article featured image


Cybersecurity researchers found a brand-new high-profile malware tracked as BluStealer that can steal cryptocurrency and banking information, log keystrokes, and upload files. According to specialists, the malware is distributed by threat actors through malicious email attachments.

The malware was first noticed by a cybersec specialist in May 2021 and referred to as a310logger.

BluStealer is able to steal credentials such as names, passwords, or email addresses saved in browsers, cookies, and apps stored in Chrome and Firefox browsers.

According to Avast, this malware is created to steal crypto including Bitcoin, Ethereum, Monero, and Litecoin from popular wallets including ArmoryDB, Bytecoin, Jaxx Liberty, Exodus, Electrum, Atomic, Guarda, and Coinomi.

How Does It Work?

BluStealer is mainly delivered via malspam and consists of a core code written in Visual Basic and the inner payloads written in C# .NET. Both these components are different among the samples Avast found, indicating that the malware’s builder is able to customize each element individually.

The VB core used a large amount of the code from the SpyEx project (found in 2004) more than once, therefore SpyEx strings were discovered in the early samples from May.

Nevertheless, BluStealer developers created the malware for crypto wallet data theft, crypto addresses in the clipboard exchange, document files detection, and uploading. BluStealer can also exfiltrate data via SMTP, use Telegram Bot API, as well as anti-analysis/anti-VM techniques.

On the other hand, the .NET component is for the most part a credential stealer built from a fusion of open-source C# hack tools dubbed ThunderFox, ChromeRecovery, firepwd, and StormKitty. Researchers noted that all the features are available in a single sample.

In addition, this .NET Loader has been employed by malware families such as Snake Keylogger, Formbook, RedLine, Agent Tesla, Oski Stealer, as well as BluStealer.

How Do You Get Infected with BluStealer Malware?

As we said before, cybercriminals deliver this malware via malspam operations. The spam emails contain links to Discord’s Content Delivery Network (cdn.discord.com.).

Researchers discovered two BluStealer malspam samples. The first one poses as a false English DHL invoice, while the second is a fake notification allegedly coming from the Mexican metal organization General de Perfiles.

The two samples included .iso attachments, as well as download URLs. The received messages urged the victims to immediately open and fill out their details in order to fix the problem. The attachments include the malware executables loaded with .NET Loader.

It is essential to stay alert when it comes to BluStealer malware. The virus uses authentic services in order to avoid exposure and make detection harder for companies. It can become a serious threat for security departments all over the world.

Author Profile

Antonia Din

PR & Video Content Manager

linkedin icon

As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.