Skip to content

Improved BlackGuard stealer can target 57 crypto wallets

  • by
  • 3 min read

Photo by Morrowind/

The Blackguard stealer has been spotted in the wild again with better capabilities this time around by analysts from AT&T. The malware authors are still actively supporting it by constantly adding features while keeping the subscription cost steady. 

Blackguard was first spotted by Zscaler in March 2022 being sold to cyber criminals for $200 per month on $700 upfront on Russian forums. Since it appeared shortly after the popular Raccoon stealer shut down, its adoption rate and app targeting capabilities were pretty good. 

Hardcoded regex to spot crypto addressed copied on the clipboard. | Source: AT&T

However, this latest version spotted by AT&T analysts adds five new features that make it much more dangerous. First up, its crypto wallet hijacker (clipper) module replaces copied wallet addresses in the clipboard with the attacker’s address in hopes of receiving funds when the user copies and pastes that address to send funds. The clipper also supports a fair number of cryptocurrencies, having hardcoded wallet addresses for Bitcoin, Bitcoin Cash, Dash, Ethereum, Litecoin, Monero, Nectar, Ripple, and Stellar.

It can also use USB sticks to spread itself to other systems, in addition to having the ability to download additional payloads from its C2 server and run them directly in the infected system’s memory using process hollowing, which avoids detection from any antivirus programs installed on the infected machine. 

Downloading and running additional payloads using process hollowing. | Source: AT&T

The last two features are focused on persistence and ensuring the malware is hard to remove. For starters, it can copy itself to every folder in the C:\ drive giving each copy a random name. It can also add itself under the Run registry key, giving it persistence between reboots. The latest variant also goes one step ahead and can steal sensitive information such as Discord tokens and browser cookies and data.

Overall, the Blackguard stealer now targets as many as 57 crypto browser wallets and extensions. For context, when it was first spotted in August 2022 it could only steal data from 47. Some of the targeted extensions include Binance, BitApp, Guildwallet, Metamask, Phantom, Slope Wallet, Starcoin and Ronin while targeted wallets include AtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus crypto and LiteCoinCore among others. 

In the News: Novel Android malware can hack 450 financial organisations

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: