Baldr, or how to get pwned for cheating on Fortnite

Hi everyone,

Do you know Baldr? No? Let me rephrase my question. Do you cheat at games like Counter-Strike, Apex Legends, PUBG or, in a nutshell, any other popular game?

If the answer is yes, well, you should expect your house to be the next target of the Area 51 Facebook storm group, because it’s thanks to people like you that I just can’t manage to reach Prestige 70 on Cole Off Douty Modern Advanced Warfare 3!!

Well, more seriously, you should know that some quacks have managed to profit from cheaters by building a botnet essentially made up of… cheaters!

1 °) The infection

To spread their virus, the Baldr team decided to make quite credible videos about cheating on a whole bunch of games, all uploaded to our beloved YouTube. You know, the same YouTube that recently did some “spring cleaning” by deleting a whole bunch of hacking-related videos. Irony of fate or real stroke of genius, their videos are still online on YouTube even after this so-called and much-contested cleanup. Since they don’t do things by halves, they also advertised their videos on Discord, mainly to attract cheating gamers.

These videos are posted from several accounts and they all have a link in the description. The link leads to an archive which, once unzipped and injected into the game’s files, really does let you cheat in the game, either by shooting faster or by seeing enemies through walls.

Well, that was the funny part or, as I like to call it, “the visible part of the iceberg”. Let’s now look at the submerged one, namely the less fun part.

2 °) The submerged part of the iceberg

Not expensive at all 🤠

Yes, as you can see, Baldr steals all the passwords on the computer, including passwords stored by the browser or by any other application (such as Discord or FileZilla, for instance), and then sends them to the hacker, who will eventually sell every account for a few dollars on the Dark Net.

And it’s not over!

Baldr also turns your PC into a docile zombie that will attack other computers using your Internet connection! Oh, I see the crowd starting to make a fuss! Unfortunately, this is still the best case, because your beloved Internet connection can also be rented out, at prices that would make any Internet Service Provider sick, as an anonymous proxy or, even worse, as a Tor hidden service.

Oh, I almost forgot the classic and inevitable cryptocurrency mining!! Yeah, because even CPU usage is profitable for Baldr.
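What the password exposure described above looks like from the defender’s side, as an added example that is not part of the original post: a Python audit that lists which saved FileZilla sites keep a recoverable password, without ever printing a secret. The XML layout (the one found in `%APPDATA%\FileZilla\sitemanager.xml`) and the sample data are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout FileZilla uses for sitemanager.xml
# (assumption: <Server> entries with <Host>, <User> and <Pass encoding=...>).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.org</Host><Port>21</Port>
      <User>alice</User>
      <Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass>
      <Name>old hosting</Name>
    </Server>
    <Server>
      <Host>sftp.example.net</Host><Port>22</Port>
      <User>bob</User>
      <Pass encoding="crypt" pubkey="PLACEHOLDER">PLACEHOLDER</Pass>
      <Name>work</Name>
    </Server>
    <Server>
      <Host>ftp.example.com</Host><Port>21</Port>
      <User>carol</User>
      <Name>asks every time</Name>
    </Server>
  </Servers>
</FileZilla3>"""


def audit_sites(xml_text):
    """Return (name, host, user, risk) per saved site, never the secret itself."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            risk = "none-stored"       # nothing on disk for a stealer to take
        elif pw.get("encoding") == "crypt":
            risk = "master-password"   # encrypted, needs the master password
        else:
            risk = "recoverable"       # plain or base64: readable by any process
        findings.append((server.findtext("Name", ""), server.findtext("Host", ""),
                         server.findtext("User", ""), risk))
    return findings


def exposed(findings):
    """Sites whose password should be rotated and removed from the client."""
    return [f for f in findings if f[3] == "recoverable"]


if __name__ == "__main__":
    for name, host, user, risk in audit_sites(SAMPLE):
        print(f"{risk:16} {user}@{host}  ({name})")
```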

3 °) The origins

So where does this evil beast come from? At first sight, it seems that Baldr was first sold on underground forums hosted in Russia.

But is Baldr really the sordid invention of Russian pirates? That’s another question.

Some cool stats 🤠

Indeed, when we sit down and look at the infection statistics for ten seconds, we realize that Indonesia wins the race with 21.85%, against 14.14% for Brazil, and Russia only appears in third place with *only* 13.68%.

Moreover, the code does not contain any Cyrillic characters; everything is written in perfect English. There are also many similarities with other abominations of that kind, like Azorult or GrandStealer, to the point that we can even talk about copy-paste.

Left: Azorult NetscapeToJSON cookie converter function, Right: Baldr NetscapeToJSON cookie converter function 🤠

And here is the icing on the cake: on May 31st, the software vendors sent a note to all customers in which they explain that the developer decided to stop the project. But rather than maintaining the software themselves, these gentlemen kindly invite their customers (mainly Russian, by the way) to look for a replacement.

The mysterious note from Baldr vendors

4 °) What is Baldr concretely?

For me, Baldr belongs to a well-defined category of malware that I like to define as follows:

threat.exe: (mass noun) Malware targeting *only* Windows, which is not very sophisticated but is still massively spread / used, thanks to “cyberkiddos” on «««hackers»»» forums (please note the quotation marks)

Yes, I’m about to bust a myth: when we dig a little into this kind of threat, we generally reach the moment when we end up listening to a tutorial on how to build a genuine Russian botnet. The fact is, I quickly realized that most of the time, the person talking is rarely more than 14 years old and tends to make Roblox videos with all of their friends on their YouTube channel.

Run for your lives!!! Here is the new generation of cybercriminals!!!! 🤠

5 °) How to protect yourself + How to know if you are infected?

Most of the time, when I deal with these “threats.exe”, many people tell me that I didn’t actually say how to protect ourselves, or at least how to detect the infection. I’ll use this post to answer once and for all:


I know, this is not the answer you’d expect from a cybersecurity professional, but this is the sad truth. Windows is a real colander; Windows 10 may be a more modern colander, but it is still a colander, bloated and bugged as heck.

Memes speak for themselves 🤠

Security is a completely ABSENT concept on Windows, updates are a real clusterfuck, and there are still a lot of perfectly updated Windows machines that remain exploitable through vulnerabilities patched ages ago #EternalBlue.

The very concept of antivirus is a real aberration! If a system is well made, it is well made, that’s all. There is no need to fill any gap in its security.

Finally, I don’t know about you, but when I buy a tire, for example, I don’t have to buy a coating to seal the holes in it, do I? Otherwise I’ve definitely been fooled by a quack!

That was protection; now for detection! On Windows, you may not know it, but when you simply “listen”, with no program open, to what your Windows sends over the Internet, you end up with this after only 30 seconds:


This is a network capture made with Wireshark, an open source tool. We can see in this capture that everything in pale green or dark gray is communication your Windows has established with Microsoft telemetry servers.

On paper, telemetry allows Microsoft to know how you use your Windows. Of course, you are supposed to know what it is, because during the installation of Windows, Microsoft actually asked for your permission. But it’s perfectly normal that you accepted, because if you had refused, the installation would have been aborted.

Microsoft simply violates your privacy with your permission.

Setting up a system that would filter all transmissions and drop the suspicious ones (so, a firewall) is simply impossible on Windows, which is why no antivirus vendor has ever tried the maneuver. This is also why we never put firewalls on Windows clients; otherwise they wouldn’t connect to the Internet.


All of this to say, once and for all, that if you’re tired of your computer being abused by 13-year-old kids or web giants, you can simply look for the alternative that suits your needs. I could also make it the subject of a future article if it interests you.

Voilà, I hope you liked this article. Do not hesitate to share it with your friends or colleagues!

Don’t forget to be happy, it’s the most important thing, and see you soon!