BlankGrabber Stealer Uses Fake Certificate Loader to Hide Malware Delivery Chain

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A Python-based information stealer known as BlankGrabber has been caught using a deceptive certificate loader trick to hide a multi-stage malware delivery chain.

First identified in 2023, this threat has grown more complex over time and keeps targeting everyday users through widely used online platforms.

BlankGrabber is designed to steal as much sensitive data as possible before being detected. It targets browser credentials, session tokens, saved passwords, clipboard contents, Wi-Fi passwords, cryptocurrency wallet data, screenshots, and webcam snapshots.

Its modular design lets threat actors tailor their attacks, while its fast development cycle has helped it slip past many conventional security tools.

Splunk analysts identified a BlankGrabber loader sample hosted on the Gofile[.]io file-sharing platform, where a closer look revealed that what appeared to be a normal certificate installation script was actually a disguised multi-layer infection mechanism.

The loader misused certutil.exe, a legitimate built-in Windows utility, to decode what looked like certificate data.

In reality, the encoded content held a compiled Rust-based stager, built to decrypt and launch the final malicious payload.

The malware spreads mainly through social engineering and phishing. Attackers push it via fake “cracked” software downloads, malicious archives shared on Discord, and fraudulent GitHub repositories made to look like real utilities.

Once a user runs the file, the infection chain starts quietly in the background, working through several obfuscation layers to stay hidden from security tools.

The damage from a successful BlankGrabber infection can be significant. Victims risk losing access to browser accounts, financial platforms, and personal files. The malware also drops XWorm alongside itself, giving attackers both data theft capability and persistent remote control over the compromised machine.

Deceptive Infection Mechanism and Detection Evasion

The infection begins with a batch file loader that uses certutil.exe to decode what appears to be certificate data.

Batch Script Loader (Source – Splunk)

That encoded content is actually a compiled Rust stager. After executing, the stager runs a series of environment checks, comparing the system’s drivers, usernames, and computer names against a hardcoded list of sandbox identifiers like “Triage,” “Zenbox,” and “Sandbox.” If any of those are found, the malware exits to avoid detection.

Anti-Sandbox and Virtualization (Source – Splunk)

When the stager confirms the system is real, it drops a self-extracting RAR archive into the %TEMP% folder.

XWorm and BlankGrabber Trojan Stealer (Source – Splunk)

This archive delivers two malicious files — the XWorm remote access client (host.exe) and the BlankGrabber stealer (Knock.exe).

To blend in, the dropped file gets a random name resembling a legitimate Windows process, such as OneDriveUpdateHelper.exe or SteamService.exe.

The BlankGrabber payload is packed using PyInstaller, converting the original Python script into a standalone executable. Inside the package is an encrypted file called “blank.aes,” which stores the real payload.

Stage 1 Decryption (Source – Splunk)

A customized AES-GCM algorithm with a hardcoded key and initialization vector decrypts this file at runtime, as seen in the Stage 1 disassembly.

Stage 1 Disassembly (Source – Splunk)

Once decrypted, a second-stage script named “stub-o.pyc” surfaces, using Base64 encoding, ROT13, and string reversal as extra layers of hiding.

Obfuscated Second-Stage Python Script (Source – Splunk)

BlankGrabber also disables Windows Defender’s real-time protection and removes antivirus signatures through PowerShell.

Disable Windows Defender (Source – Splunk)

It modifies the Windows hosts file to cut off access to security websites by redirecting them to 0.0.0.0. For persistence, it places a copy of its payload in the startup folder, so it runs again after every reboot.

Security teams should watch for certutil.exe being used to decode non-certificate data, WinRAR running outside its default installation folder, PowerShell commands that disable Windows Defender, and unusual DNS queries going to Telegram’s API or known file-sharing services.
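The detection guidance above, together with the hosts-file sinkholing described earlier, as an added example that is not part of the original article or of Splunk's own detections: a small Python triage helper run over constructed process-creation events, DNS queries and hosts-file content. The sample telemetry, the indicator names and the WinRAR default paths are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not real telemetry): (image path, command line)
SAMPLE_PROCS = [
    (r"C:\Windows\System32\certutil.exe", r"certutil -decode C:\Users\u\AppData\Local\Temp\c.txt C:\Users\u\AppData\Local\Temp\s.exe"),
    (r"C:\Windows\System32\certutil.exe", r"certutil -addstore Root C:\certs\corp-root.cer"),
    (r"C:\Users\u\AppData\Local\Temp\WinRAR.exe", r"WinRAR.exe x -y C:\Users\u\AppData\Local\Temp\p.rar"),
    (r"C:\Program Files\WinRAR\WinRAR.exe", r"WinRAR.exe x C:\Users\u\Documents\report.rar"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell -Command Get-Date"),
]
SAMPLE_DNS = ["api.telegram.org", "gofile.io", "update.microsoft.com"]  # constructed queries
# Constructed hosts file: two security sites sinkholed to 0.0.0.0 plus a benign line
SAMPLE_HOSTS = "127.0.0.1 localhost\n0.0.0.0 www.virustotal.com\n0.0.0.0 www.malwarebytes.com\n"

WINRAR_DEFAULT_DIRS = (r"c:\program files\winrar", r"c:\program files (x86)\winrar")  # assumed defaults
WATCHED_DNS = ("api.telegram.org", "gofile.io")  # Telegram API and the file-sharing host named in the article
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s.*-Disable\w+|-RemoveDefinitions", re.I)

def classify_process(image, cmdline):
    """Return the article's indicators matched by one process-creation event."""
    hits = []
    name = PureWindowsPath(image).name.lower()
    if name == "certutil.exe" and re.search(r"\s-decode(hex)?\b", cmdline, re.I):
        hits.append("certutil_decode")  # certutil decoding data instead of managing certificates
    if name == "winrar.exe" and not image.lower().startswith(WINRAR_DEFAULT_DIRS):
        hits.append("winrar_outside_install_dir")
    if name == "powershell.exe" and DEFENDER_TAMPER.search(cmdline):
        hits.append("defender_disabled_via_powershell")
    return hits

def classify_dns(query):
    return "dns_to_watched_service" if query.lower() in WATCHED_DNS else None

def hosts_sinkholes(hosts_text):
    """Domains the hosts file maps to 0.0.0.0, the redirection the stealer applies to security sites."""
    out = []
    for line in hosts_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "0.0.0.0":
            out.extend(parts[1:])
    return out

def scan(procs=SAMPLE_PROCS, dns=SAMPLE_DNS, hosts=SAMPLE_HOSTS):
    findings = [(img, h) for img, cmd in procs for h in classify_process(img, cmd)]
    findings += [(q, d) for q in dns if (d := classify_dns(q))]
    findings += [(dom, "hosts_sinkhole") for dom in hosts_sinkholes(hosts)]
    return findings

if __name__ == "__main__":
    for subject, indicator in scan():
        print(f"{indicator:32} {subject}")
```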

Organizations should keep systems fully patched, block access to unapproved file-sharing sites, and enforce strict application allowlisting to reduce exposure to this type of threat.
