Roblox Cheaters Targeted: Skuld Stealer and Blank Grabber Malware Lurks in PyPI Packages

Skuld Stealer & Blank Grabber
Image: Imperva

In a recent report by Imperva Threat Research, malicious actors have been found exploiting the Python Package Index (PyPI) to target players of the popular online game Roblox, specifically those using cheats and mods to gain unfair advantages in gameplay. By injecting malware into these packages, threat actors are taking advantage of gamers’ desire for shortcuts, exposing them to serious cybersecurity risks.

Roblox, a gaming platform with millions of users worldwide, has been a fertile ground for mods, cheats, and external tools that alter the game experience. Popular games like Da Hood, which features a gang subculture environment, attract many players who seek to enhance their performance through third-party cheats. These cheats often promise improved accuracy or gameplay benefits, but they also open the door for malicious activity.

Many players, particularly in competitive environments, install these cheats without a second thought. Unfortunately, this practice has become a lucrative target for cybercriminals, who use platforms like GitHub, Discord, and YouTube to distribute compromised tools. According to Imperva’s findings, this new malware campaign directly targets those seeking Roblox hacks, turning their pursuit of gaming advantage into a personal security nightmare.

Imperva’s investigation uncovered that malicious Python packages had been uploaded to PyPI, masquerading as harmless tools for Roblox Da Hood cheaters. These packages were designed to download Windows binaries that included infamous malware like Skuld Stealer and Blank Grabber — both well-known for their ability to steal sensitive data from compromised systems.

One notable example in this campaign involved a package named pysleek, which downloads a binary called zwerve.exe. Upon further examination, the research team found that the maintainers of the repository hosting zwerve.exe had been routinely adding and removing the file, likely to evade detection by automated security tools. By analyzing the binary, it was confirmed that this malware contained info stealers designed to siphon off login credentials, cookies, credit card details, and cryptocurrency wallet information.

The malicious packages were downloaded thousands of times, indicating that many unsuspecting Roblox players were lured in by the promise of cheats. One repository, Zwerve-External, even provided instructions for disabling antivirus software to ensure the cheats could run uninterrupted, further exposing users to malware infection.

The two primary malware variants found in this campaign, Skuld Stealer and Blank Grabber, are powerful tools in the hands of cybercriminals. Skuld Stealer, written in Go, targets Windows systems and exploits the Windows auto-elevation feature to bypass user account control, giving attackers full access to all user sessions. It can steal a wide range of data, from Discord tokens and 2FA codes to cryptocurrency wallets and browsing history.

Blank Grabber, a malware written in Python and C++, is similar in its capabilities, with a focus on stealing sensitive user information and evading detection. Both of these tools, once deployed on the victim’s machine, ensure persistence by running at startup, enabling continuous monitoring and data theft.

Cybercriminals are increasingly targeting these communities with infected packages, leveraging platforms like PyPI, GitHub, and Discord to distribute malware. As a result, players looking for an advantage in Roblox are finding themselves on the receiving end of cyberattacks.

For more information on Imperva’s findings and additional details on this campaign, visit their official blog.

Related Posts: