A newly documented BlankGrabber infection chain is using a bogus “certificate” loader to disguise a multi-stage Windows compromise, adding another layer of deception to a commodity stealer already known for targeting browser credentials, crypto wallets and messaging sessions. Security researchers say the campaign abuses certutil.exe, a legitimate Windows utility, to make malicious code appear routine, while later stages rely on Rust, Python and packed archives to stay hidden from static scans and frustrate analysts.
The technique was detailed by Splunk’s Threat Research Team on 27 March and amplified in wider security reporting on 28 March. According to that analysis, the attack begins with a loader hosted on Gofile that appears to decode and install a Windows certificate. Closer inspection showed the embedded data was not a certificate at all, but a compiled Rust executable acting as a stager. That stager decrypts and launches the next payload only after basic checks, a design that helps the malware slip past superficial inspection and blend into normal system activity.
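certutil -decode does nothing more than strip the BEGIN/END lines and base64-decode whatever sits between them, so a “certificate” file is whatever its author chose to put there. The Python below is added here and is not code from Splunk’s report or from the loader itself; it runs the check a responder would apply to such a file: decode the body the same way certutil does, then test whether the result starts with an MZ/PE header rather than the single outer DER SEQUENCE that a real X.509 certificate consists of. The sample inputs are constructed stand-ins, not bytes from the campaign.

```python
import base64
import struct

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def pem_body(text: str) -> bytes:
    """Decode the base64 between the PEM markers, as certutil -decode would."""
    inside, lines = False, []
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            inside = True
        elif line == END:
            break
        elif inside and line:
            lines.append(line)
    return base64.b64decode("".join(lines))


def der_spans_whole_blob(blob: bytes) -> bool:
    """A real X.509 certificate is one outer DER SEQUENCE (tag 0x30) whose
    encoded length covers the entire file; anything else is not a certificate."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return header + length == len(blob)


def classify(blob: bytes) -> str:
    """Label the decoded bytes: a PE file posing as a certificate, or real DER."""
    if blob[:2] == b"MZ" and len(blob) >= 0x40:
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]   # offset of the PE header
        if blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe-executable"
        return "mz-header-only"
    if der_spans_whole_blob(blob):
        return "der-sequence"
    return "unknown"


def triage_pem(text: str) -> str:
    return classify(pem_body(text))


def to_pem(blob: bytes) -> str:
    """Wrap raw bytes in certificate markers with 64-column base64, the layout a
    fake-certificate loader uses so that certutil -decode accepts it."""
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{body}\n{END}\n"


# Constructed samples, not bytes from the campaign: a minimal MZ/PE header stub
# and a tiny DER SEQUENCE { INTEGER 5 } standing in for a real certificate.
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 32
TINY_DER = bytes.fromhex("3003020105")

if __name__ == "__main__":
    print("fake cert  ->", triage_pem(to_pem(FAKE_PE)))   # pe-executable
    print("real shape ->", triage_pem(to_pem(TINY_DER)))  # der-sequence
```

The DER check is deliberately shallow: it does not parse the certificate, only confirms that the outer length field accounts for the whole file, which a PE or an arbitrary blob will fail.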
Researchers said the Rust component also looks for signs of sandboxing and virtualised analysis, including suspicious usernames, hostnames and driver artefacts associated with malware labs. If the host appears genuine, it drops a self-extracting RAR archive into the temporary directory using filenames made to resemble ordinary Windows or software-update components, such as RuntimeBroker.exe or MicrosoftEdgeUpdate.exe. In the sample studied by Splunk, that archive contained not only BlankGrabber but also XWorm, a remote-access trojan, giving operators a combination of credential theft and persistent remote control on the same machine.
That pairing matters because it reflects a broader shift in the lower-cost malware economy. BlankGrabber has long been treated as a “commodity” infostealer rather than a bespoke espionage toolkit, but the latest chain shows how off-the-shelf malware is adopting more elaborate delivery mechanisms once associated with higher-end crews. ANY.RUN describes Blank Grabber as an open-source Python stealer with a builder interface that lowers the barrier for entry, while its public GitHub repository openly advertises build steps and the project’s feature set. That mix of accessibility and increasingly layered obfuscation is one reason defenders view such strains as scalable threats rather than mere cybercrime background noise.
Splunk’s breakdown suggests the payload itself remains heavily obfuscated even after the Rust stage succeeds. A PyInstaller-packed executable contains an encrypted blob named blank.aes, which researchers said is decrypted at runtime using a customised routine to recover another ZIP archive. That archive then reveals a further Python stub encoded through several techniques, including compression, Base64, ROT13 and string reversal, before the final operational stealer is restored. The result is a chain designed not simply to infect a machine, but to slow down reverse engineering at each stage and reduce the chances of a clean signature-based detection.
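Stacked encodings of that kind are something an analyst would rather unwrap statically than execute. The Python example below is added here and is not Splunk’s tooling or BlankGrabber’s own code: it parses a stub of the form exec(zlib.decompress(base64.b64decode(...))) with the ast module, reads the wrapper calls off the expression, applies their inverses to the embedded literal, and repeats while the recovered text is itself another exec() stub. The stub layout, the layer order (zlib, Base64, ROT13, reversal) and the final payload are constructed for illustration; the sample’s actual order and its custom AES routine are not reproduced.

```python
import ast
import base64
import codecs
import zlib


def _as_text(x):
    return x.decode() if isinstance(x, bytes) else x


# Inverse of each wrapper a stacked stub applies at run time. The stubs switch
# between str and bytes, so every inverse accepts either.
INVERSE = {
    "decompress": zlib.decompress,                                # zlib.decompress(x)
    "b64decode": base64.b64decode,                                # base64.b64decode(x)
    "rot13": lambda x: codecs.decode(_as_text(x), "rot13"),       # codecs.decode(x, "rot_13")
    "reverse": lambda x: x[::-1],                                 # x[::-1]
    "decode": _as_text,                                           # x.decode()
    "encode": lambda x: x.encode() if isinstance(x, str) else x,  # x.encode()
}


def _peel(node):
    """Return (wrapper_name, inner_node) for one layer, or None at the literal."""
    if isinstance(node, ast.Constant):
        return None
    if isinstance(node, ast.Subscript) and isinstance(node.slice, ast.Slice):
        step = node.slice.step
        if (isinstance(step, ast.UnaryOp) and isinstance(step.op, ast.USub)
                and getattr(step.operand, "value", None) == 1):
            return "reverse", node.value
    if isinstance(node, ast.Call):
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else func.id
        if name == "decode" and len(node.args) == 2 and isinstance(node.args[1], ast.Constant):
            codec = str(node.args[1].value).lower().replace("_", "").replace("-", "")
            return codec, node.args[0]                            # codecs.decode(x, "rot_13")
        if not node.args and isinstance(func, ast.Attribute):
            return name, func.value                               # method form: x.decode()
        return name, node.args[0]
    raise ValueError("unsupported wrapper: " + ast.dump(node)[:80])


def unwrap_stub(stub_source: str):
    """Recover the payload of exec(<wrappers>(<literal>)) without running it."""
    tree = ast.parse(stub_source)
    calls = [n for n in ast.walk(tree)
             if isinstance(n, ast.Call) and isinstance(n.func, ast.Name) and n.func.id == "exec"]
    if not calls:
        raise ValueError("no exec() call in stub")
    node, wrappers = calls[0].args[0], []
    while (layer := _peel(node)) is not None:
        wrappers.append(layer[0])
        node = layer[1]
    data = node.value
    for name in reversed(wrappers):        # the innermost wrapper was applied first
        data = INVERSE[name](data)
    return data


def unwrap_all(stub_source: str, max_depth: int = 10) -> str:
    """Keep peeling while the recovered text is itself another exec() stub."""
    source = stub_source
    for _ in range(max_depth):
        if "exec(" not in source:
            return source
        source = _as_text(unwrap_stub(source))
    raise ValueError("stub nested deeper than max_depth")


def build_stub(inner: str) -> str:
    """Constructed for this example: wrap source the way a stacked stub does
    (zlib -> Base64 -> ROT13 -> reversal) and emit a loader line that undoes it."""
    data = codecs.encode(base64.b64encode(zlib.compress(inner.encode())).decode(), "rot13")[::-1]
    return ("import base64, codecs, zlib\n"
            f"exec(zlib.decompress(base64.b64decode(codecs.decode({data!r}[::-1], 'rot_13'))))\n")


FINAL_PAYLOAD = "print('final stage would start the stealer here')\n"   # constructed stand-in
TWO_STAGE_STUB = build_stub(build_stub(FINAL_PAYLOAD))

if __name__ == "__main__":
    print(unwrap_all(TWO_STAGE_STUB), end="")
```

Because the wrappers are read from the syntax tree rather than executed, the same routine works on a stub whose inner literal is itself another stub, and a wrapper it does not know raises an error instead of silently running anything.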
Once active, the malware casts a wide net. Splunk and ANY.RUN say BlankGrabber targets Chromium and Firefox data stores to collect passwords, cookies, browsing history and autofill records. It also seeks crypto-wallet information and session or token data tied to services such as Telegram and Discord. The analysed code further showed reconnaissance routines that query antivirus products through WMI, profile the host’s network using ip-api.com, harvest saved Wi-Fi credentials with netsh, and capture webcam snapshots to distinguish real users from lab systems while adding to the victim dossier.
The exfiltration method is another reason analysts are paying attention. Splunk said the malware contains an encoded Telegram bot command-and-control identifier and can also upload stolen material to public web services, a tactic that lets operators hide traffic within services that many organisations do not immediately block. The stealer bundles a legitimate rar.exe utility to compress loot into an archive, with the examined sample using the password “Blank123” before sending data outward. Using trusted binaries and public platforms does not make the traffic invisible, but it can make malicious activity harder to distinguish from ordinary internet use at first glance.
For defenders, the report does not suggest an unstoppable threat so much as a noisier one wearing a cleaner disguise. Splunk has already published hunting guidance tied to Telegram API queries from non-Telegram processes, unexpected access to IP-check services, suspicious WinRAR execution outside standard directories, and product-key or browser-store access patterns linked to data theft. The campaign also leans on behaviours that security teams can still flag, including certutil misuse, Windows Defender exclusion changes, UAC-bypass registry activity and unusual files dropped into temporary folders under names that mimic familiar software.