BlackGuard – Deadly New Stealer Sold on Russian Underground Forums

Trawling through Russian hacker forums, ThreatLabz researchers have spotted a “sophisticated” new infostealer capable of disabling antivirus protections and capturing data from a wide range of applications. Dubbed BlackGuard, the stealer malware is being advertised to fellow Russian hackers for $200 a month or $700 for a lifetime subscription.

screenshot from Russian hacker forum showing Blackguard on sale.

What’s an Infostealer?

As the name suggests, an infostealer nabs valuable user data, making it a serious security threat to organizations. For example, the LAPSUS$ hacker collective, recently responsible for a series of major data breaches, is suspected to have used infostealers to gain initial access to the networks of at least four global corporations.

What BlackGuard Does

According to Zscaler’s report, BlackGuard can harvest information stored in popular browsers, such as passwords, cookies, autofill data and browsing history. It also targets data relating to messaging apps, including Telegram, Signal, Tox, Element, Pidgin, and Discord.

FTP credentials, email client logins and online account credentials for financial and banking services are also vulnerable. In particular, the malware targets wallet.dat files for cryptocurrency theft purposes. BlackGuard also steals credentials from VPNs such as ProtonVPN, OpenVPN, and NordVPN.

How BlackGuard Works

BlackGuard is written in .NET and while it’s still under active development, it already comes with:

          • Base64 encoding
          • Obfuscation
          • Antibugging
          • A crypto-based packer

Working together, these enable it to bypass antivirus detection and reverse engineering.

The stealer is typically distributed through malicious software disguised as a Windows Update file, a fake MS Office Installer, or computer cleaner software. Once it infects a device, it checks the operating system to kill any processes related to virus or malware detection and sandboxing. It then uses user32!BlockInput() to block all mouse and keyboard inputs to prevent any debugging attempts.

BlackGuard Execution Diagram

Diagram by Jiho Kim | S2W Blog


The malware seems to be deliberately targeting non-CIS (Commonwealth of Independent States) users. First, it checks the IP address to see if the device in a CIS country, such as Russia, Belarus, or Azerbaijan:

          • If the infected user is in a CIS region, it quietly exits the device.
          • If the infostealer detects a non-CIS user, it snatches all the data it can and stores it in the ChikenDir folder. This data is then packaged into an organized .zip file, and sent to a command-and-control (C2) server through the Telegram API.
BlackGuard stealer code  

Once it’s stolen by BlackGuard, the data is usually sold to the highest bidder or used by the threat actor to perform a corporate breach, identity fraud and other types of cybercrime.

A Vibrant Marketplace

BlackGuard operates on the Malware-as-a-Service (MaaS) model in which cybercriminals lease out their software to others looking to carry out malicious activities.

Malware-as-a-Service is a booming business on many hacking forums. Cybercriminals trade in all types of malware and breached information, including trojans, infostealers, exploits, and leaked credentials, making it easier for fellow cybercriminals to carry out attacks.

Protect Yourself

Infostealers are a rising concern as they help bad actors gain initial access to corporate networks.

“While applications of BlackGuard are not as broad as other stealers, BlackGuard is a growing threat as it continues to be improved and is developing a strong reputation in the underground community,” the Zscaler researchers claim.

To defend yourself against BlackGuard and other infostealer malware, it’s recommended you use up-to-date antivirus software with strong sandboxing capabilities. Consider a comprehensive solution like the CyberGhost Security Suite for Windows, which includes world-class anti-malware and antivirus protection to proactively detect sophisticated online threats like BlackGuard.

Here’s the shortlist on what you can do to protect yourself against malware:

    1. Never use the same password and make sure your passwords are strong.
    2. Use multi-factor authentication wherever possible.
    3. Keep your software up to date.
    4. Avoid clicking on unknown links or visiting unfamiliar sites.
    5. Avoid downloading pirated software from torrent websites with poor reputation.
    6. Avoid opening suspicious-looking, unknown files or apps.
    7. Connect to CyberGhost VPN. Our secure, private network and proprietary DNS (domain name system) work together to block out most known sources of malware and viruses.

Leave a comment

Write a comment

Your email address will not be published. Required fields are marked*