Connect with us

Hi, what are you looking for?


Malware & Threats

Baldr Stealer Malware Active in the Wild With Ongoing Updates

Stealer malware steals information. Its primary purpose is neither to spread to other computers nor to obtain stealthy persistence on an infected computer. It can be like a smash-and-grab burglar — it grabs what it came for, and that’s it. It steals browser histories, passwords and cookies, and files that may contain sensitive data.

Stealer malware steals information. Its primary purpose is neither to spread to other computers nor to obtain stealthy persistence on an infected computer. It can be like a smash-and-grab burglar — it grabs what it came for, and that’s it. It steals browser histories, passwords and cookies, and files that may contain sensitive data. It’s different from spyware, which seeks stealthy persistence to observe over time.

Generally speaking, stealers don’t need to be sophisticated. They are not normally designed for long-term market presence with the updates and improvements that come with mainstream trojans like Dridex or ransomware like GandCrab. But now there’s a new stealer — Baldr — that looks like it may be around for a while. Baldr first appeared towards the end of 2018, and has been analyzed by Malwarebytes. The researchers comment, “During the short time span of a few months, Baldr has gone through many versions, suggesting that the author is fixing bugs and interested in developing new features.”

Several distribution channels for Baldr have been discovered. The Malwarebytes researchers found it disguised as a tool to generate free bitcoins advertised on YouTube; and have also found it in a drive-by campaign involving the Fallout exploit kit. The threat hunter known as @MisterCh0c tweeted on 31 March, “#baldr stealer spreading through “legit” CS:GO cheat videos”; and on 2 April, “Here’s the original website: hxxp:// Spreading #baldr through all kind of fake $crypto apps.”

Malwarebytes links Baldr to three threat actors: Agressor for distribution (possibly as an affiliate), Overdot for sales and promotion, and LordOdin for development — with the latter two being the primary actors.

What Baldr does is relatively straightforward — there is nothing groundbreaking in its functionality. Where it differs from other stealers, however, is in the complicated implementation of that functionality. “Whether we are talking about its packer usage and payload code structure or even its backend C2 and distribution,” comment the researchers, “the authors spent a lot of time to try and make this a long running campaign.”

Baldr goes through five stages: it profiles the victim computer; it exfiltrates sensitive data; it grabs DOC, DOCX, LOG and TXT files; it may take a screenshot; and it sends the collected data back to its C2 server. With typical ‘smash-and-grab’, it does not attempt to disguise this final exfiltration. Regardless of the size of the network transfer, Baldr has done its job and stolen the data — at this point there is no attempt to disguise its presence.

If the malware hasn’t been discovered before this point, it will certainly be discovered now on any business network. This lack of stealth, lack of persistence, and absence of any spreading mechanism means that in a corporate environment, each employee would need to be manually targeted with a unique attempt.

The Baldr code is heavily obfuscated. Once exposed, however, the researchers were able to examine the payload. This is not easy to analyze, despite being written in an interpreter language (C#). “All functionality is heavily abstracted, encapsulated in wrapper functions and utilize a ton of utility classes,” note the researchers. And then, “Every minute action that this malware performs is executed through a separate thread. This was obviously done to complicate the life of the analyst.” There are more than 100 unique function being called inside of threads throughout the code base; which could become thousands with recursively called threads.

Advertisement. Scroll to continue reading.

The first stage of operation gathers the user profile — cpu type, computer name, user accounts, OS and so on. The gathered data is stored in arrays that are flattened. Baldr then cycles the directories looking for application data such as stored user accounts. After this it looks for txt and doc files. It saves the filenames and stores the content in various arrays. Finally, before network connection and data transmission to the C2, it can take screenshots. Like other stealers, it comes with a panel that provides high level stats to the criminal user.

The researchers describe Baldr as a ‘solid’ stealer that is active in the wild. They point out that its author and distributor are both active on various underground forums to promote and defend the malware; and that it has evolved through numerous versions in just a few months. The implication is that Baldr is here for the long haul; and the criminal demand for stealers is so high that it will likely be used in numerous campaigns going forward.

Related: Malicious RTF Documents Deliver Information Stealers 

Related: “Fauxpersky” Credential Stealer Spreads via USB Drives

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.