BoryptGrab Stealer Spreads via Fake GitHub Repositories, Stealing Browser and Crypto Wallet Data


A new data-stealing malware called BoryptGrab has been quietly spreading across Windows systems through a network of fake GitHub repositories, tricking users into downloading what appear to be popular free software tools.

The campaign, which has been active since at least April 2025, uses search engine manipulation to make these malicious repositories look legitimate, luring unsuspecting victims into a carefully constructed infection chain that ends with sensitive data being silently sent to the attacker.

The threat actor set up over a hundred public GitHub repositories, each masquerading as a free download page for various tools such as game cheats, cracked software, and productivity applications.

These repositories use SEO-optimized keywords in their README files to rank near the top of search engine results, often appearing right alongside legitimate results.

Once a user clicks a download link within one of these pages, they are passed through a series of redirections — including base64-encoded and AES-encrypted URLs — before ultimately landing on a fake download page that generates and delivers a malicious ZIP file.

Trend Micro analysts identified the BoryptGrab campaign while tracing suspicious ZIP files circulating in the wild, and were able to map the full infection chain back to these GitHub-hosted pages.


Their investigation revealed not just a single stealer, but a broader multi-component operation running across different payload variants, each tagged with internal build names such as “Shrek,” “Sonic,” “Yaropolk,” and “CryptoByte” — pointing to an organized and actively maintained threat.

BoryptGrab is built to harvest a wide range of sensitive data. It collects credentials and cookies from multiple browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Brave, and Yandex Browser.

It also targets over 30 desktop cryptocurrency wallet applications and browser-based wallet extensions, including Exodus, Electrum, Ledger Live, Atomic, and Trezor Suite.

Beyond that, it captures screenshots, collects Telegram files, Discord tokens, common system files, and user information, then archives and quietly uploads everything to an attacker-controlled server.

A particularly concerning addition to this campaign is TunnesshClient, a backdoor delivered as a PyInstaller executable that builds a reverse SSH tunnel to the attacker’s server.

Through this tunnel, the attacker can execute remote shell commands, browse and transfer files from the victim’s machine, and use the compromised system as a SOCKS5 proxy.

The presence of Russian-language comments throughout the malware’s code and IP addresses associated with Russia suggest the threat actor likely operates from there.

Inside the Infection Mechanism

The infection begins when a victim downloads a ZIP file from one of the fake GitHub-hosted pages.

The page’s index.htm file carries Russian-language comments and redirects the browser to a home.html page, which decodes a hardcoded base64-encoded URL and forwards the user to a final fake download page.

Attack chain (Source - Trend Micro)

That page dynamically generates and serves the malicious ZIP file tailored to the victim’s visit. Inside the ZIP file, the attacker’s dropper can take one of several forms.

In one common variant, a legitimate-looking executable side-loads a malicious libcurl.dll file, which decrypts an embedded launcher payload using XOR and AES-CBC operations before reaching out to the attacker’s server to fetch the BoryptGrab stealer binary.

In another variant, a VBS script uses obfuscated PowerShell commands to download the payload while also adding Windows Defender exclusions to prevent the installed security software from detecting the malicious files.

Once running, BoryptGrab first checks for virtual machine environments by scanning registry entries and specific system file paths, allowing it to avoid triggering inside security analysis sandboxes.

The VBS downloader configures an exclusion path for Windows Defender (Source - Trend Micro)

It uses Chrome App Bound Encryption bypass code, which was sourced from public GitHub repositories, to extract protected browser credentials. After collecting all the data it can reach, it packages everything into an archive and quietly sends it upstream to the attacker.

Users should only download software from verified, official sources and avoid free tool downloads from unknown GitHub repositories. Security teams should watch for unexpected scheduled tasks, sudden Windows Defender exclusion changes, and unusual outbound traffic to unknown servers.
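A defender-side triage script for the three indicators named above, added here as an example; it is not from the Trend Micro report and assumes an elevated PowerShell session on the Windows host being checked, with the 24-hour lookback as an assumed tuning value.

```powershell
# Added triage script (not from the Trend Micro report): checks a Windows host
# for the indicators named above. Run from an elevated PowerShell session.
# $LookbackHours is an assumed tuning knob, not a value from the article.
$LookbackHours = 24
$Since = (Get-Date).AddHours(-$LookbackHours)

# 1. Current Defender exclusions. The VBS downloader adds paths so its files are
#    never scanned; on a managed workstation this list should match policy.
$pref = Get-MpPreference
[PSCustomObject]@{
    ExclusionPath      = $pref.ExclusionPath
    ExclusionExtension = $pref.ExclusionExtension
    ExclusionProcess   = $pref.ExclusionProcess
} | Format-List

# 2. Defender configuration-change events (Event ID 5007 in the Defender
#    Operational log). An added exclusion is logged here with the changed setting.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message | Format-List

# 3. Scheduled tasks registered within the lookback window, with the command
#    each one runs (the Date property is the registration timestamp).
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -ge $Since } |
    ForEach-Object {
        [PSCustomObject]@{
            Task    = $_.TaskPath + $_.TaskName
            Command = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    } | Format-Table -AutoSize -Wrap

# 4. Established outbound connections to non-private addresses, with the owning
#    process. A reverse SSH tunnel shows up as a long-lived connection to
#    port 22 (or another fixed port) from a process that has no reason to talk out.
$privateRe = '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|::1$|fe80:)'
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch $privateRe } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Process   = $proc.ProcessName
            ProcessId = $_.OwningProcess
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    } | Sort-Object Process | Format-Table -AutoSize
```

Review any exclusion, task or connection the script lists against a known-good baseline rather than treating every hit as malicious; legitimate software adds exclusions and tasks too.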

Ensuring that endpoint security tools are kept current and that software downloads are verified will significantly reduce exposure to campaigns of this nature.




