BlankGrabber
BlankGrabber is a Python-based information stealer first identified in 2023 that targets Windows systems. It is commonly packaged with PyInstaller and uses layered obfuscation and multi-stage delivery to evade analysis, including an encrypted payload file named blank.aes, runtime AES-GCM decryption, and additional encoded Python stages such as stub-o.pyc that combine Base64, ROT13, string reversal, and zlib-compressed content. The reporting cited here attributes the analysis to the Splunk Threat Research Team.
The malware is distributed through social engineering and commodity malware channels, including fake cracked software, malicious archives shared on Discord, fraudulent GitHub repositories, phishing, and at least one observed Gofile.io-hosted batch script. In the described attack chain, a batch loader abuses certutil.exe in a fake certificate installation workflow to decode a Rust-based stager. That stager performs anti-sandbox checks, then decrypts and launches a self-extracting archive that delivers BlankGrabber together with XWorm. The broader campaign is described as abusing counterfeit certificate-themed lures to conceal Rust- and Python-based stages.
BlankGrabber performs anti-analysis and victim triage by checking for virtual machines, debugger or sandbox indicators, security tools, MAC addresses, WMI hardware strings, adapter registry names, usernames, computer names, UUIDs, and cloud-hosting indicators such as the hosting fields returned by ip-api.com. The source material notes expanded blacklists of UUIDs, computer names, and account names associated with sandbox farms.
Its theft capabilities include collecting data from Chromium and Firefox browsers, including credentials, saved passwords, cookies, session tokens, and autofill information; enumerating saved Wi-Fi profiles and stealing Wi-Fi passwords; harvesting clipboard contents; taking screenshots and webcam snapshots; and stealing cryptocurrency wallet data, including wallet extensions and directories associated with Exodus, AtomicWallet, Coinomi, and Electrum. It also targets Telegram Desktop data, Discord tokens, application data associated with Roblox and Steam, and browser-stored wallet extensions.
BlankGrabber also tampers with host defenses and maintains persistence. The source material states that it disables multiple Windows Defender protections, including via PowerShell, removes antivirus signatures, modifies the Windows hosts file to redirect security websites to 0.0.0.0, uses a registry-based UAC bypass to relaunch with elevated privileges, and establishes persistence via Registry Run Keys and by copying itself into the Windows startup folder.
Exfiltration in this malware family is described as commonly occurring via Telegram Bot API or HTTP POST, including api.telegram.org endpoints such as sendDocument and sendMessage. The content also notes that Telegram bot tokens and C2 strings can often be recovered from process memory after runtime decryption. Overall, BlankGrabber is characterized in the source material as a mass-produced infostealer rather than an APT-grade tool, notable for broad credential and data theft, low barrier to entry, and widespread distribution.
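As an added defender-side example (not code from the page's sources or from the Splunk report), the following Python checks two artifacts described above: hosts-file entries that sinkhole security domains to 0.0.0.0, and Telegram Bot API sendDocument/sendMessage URLs in proxy telemetry. The hosts content, the watchlist domains and the URLs are constructed sample data, and the bot token is a placeholder.

```python
import re

# Constructed sample of a tampered hosts file (not taken from the page's sources).
SAMPLE_HOSTS = """\
# sample header comment
127.0.0.1 localhost
0.0.0.0 av-vendor.example
0.0.0.0   updates.security-tool.example
10.0.0.5 intranet.example
"""
# Constructed watchlist of security-vendor domains a defender wants to protect.
SECURITY_DOMAINS = ("av-vendor.example", "security-tool.example")
# Constructed proxy/URL telemetry; the bot token is a placeholder, not a real one.
SAMPLE_URLS = [
    "https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN/sendDocument",
    "https://example.org/index.html",
    "https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN/sendMessage",
]
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}
TELEGRAM_EXFIL_RE = re.compile(r"api\.telegram\.org/bot[^/]+/(sendDocument|sendMessage)")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:                 # one IP may map several names
            entries.append((parts[0], host.lower()))
    return entries


def find_sinkholed_security_hosts(text, watchlist=SECURITY_DOMAINS):
    """Watchlisted hostnames (or their subdomains) that are mapped to a sinkhole IP."""
    hits = []
    for ip, host in parse_hosts(text):
        if ip in SINKHOLE_IPS and any(host == d or host.endswith("." + d) for d in watchlist):
            hits.append(host)
    return hits


def find_telegram_exfil(urls):
    """Telegram Bot API methods (sendDocument/sendMessage) seen in URL telemetry."""
    methods = []
    for url in urls:
        match = TELEGRAM_EXFIL_RE.search(url)
        if match:
            methods.append(match.group(1))
    return methods
```

On a real host, feed the checks the contents of %SystemRoot%\System32\drivers\etc\hosts and the URLs from proxy or EDR network telemetry; a non-empty result from either function is worth triaging.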
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance: 1 technique
Initial Access: 1 technique
Execution: 3 techniques
BlankGrabber also disables Windows Defender's real-time protection and removes antivirus signatures through PowerShell.
Persistence: 1 technique
Privilege Escalation: 2 techniques
Stealth: 6 techniques
From the MITRE ATT&CK perspective, Python stealers implement a characteristic set of techniques: Obfuscated Files or Information (T1027 ...) - multi-layered code obfuscation and payload encryption
Windows systems have been more stealthily compromised by the BlankGrabber malware through the exploitation of a counterfeit certificate holder for multi-stage Rust and Python attack chain concealment.
...conducts anti-sandbox checks before decrypting and deploying a self-extracting SFX archive that contains XWorm and the BlankGrabber stealer...
The loader misused certutil.exe, a legitimate built-in Windows utility, to decode what looked like certificate data.
Credential Access: 2 techniques
Discovery: 4 techniques
...BlankGrabber proceeds to leverage multiple commands for victim profiling...
Collection: 4 techniques
It targets browser credentials, session tokens, saved passwords, clipboard contents, Wi-Fi passwords, cryptocurrency wallet data, screenshots
Impact: 1 technique
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Python-based infostealer packaged with PyInstaller. It steals browser passwords, Discord tokens, cryptocurrency wallets, cookies, and screenshots, then exfiltrates the data via the Telegram Bot API or HTTP POST. The source describes multilayer obfuscation, including AES-GCM-encrypted payloads, anti-sandbox checks, and persistence via Registry Run Keys.
BlankGrabber is an infostealer used in a multi-stage Rust and Python attack chain. It performs anti-analysis checks, profiles victims, enumerates saved Wi-Fi profiles, steals credentials and autofill data from Firefox and Chromium databases, targets cryptocurrency wallet extensions and applications such as Telegram, Roblox, Discord, and Steam, and disables Windows Defender protections while using a registry-based UAC bypass for privilege escalation and persistence.
Python-based information stealer with a modular, multi-stage delivery chain. It steals browser credentials, session tokens, saved passwords, clipboard contents, Wi-Fi passwords, cryptocurrency wallet data, screenshots, and webcam snapshots; it also disables Windows Defender protections, modifies the hosts file, and establishes persistence via the startup folder.