BlankGrabber
BlankGrabber is a Python-based information stealer first identified in 2023 that targets Windows systems.
Profile source: Mallory opens in a new tabBlankGrabber
Family profile
BlankGrabber is a Python-based information stealer first identified in 2023 that targets Windows systems. It is commonly packaged with PyInstaller and uses layered obfuscation and multi-stage delivery to evade analysis, including an encrypted payload file named blank.aes, runtime AES-GCM decryption, and additional encoded Python stages such as stub-o.pyc using Base64, ROT13, string reversal, and zlib-compressed content. Reporting cited in the content attributes analysis to Splunk Threat Research Team.
The malware is distributed through social engineering and commodity malware channels, including fake cracked software, malicious archives shared on Discord, fraudulent GitHub repositories, phishing, and at least one observed Gofile.io-hosted batch script. In the described attack chain, a batch loader abuses certutil.exe in a fake certificate installation workflow to decode a Rust-based stager. That stager performs anti-sandbox checks, then decrypts and launches a self-extracting archive that delivers BlankGrabber together with XWorm. The broader campaign is described as abusing counterfeit certificate-themed lures to conceal Rust- and Python-based stages.
BlankGrabber performs anti-analysis and victim triage by checking for virtual machines, debugger or sandbox indicators, security tools, MAC addresses, WMI hardware strings, adapter registry names, usernames, computer names, UUIDs, and cloud-hosting indicators such as ip-api.com hosting fields. The content notes expanded blacklists of UUIDs, computer names, and account names associated with sandbox farms.
Its theft capabilities include collecting data from Chromium and Firefox browsers, including credentials, saved passwords, cookies, session tokens, and autofill information; enumerating saved Wi-Fi profiles and stealing Wi-Fi passwords; harvesting clipboard contents; taking screenshots and webcam snapshots; and stealing cryptocurrency wallet data, including wallet extensions and directories associated with Exodus, AtomicWallet, Coinomi, and Electrum. It also targets Telegram Desktop data, Discord tokens, and data associated with Telegram, Roblox, Discord, Steam, and browser-stored wallet extensions.
BlankGrabber also tampers with host defenses and maintains persistence. The content states it disables multiple Windows Defender protections, including via PowerShell, removes antivirus signatures, modifies the Windows hosts file to redirect security websites to 0.0.0.0, uses a registry-based UAC bypass to relaunch with elevated privileges, and establishes persistence via Registry Run Keys and by copying itself into the Windows startup folder.
Exfiltration in this malware family is described as commonly occurring via Telegram Bot API or HTTP POST, including api.telegram.org endpoints such as sendDocument and sendMessage. The content also notes that Telegram bot tokens and C2 strings can often be recovered from process memory after runtime decryption. Overall, BlankGrabber is characterized in the source material as a mass-produced infostealer rather than an APT-grade tool, notable for broad credential and data theft, low barrier to entry, and widespread distribution.
MITRE ATT&CK
BlankGrabber in ATT&CK
24 distinct techniquesReporting
Research mentioning BlankGrabber
Анализ вредоносного ПО на Python - от бинаря до C2
Растущая доля этого потока - Python-based стилеры, упакованные через PyInstaller: BlankGrabber, XillenStealer и десятки их форков... Разбор BlankGrabber от Splunk Threat Research Team показывает типичную архитектуру...
Clandestine BlankGrabber malware examined | brief | SC Media
Windows systems have been more stealthily compromised by the BlankGrabber malware through the exploitation of a counterfeit certificate holder for multi-stage Rust and Python attack chain concealment... After identifying virtual machines and security systems, BlankGrabber proceeds to leverage multiple commands for victim profiling, as well as enumerate saved Wi-Fi profiles before scouring Firefox and Chromium databases to compromise credentials, autofill information, and cryptocurrency wallet extensions, as well as target Telegram, Roblox, Discord, and Steam.
BlankGrabber Stealer Uses Fake Certificate Loader to Hide Malware Delivery Chain
A Python-based information stealer known as BlankGrabber has been caught using a deceptive certificate loader trick to hide a multi-stage malware delivery chain. First identified in 2023... BlankGrabber is designed to steal as much sensitive data as possible before being detected.