOK8g
https[:]//api[.]telegram[.]org/bot1840568117:AAGlvKQeSfXkObSE7__yYc5jM9o8qSrkFUw
https[:]//api[.]telegram[.]org/bot2113738307:AAEFFkU5zCHejtwoMag2cI5zpW4JKy8A5jI
https[:]//api[.]telegram[.]org/bot2029788337:AAH5_pYeay9X4P5MpT2OjpO_WEdpwJdVhb4
https[:]//api[.]telegram[.]org/bot2088622057:AAHBeaoCOwatBAei8rEaCpsgBnxT3LGE5eM
https[:]//api[.]telegram[.]org/bot5000057429:AAGzxzARC3DPcOsfaw0jKHEyHfyEfZqVYQM
https[:]//blguard[.]shop/
https[:]//greenblguard[.]shop/
https[:]//umpulumpu[.]ru/
https[:]//onetwostep[.]at/
https[:]//win[.]mirtonewbacker[.]com/
http[:]//funkyjazz[.]me/
https[:]//ritmflow[.]online/
http[:]//185[.]173[.]157[.]26/
http[:]//79[.]141[.]162[.]7/
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 17 of 18

Appendix. B: MITRE ATT&CK MATRIX
Press enter or click to view image in full size
P.S. Thank you for the feedback, BlackGuard
Press enter or click to view image in full size
Source: https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4
Page 18 of 18