BlankGrabber’s operators are now abusing a fake “certificate” loader to hide a multi‑stage Rust and Python infection chain, making this commodity stealer significantly harder to spot on Windows endpoints.
The new technique relies on built‑in tools such as certutil.exe, heavily obfuscated PyInstaller stubs, and stealthy exfiltration via Telegram and public web services to evade both static and behavioral detection.
According to Splunk’s Threat Research Team (STRT), recent BlankGrabber campaigns start with a batch script hosted on the gofile[.]io file‑sharing service.
At first glance, the script decodes data and passes it to certutil.exe to install what appears to be a Windows certificate.
Deeper analysis shows the encoded blob is not a certificate at all but a compiled Rust executable acting as a stager, responsible for decrypting and launching the real payload.
The Rust stager adds another obfuscation layer by masquerading as certificate data and only revealing the next stage in memory.
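The core of the fake‑certificate trick is that certutil -decode emits whatever bytes were Base64‑encoded, certificate or not. The following is an added example, not code from the Splunk report or from BlankGrabber, that decodes a blob the way certutil would (strip any BEGIN/END armor, then Base64‑decode) and reports whether the result looks like an X.509 structure or a Windows PE executable. The sample blobs are constructed inline and the function names are the example's own.

```python
"""Classify what a certutil-style Base64 blob actually decodes to.

Added example for triage: hand it the text that would be passed to
`certutil -decode` and it tells you whether the decoded bytes are a
certificate-shaped ASN.1 structure or a PE executable (the fake-certificate
loader case). Samples below are constructed, not real campaign artifacts.
"""
import base64
import re
import struct

# PEM armor as certutil accepts it: BEGIN/END lines wrapping Base64 text.
PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----(.*?)-----END [A-Z ]+-----", re.S)


def decode_certutil_blob(text: str) -> bytes:
    """Mimic certutil -decode: drop PEM armor if present, then Base64-decode."""
    m = PEM_RE.search(text)
    body = m.group(1) if m else text
    body = re.sub(r"\s+", "", body)
    return base64.b64decode(body, validate=True)


def classify(blob: bytes) -> str:
    """Return a coarse type label for the decoded bytes."""
    if blob.startswith(b"MZ"):
        # DOS header: e_lfanew at offset 0x3C points at the "PE\0\0" signature.
        if len(blob) >= 0x40:
            off = struct.unpack_from("<I", blob, 0x3C)[0]
            if blob[off:off + 4] == b"PE\0\0":
                return "pe-executable"
        return "mz-header-only"
    if blob[:1] == b"\x30":
        # ASN.1 SEQUENCE tag, which is how a DER-encoded X.509 cert begins.
        return "der-asn1"
    if blob.startswith(b"-----BEGIN"):
        return "pem-text"
    return "unknown"


def triage(text: str) -> str:
    """Decode like certutil and classify; the check a hunter wants on the blob."""
    return classify(decode_certutil_blob(text))


# --- constructed samples (hypothetical, minimal) -----------------------------
def make_fake_pe() -> bytes:
    """Smallest byte string that satisfies the MZ/PE signature check above."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)         # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


FAKE_CERT_BLOB = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(make_fake_pe()).decode()
    + "-----END CERTIFICATE-----\n"
)
REAL_LOOKING_DER = base64.b64encode(b"\x30\x82\x01\x00" + b"\x02\x01\x02" + b"\0" * 8).decode()

if __name__ == "__main__":
    print("armored blob decodes to:", triage(FAKE_CERT_BLOB))   # pe-executable
    print("plain DER blob decodes to:", triage(REAL_LOOKING_DER))  # der-asn1
```

A blob that arrives wrapped in CERTIFICATE armor but classifies as pe-executable is exactly the pattern the article describes; the same check can be applied to the output file certutil writes, since the stager binary will carry the MZ/PE signatures regardless of how it was delivered.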
It also performs anti‑sandbox checks by looking for tell‑tale drivers, usernames, and computer names such as “Triage”, “Sandbox”, “Malware”, or “Zenbox” to avoid detonating in automated analysis environments.
Once satisfied it is on a real victim system, it decrypts and drops a self‑extracting RAR (SFX) archive into %TEMP% using one of several benign‑looking filenames like OneDriveUpdateHelper.exe, RuntimeBroker.exe, or MicrosoftEdgeUpdate.exe.
XWorm + BlankGrabber in a single SFX
The SFX archive contains multiple components, notably an XWorm remote‑access client (host.exe) and a PyInstaller‑packed BlankGrabber stealer (Knock.exe), enabling both remote control and large‑scale data theft on the same host.

Packaging these tools together helps attackers move laterally, persist, and exfiltrate data in one operation.
BlankGrabber itself, originally released as an open‑source Python infostealer, is built via a GUI builder that wraps Python code, third‑party libraries, and embedded tools into a single executable.
STRT’s analysis shows the PyInstaller bundle hides an encrypted data blob named “blank.aes”, which is decrypted at runtime using a customized AES routine to reconstruct the next stage ZIP archive.

That archive contains another heavily obfuscated Python stub that uses zlib compression plus Base64, ROT13, and string reversal to layer the loader logic before finally restoring the operational BlankGrabber stub.
Once fully unpacked, BlankGrabber performs extensive environment checks to spot virtual machines, fake networking, and security tooling by inspecting UUIDs, adapter vendors, and making connections to random domains to test for simulated internet responses.
It then profiles the victim using commands such as systeminfo, getmac, WMI queries (e.g., Win32_ShortcutFile, AntivirusProduct, csproduct), and webcam capture, and it enumerates saved Wi‑Fi profiles to extract cleartext WLAN keys via netsh.
For data theft, the stealer parses Chromium and Firefox databases to dump passwords, cookies, history, and autofill data, scrapes crypto‑wallet extensions, and targets platforms such as Telegram, Discord, Steam, Epic Games, Roblox, and Minecraft.
It also harvests clipboard text, takes .NET‑based screenshots via PowerShell, collects document and credential file types, and archives everything using an embedded rar.exe utility protected with the password “Blank123”.

Exfiltration relies on a combination of Telegram bots and abused web services, including IP lookup APIs like ip-api[.]com and popular file‑sharing or paste platforms.
Persistence and Splunk detections
BlankGrabber aggressively tampers with the host to stay hidden, blocking AV and security sites by editing the Windows hosts file, disabling multiple Windows Defender protections via PowerShell (including real‑time monitoring and cloud‑delivered protection), and adding its working directory to Defender exclusions.

It then uses a registry‑based UAC bypass to re‑launch itself with elevated privileges and installs copies of its payload into startup folders for persistence across reboots.
To support defenders, Splunk provides multiple analytics to catch this behavior, including detections for Windows product key registry access, DNS queries to Telegram’s API and IP‑check services such as ip-api[.]com, WinRAR/rar.exe running outside standard paths, suspicious hosts file access, WMI reconnaissance, and DNS lookups to abused web services like gofile.io and cdn.discordapp.com.
Combined with threat hunting focused on certutil‑backed “certificate” installs that actually deploy Rust binaries, these detections help Security Operations Center teams surface BlankGrabber’s fake‑certificate loader and its downstream stealer activity before large volumes of credentials and tokens are exfiltrated.
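The host‑tampering behaviors above and the detection list Splunk describes map onto a small set of process, file and DNS indicators. The following is an added example, not Splunk's own analytics and not code from the report, that expresses those indicators as rules and runs them over a handful of constructed endpoint events (process creation, file write, DNS query). The event schema, rule names and sample values are the example's own assumptions; real telemetry (Sysmon, EDR) would be mapped into the same fields.

```python
"""Rule-based triage of endpoint events for the BlankGrabber behaviors described above.

Added example: the indicators come from the article (certutil decode/addstore,
rar.exe outside its install path, Set-/Add-MpPreference tampering, hosts file
writes, WMI reconnaissance, netsh WLAN key dumps, DNS to abused services).
Events and paths below are constructed; the schema is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process", "file" or "dns"
    image: str = ""      # full path of the acting process
    cmdline: str = ""    # command line (process events)
    target: str = ""     # written path (file) or queried name (dns)


@dataclass
class Finding:
    rule: str
    event: Event


ABUSED_DOMAINS = {"api.telegram.org", "ip-api.com", "gofile.io", "cdn.discordapp.com"}
STANDARD_RAR_DIRS = ("c:\\program files\\winrar\\", "c:\\program files (x86)\\winrar\\")
HOSTS_PATH = "c:\\windows\\system32\\drivers\\etc\\hosts"


def _base(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.I) is not None


# (rule name, predicate over one Event)
RULES = [
    ("certutil_decode_or_addstore",
     lambda e: e.kind == "process" and _base(e.image) == "certutil.exe"
     and _has(r"-(decode|addstore)\b", e.cmdline)),
    ("rar_outside_standard_path",
     lambda e: e.kind == "process" and _base(e.image) in {"rar.exe", "winrar.exe"}
     and not e.image.lower().startswith(STANDARD_RAR_DIRS)),
    ("defender_tampering_via_powershell",
     lambda e: e.kind == "process" and _base(e.image) in {"powershell.exe", "pwsh.exe"}
     and _has(r"(Set|Add)-MpPreference\s+-(Disable\w+|ExclusionPath)", e.cmdline)),
    ("hosts_file_write",
     lambda e: e.kind == "file" and e.target.lower() == HOSTS_PATH),
    ("wmi_recon",
     lambda e: e.kind == "process" and _base(e.image) == "wmic.exe"
     and _has(r"\b(csproduct|AntivirusProduct|Win32_ShortcutFile)\b", e.cmdline)),
    ("wlan_key_dump",
     lambda e: e.kind == "process" and _base(e.image) == "netsh.exe"
     and _has(r"wlan\s+show\s+profile.*key\s*=\s*clear", e.cmdline)),
    ("dns_to_abused_service",
     lambda e: e.kind == "dns" and e.target.lower().rstrip(".") in ABUSED_DOMAINS),
]


def scan(events):
    """Return one Finding per (event, matching rule)."""
    return [Finding(name, ev) for ev in events for name, pred in RULES if pred(ev)]


def findings_by_rule(events):
    """Count findings per rule name; handy for tests and for a quick summary."""
    counts = {}
    for f in scan(events):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# --- constructed sample telemetry (hypothetical paths and names) -------------
TMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    Event("process", "C:\\Windows\\System32\\certutil.exe",
          f"certutil -decode {TMP}cert.txt {TMP}RuntimeBroker.exe"),
    Event("process", f"{TMP}rar.exe", "rar.exe a -r out.rar data"),
    Event("process", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          "powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event("file", f"{TMP}Knock.exe", target="C:\\Windows\\System32\\drivers\\etc\\hosts"),
    Event("process", "C:\\Windows\\System32\\wbem\\wmic.exe", "wmic csproduct get uuid"),
    Event("process", "C:\\Windows\\System32\\netsh.exe",
          'netsh wlan show profile name="Office" key=clear'),
    Event("dns", f"{TMP}Knock.exe", target="api.telegram.org"),
    Event("dns", f"{TMP}Knock.exe", target="ip-api.com."),
]
BENIGN_EVENTS = [
    Event("process", "C:\\Windows\\System32\\certutil.exe", "certutil -hashfile setup.msi SHA256"),
    Event("process", "C:\\Program Files\\WinRAR\\Rar.exe", "Rar.exe x backup.rar"),
    Event("process", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          "powershell -Command Get-MpPreference"),
    Event("dns", "C:\\Program Files\\Mozilla Firefox\\firefox.exe", target="www.microsoft.com"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:36} {f.event.image}")
    print("benign findings:", len(scan(BENIGN_EVENTS)))  # 0
```

Each rule is deliberately narrow so that the individual hits stay low‑noise; the value for a SOC comes from correlating several of them on one host within a short window, for example a certutil decode followed by rar.exe launching from %TEMP% and a DNS query to api.telegram.org, which together are far more specific to this chain than any single event.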
IOCs
| SHA256 | Description |
|---|---|
| 268d12a71b7680e97a4223183a98b565cc73bbe2ab99dfe2140960cc6be0fc87 | BlankGrabber |
| ac36b970704881c7656e8fdd7e8c532e22896b97a47acef5ca624d7701bf991 | Batch loader |