A sophisticated new malware strain, dubbed BoryptGrab, is actively compromising Windows systems by masquerading as legitimate software within a network of deceptive GitHub repositories. This data-stealing operation, active since at least April 2025, leverages search engine optimization tactics to lure unsuspecting users into downloading malicious files, ultimately exfiltrating sensitive browser and cryptocurrency wallet data.
The threat actor has established over a hundred public GitHub repositories designed to appear as official sources for free software, including game cheats, cracked applications, and productivity tools. By employing SEO-optimized keywords in their README files, these fake repositories achieve high search engine rankings, often placed alongside genuine results. Trend Micro analysts identified the BoryptGrab campaign while investigating suspicious ZIP file activity, tracing the infection chain back to these malicious GitHub pages.
BoryptGrab Stealer Campaign Exploits GitHub for Data Theft
The BoryptGrab campaign demonstrates a multi-component operation with various payload variants identified by internal build names such as “Shrek,” “Sonic,” “Yaropolk,” and “CryptoByte,” indicating an organized and continuously developed threat.
The malware is engineered to pilfer a wide array of sensitive information. This includes credentials and cookies from popular browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Brave, and Yandex Browser. Additionally, BoryptGrab targets data from over 30 desktop cryptocurrency wallet applications and browser extensions, encompassing prominent names like Exodus, Electrum, Ledger Live, Atomic, and Trezor Suite.
Beyond browser and financial data, the malware captures screenshots, collects files from Telegram and Discord, steals Discord tokens, gathers common system files, and extracts user information. All compromised data is then archived and silently uploaded to a server controlled by the attacker. A particularly concerning feature of this campaign is the inclusion of TunnesshClient, a backdoor delivered as a PyInstaller executable. This tool establishes a reverse SSH tunnel to the attacker’s server, enabling them to execute remote shell commands, browse and transfer files from the victim’s machine, and utilize the compromised system as a SOCKS5 proxy.
Evidence, including Russian-language comments within the malware’s code and associated IP addresses, strongly suggests the threat actor originates from Russia. This organized approach to malware distribution and data exfiltration highlights a significant and ongoing cyber threat.
Inside the Infection Mechanism of BoryptGrab
The infection process commences when a user downloads a ZIP file from one of the deceptive GitHub-hosted pages. The index.htm file within these pages contains Russian-language comments and redirects the user’s browser to a home.html page. This page is responsible for decoding a hardcoded base64-encoded URL, subsequently forwarding the user to a final, fake download page.
This final page dynamically generates and serves a malicious ZIP file specifically crafted for the victim’s interaction. Upon extraction, the attacker’s dropper can manifest in several ways. A common variant involves a seemingly legitimate executable that loads a malicious libcurl.dll file. This DLL then decrypts an embedded launcher payload using XOR and AES-CBC operations, before contacting the attacker’s server to retrieve the BoryptGrab stealer binary.
In another variant, a VBScript uses obfuscated PowerShell commands to download the malware. Crucially, this script also adds exclusions to Windows Defender in an attempt to stop the installed security software from detecting the malicious files. Once operational, BoryptGrab first checks its environment for signs of a virtual machine by examining registry entries and specific system file paths; this evasion technique is meant to prevent execution inside security analysis sandboxes.
The malware uses Chrome App-Bound Encryption bypass code taken from public GitHub repositories, which lets it extract protected browser credentials. After gathering all accessible data, BoryptGrab packages it into an archive and discreetly transmits it to the attacker.
Users are strongly advised to download software exclusively from verified, official sources and to exercise extreme caution with free tool downloads from untrusted GitHub repositories. Security teams should monitor for unusual scheduled tasks, unexpected changes to Windows Defender exclusion lists, and anomalous outbound network traffic to unknown servers.
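The monitoring advice above, together with the Defender-exclusion and reverse-SSH-tunnel behaviour described earlier, can be turned into a quick host-side triage script. The following PowerShell is an added example written for this page; it is not Trend Micro's tooling or any code from the campaign. It relies only on built-in cmdlets (Get-MpPreference, Get-WinEvent, Get-ScheduledTask, Get-NetTCPConnection); the 24-hour look-back window, the "user-writable path or script host" heuristic for scheduled tasks, and the assumption that Defender event 5007 messages mention "Exclusions" when an exclusion is added are the author's own choices, not facts stated in the article.

```powershell
# Added defender-side triage example (not from the article or Trend Micro).
# Run in an elevated PowerShell session on the host under investigation.

# 1. Current Windows Defender exclusions. The article notes the dropper's
#    VBScript adds exclusions, so any entry here needs a known owner.
$pref = Get-MpPreference
[PSCustomObject]@{
    ExclusionPath      = $pref.ExclusionPath
    ExclusionExtension = $pref.ExclusionExtension
    ExclusionProcess   = $pref.ExclusionProcess
} | Format-List

# 2. Recent Defender configuration changes. Event ID 5007 in the Defender
#    operational log records platform configuration changes; filtering the
#    message on "Exclusions" is an assumption that works for exclusion edits.
$since = (Get-Date).AddHours(-24)   # assumed look-back window
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message |
    Format-List

# 3. Scheduled tasks whose action runs from a user-writable directory or
#    invokes a script host (heuristic chosen for this example).
$suspiciousPattern = '(?i)(\\AppData\\|\\Temp\\|\\ProgramData\\|powershell|wscript|cscript)'
Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $suspiciousPattern) {
                [PSCustomObject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Command  = $cmd
                }
            }
        }
    } | Format-Table -AutoSize

# 4. Established outbound connections with their owning process. The
#    TunnesshClient backdoor holds a reverse SSH tunnel open, so a long-lived
#    connection to port 22 from a process that is not an SSH client is worth
#    a closer look; private/loopback ranges are skipped.
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$)' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Process   = $proc.ProcessName
            PID       = $_.OwningProcess
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            SshPort   = ($_.RemotePort -eq 22)
        }
    } | Sort-Object SshPort -Descending | Format-Table -AutoSize
```

None of the four checks is conclusive on its own: legitimate software adds exclusions and scheduled tasks too. The value is in the combination the article describes, a fresh Defender exclusion, a new task launching from AppData or via wscript/powershell, and an unexpected persistent outbound connection appearing on the same host around the same time.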
Maintaining up-to-date endpoint security tools and diligently verifying software downloads are critical measures to significantly reduce exposure to these malicious campaigns. The continued evolution of such threats necessitates ongoing vigilance and adaptation of security practices.