{
	"id": "dff1ccd0-5427-4594-8ab2-6ba5190901b7",
	"created_at": "2026-04-06T00:17:56.80672Z",
	"updated_at": "2026-04-10T03:36:48.11005Z",
	"deleted_at": null,
	"sha1_hash": "e91602657229210155b0fac0bcf70ba4d7c23e2d",
	"title": "Open Source Stealers (OSS) – Python",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7313108,
	"plain_text": "Open Source Stealers (OSS) – Python\r\nPublished: 2024-01-02 · Archived: 2026-04-05 18:53:44 UTC\r\nPython has dominated other programming languages over the past decade and keeps growing with the support of its open source community. There are many popular open source Python projects and applications used by millions of users; but have you heard of open source malware? In recent times, many open source repositories publish working Python code to execute data theft operations. With a little knowledge of the Python language, anybody can build the malware and deploy it to the victim’s machine.\r\nBlankGrabber\r\nRecently we received a sample from a third-party antivirus tester which, at the outset, looked like a Python-based binary but was not classified as a PyInstaller-packed file when we scanned it with the “Detect It Easy” tool, as shown below. We found this sample to be the BlankGrabber malware and we will analyse it in this blog.\r\nFigure 1: File type scan\r\nBut when we looked at the strings of the executable, they were found to be related to Python, as seen in Figure 2, which prompted us to investigate further.\r\nhttps://labs.k7computing.com/index.php/open-source-stealers-oss-python/\r\nPage 1 of 18\r\nFigure 2: Strings found in the sample\r\nLet’s quickly analyse the sample and then look at the build process.\r\nSample Analysis\r\nThe executable looks legitimate to the naked eye: it carries a certificate, although a fake one, and uses the version information of “On-Screen Keyboard”, a benign Microsoft program, as shown in Figures 3 and 4.\r\nFigure 3: Version details\r\nFigure 4: Sign details\r\nAs this is a PyInstaller executable, pyinstxtractor (https://github.com/extremecoders-re/pyinstxtractor) can extract the archive’s contents. The compiled file “loader-o.pyc” can be decompiled using pycdc (https://github.com/zrax/pycdc).\r\nFigure 5: Decompiled file – loader-o.py (entry point)\r\nWhen we run the script (Figure 5), the decrypted “stub-o.pyc” file is found archived inside blank.aes. Further decompiling the “stub-o.pyc” file gives obfuscated code, as shown below.\r\nFigure 6: Obfuscated code\r\nWe had to write a small decompiling script based on the source code and used the Python “dis” module to get the disassembled code.\r\nPre-execution check\r\nBefore collecting data from the victim’s machine, the stealer creates a mutex entry to avoid running multiple instances. It also does some preliminary preparation: it obtains admin rights, excludes the executable from Defender detection and disables Defender, as depicted in Figures 7 and 8.\r\nFigure 7: Some of the preliminary functions\r\nFigure 8: Decoded PowerShell command to disable Defender\r\nIf any executable was packed into the malware at build time, it is extracted from the data folder and launched as a separate process; the stealing activity then continues.\r\nFigure 9: Bound file execution\r\nVM Protection\r\nIt checks the environment in which the sample is being executed against blacklists of UUIDs, computer names, usernames and tasks, as listed in Figure 10. It also checks registry keys for traces of a VM, as shown in Figure 11.\r\nFigure 10: Blacklist tuple\r\nFigure 11: VM traces in registry keys\r\nStealer Functions\r\nOnce it confirms that it is not running in a controlled environment, it triggers all the stealer functions in multiple threads to collect the data and send it to the threat actor quickly, as highlighted in Figure 12.\r\nFigure 12: Different stealer functions\r\nWe will look at some of the stealer functions this malware uses for data exfiltration.\r\nBrowser Data\r\nIt collects data from Chromium-based browsers, as depicted in Figure 13.\r\nFigure 13: Browser data exfiltration\r\nAs highlighted in Figure 14, it fetches passwords, history, cookies and autofill details by querying the SQLite databases in which the browser stores its activity on the user’s system.\r\nFigure 14: Querying the SQLite DB\r\nDiscord Data\r\nMalware like BlankGrabber is mainly used to collect Discord information from the victim’s machine. As shown in Figure 15, it collects data from various locations and retrieves the Discord profile information.\r\nFigure 15: Discord user information stealer\r\nTelegram Data\r\nIt looks for the Telegram desktop application on the victim’s machine by traversing shortcuts and copies the key data file to a temp location, as shown in Figure 16.\r\nFigure 16: Telegram data stealer\r\nCrypto Wallet Data\r\nIt captures the stored data of some well-known crypto wallets from the AppData location and from browser extension settings, as depicted in Figure 17.\r\nFigure 17: Wallet detail stealer\r\nWiFi Password Data\r\nWiFi profiles and passwords are captured using the “netsh” tool, as shown in Figure 18.\r\nFigure 18: WiFi password stealer\r\nScreenshots\r\nThe stealer takes screenshots while it is being executed and stores them as Display (n).png, where n starts at 1 and increments by 1; refer to Figures 19 and 20.\r\nFigure 19: Encoded PowerShell command to take a screenshot\r\nFigure 20: Decoded PowerShell command\r\nWebcam Capture\r\nIt takes pictures of the user by calling the webcam drivers through Python’s “ctypes.windll” and stores them as .bmp images in the temp location, as shown in Figure 21.\r\nFigure 21: Snapshots using the webcam\r\nSystem Info \u0026 File Stealer\r\nIt gets some basic information and the MAC address of the victim’s machine, as shown in Figure 22.\r\nFigure 22: System information\r\nThe malware steals files with specific extensions, and only from specific folders on the victim’s machine.\r\nFigure 23: File extensions and specific folders\r\nBuild the Malware\r\nThis malware has been live since late 2022 and became more active in mid-2023. Though the developer of this repo states in the disclaimer that it is for educational purposes, it has been used in malicious activities. A person with a little knowledge of Python can customise this stealer, and even without any knowledge of Python anybody can build the malware, because it comes with a Graphical User Interface (GUI), shown in Figure 24, to ease the building process.\r\nFigure 24: Builder GUI\r\nThe build process is initiated by the Builder batch file, which triggers gui.py to show the Builder GUI and take input from the threat actor.\r\nFigure 25: Build files\r\nThe malicious code resides in the components folder as stub.py, whose “Settings” class variables are replaced with the received inputs, as shown in Figure 26.\r\nFigure 26: Variable mapping\r\nObfuscation\r\nThe code has been obfuscated at multiple levels using BlankOBF.py, which compiles the malware code and splits it into 4 parts. The code at index 0 is further encoded with codecs and the code at index 2 is reversed; then all the split parts are shuffled and joined, as shown in Figure 27.\r\nFigure 27: Main obfuscation technique\r\nThe obfuscated code is then padded with junk code that has no effect on the running of the malware but makes analysis harder.\r\nFigure 28: Adding junk code\r\nFinally, after the junk code is added, the result is compiled and archived, then encrypted with AESModeOfOperationGCM from a typo-squatting “pyaes” module that the same repo developer published on PyPI, as shown in Figure 29.\r\nFigure 29: “pyaes” package\r\nHide the Packer\r\nOnce the executable is created, the packer and entry point information are modified as shown in Figure 30, so that a scan will not detect it as a “PyInstaller” sample (refer to Figure 1).\r\nFigure 30: Hiding packer details\r\nSample Output\r\nThe malware sends all the grabbed information as an archive file (refer to Figure 32) along with a summary to the C2, as shown in Figure 31.\r\nFigure 31: File received with grabbed details\r\nFigure 32: Archive file structure with various grabbed information\r\nIndicators of Compromise (IoCs)\r\nHash | Detection Name\r\nb1c222dc81a4c1bfe401c1c90d592ad8 | Suspicious Program ( ID700026 )\r\nbf552178396e2c988549aed62e1e3221 | Suspicious Program ( ID700026 )\r\nURLs\r\nhxxp[:]//oniwtfxxx.ct8.pl/svhost.exe\r\nhxxp[:]//kreedcssg3.temp.swtest.ru/vsc.exe\r\nC2 Address\r\nhxxps[:]//discord.com/api/webhooks/1132809798509940777/vMplDDwRyx_6_5uYKAXG7bHS-mDzPgPXAJPMkjW0mOGRCJHraAdTsRBlguXlivb1DOef\r\nhxxps[:]//discord.com/api/webhooks/1175476732808155136/yWG3KpQSZDr3w_4pauQKwyHUcFjDeip0NNMvypVQ-rLtb-6Olf6bJH3ZSNvGqPPOGdoA\r\nSource: https://labs.k7computing.com/index.php/open-source-stealers-oss-python/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/open-source-stealers-oss-python/"
	],
	"report_names": [
		"open-source-stealers-oss-python"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434676,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e91602657229210155b0fac0bcf70ba4d7c23e2d.pdf",
		"text": "https://archive.orkl.eu/e91602657229210155b0fac0bcf70ba4d7c23e2d.txt",
		"img": "https://archive.orkl.eu/e91602657229210155b0fac0bcf70ba4d7c23e2d.jpg"
	}
}