BlankGrabber: Splunk detections ready
Splunk’s Threat Research team published an analysis of the BlankGrabber trojan, an information stealer that takes browser credentials and session tokens, and released ready-to-use detections in Splunk Security Content so defenders can deploy coverage quickly. The writeup pairs the malware analysis with detection logic you can load into Splunk and run against endpoint telemetry to spot credential theft. (x.com)
A browser cookie can work like a stamped hand at a concert: if you have it, the website often lets you back in without asking for your password again. BlankGrabber is built to steal those cookies, along with saved passwords and other browser data, so an attacker can walk into accounts that already trust the victim’s machine. (splunk.com)

Splunk’s Threat Research team published a new BlankGrabber analysis in late March 2026, and it did more than describe the malware. The team tied the writeup to ready-made detections in Splunk Security Content, so defenders can search for the stealer’s footprints instead of writing rules from scratch. (splunk.com)

BlankGrabber was first identified in 2023, and Splunk describes it as a Python-based information stealer with a modular design. “Modular” here means the malware is built from snap-on parts: operators can swap the components that load the payload, collect data, and send it out without rebuilding the whole tool. (splunk.com)

The delivery methods are ordinary enough to fool people who are not looking for malware. Splunk says BlankGrabber commonly arrives through phishing, cracked software, malicious archives shared on Discord, and fake GitHub utilities that pose as legitimate tools. (splunk.com)

Once it runs, the malware goes after the places where browsers and other applications keep secrets. Splunk’s analytic story says it can collect saved passwords, cookies, autofill data, cryptocurrency wallet information, Discord tokens, and system details from Windows hosts. (splunk.com)

Splunk’s blog focuses on one trick in the loader, the first-stage program that gets the rest of the malware into memory. The researchers describe “certificate decoding” as an illusion: what looks like routine certificate handling is a disguise for the loader’s real behavior, which helps BlankGrabber keep a low profile and slip past simpler defenses. (splunk.com)

The exfiltration step is the handoff, when stolen data leaves the victim’s computer for the attacker. Splunk says BlankGrabber commonly sends that data to attacker-controlled servers through webhooks or encrypted channels. Because that traffic can blend in with ordinary outbound HTTPS, defenders often need telemetry from both the endpoint and the network to catch it cleanly. (splunk.com)

The practical part of this release is the detection pack. Splunk’s March 2026 security content recap says the team expanded BlankGrabber coverage with detections for browser data access, suspicious registry queries, Windows Management Instrumentation (WMI) reconnaissance, and PowerShell exclusion tampering (adding paths or processes to the endpoint antivirus exclusion list) used for defense evasion. (splunk.com)

One of those detections watches for a process that is not a browser touching browser profile data. Splunk’s published logic for “Windows Credential Access From Browser Password Store” is meant to catch the moment a non-browser process reaches into the files where Chromium-based browsers store credentials. As with any allow-list rule, expect to tune it: password managers, backup agents, and some IT tooling read those files legitimately, and a stealer that injects into the browser process itself would not trip it. (splunk.com)

Splunk Security Content is now at version 5.25.0, and the BlankGrabber analytic story is already listed there with linked detections and deployment guidance. That turns the research into something a security team can import, tune, and run the same day instead of waiting for a custom engineering cycle. (splunk.com)
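To make the detection pack concrete, here is an added example (not Splunk’s published SPL and not BlankGrabber code) of the same two ideas in Python, run over a handful of constructed Windows event records: a non-browser process opening a Chromium credential file, and PowerShell adding an antivirus exclusion. It assumes a Chromium profile layout under AppData\Local\<vendor>\<browser>\User Data, a short allow-list of browser executables, and that object-access auditing (4663-style events) plus process-creation and PowerShell script block logging are collected; the rule names, the event dictionaries, the credential file list, and the update.exe process name are all made up for the illustration.

```python
import re

# Illustrative rule set, added as an example (not Splunk's SPL, not malware code).
# Event shapes are constructed to resemble Windows Security 4663 (object access),
# Sysmon Event 1 (process create) and PowerShell 4104 (script block) records.

# Chromium profile files that hold passwords, cookies, autofill data and the DPAPI
# master key. Assumed list for the example; extend it for other browsers.
CREDENTIAL_FILES = {"login data", "cookies", "web data", "local state"}
# Browsers that legitimately read their own profile store (assumed allow-list).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# ...\AppData\Local\<vendor>\<browser>\User Data\...  (case-insensitive)
USER_DATA_RE = re.compile(r"\\appdata\\local\\[^\\]+\\[^\\]+\\user data\\", re.I)
# Add-MpPreference with any -Exclusion* parameter (assumed tampering pattern).
EXCLUSION_RE = re.compile(r"add-mppreference\b[^\n]*-exclusion(?:path|process|extension)\b", re.I)


def basename(path: str) -> str:
    """Last component of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def rule_browser_credential_access(ev: dict):
    """Non-browser process opening a Chromium credential file (4663-style event)."""
    if ev.get("event_id") != 4663:
        return None
    obj = ev.get("object_name", "")
    proc = basename(ev.get("process_name", "")).lower()
    if not USER_DATA_RE.search(obj) or basename(obj).lower() not in CREDENTIAL_FILES:
        return None
    if proc in BROWSER_PROCESSES:
        return None  # the browser reading its own profile is expected
    return ("browser_credential_access", ev["host"], proc, obj)


def rule_defender_exclusion_tampering(ev: dict):
    """PowerShell adding an exclusion, seen in a command line or a script block."""
    text = ev.get("command_line") or ev.get("script_block") or ""
    if ev.get("event_id") not in (1, 4104) or not EXCLUSION_RE.search(text):
        return None
    proc = basename(ev.get("process_name", "powershell.exe")).lower()
    return ("defender_exclusion_tampering", ev["host"], proc, text)


RULES = (rule_browser_credential_access, rule_defender_exclusion_tampering)


def run_rules(events):
    """Return one (rule, host, process, detail) tuple per matching event, in order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: benign records interleaved with the traces a
# stealer would leave. update.exe is a made-up dropped binary.
SAMPLE_EVENTS = [
    {"event_id": 4663, "host": "WS01",
     "process_name": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "object_name": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event_id": 4663, "host": "WS01",
     "process_name": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "object_name": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event_id": 4663, "host": "WS01",
     "process_name": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "object_name": r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"event_id": 1, "host": "WS01",
     "process_name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -Command "Get-MpPreference"'},
    {"event_id": 4104, "host": "WS01",
     "script_block": r"Add-MpPreference -ExclusionPath 'C:\Users\alice\AppData\Local\Temp'"},
    {"event_id": 4663, "host": "WS01",
     "process_name": r"C:\Windows\notepad.exe",
     "object_name": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Running it yields three alerts: update.exe touching Chrome’s Login Data and Edge’s Cookies file, and the script block that adds a Temp folder exclusion; Chrome reading its own profile, Get-MpPreference, and Notepad opening a text file stay quiet. Both rules inherit the limits of the real detections: 4663 events only exist where a SACL audits the profile directory, the allow-list is a blind spot for code injected into a browser, and the Add-MpPreference pattern misses exclusions set through the registry or through obfuscated command lines, so rely on script block logging (which records the decoded script) rather than process command lines alone.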