New Windows Stealer "BoryptGrab" Spreads via Fake GitHub Repositories in Large-Scale Campaign
A sophisticated malware campaign is distributing BoryptGrab, a Windows information stealer, through fake GitHub repositories masquerading as free tools, game cheats, and cracked software. The operation, active since at least April 2025, leverages SEO-optimized README files to rank malicious repositories near legitimate projects in search results, tricking users into downloading infected ZIP archives.
How the Attack Works
Attackers have created over 100 public GitHub repositories advertising enticing but fake software, including:
- "Voicemod Pro download tool"
- "Valorant performance boost"
- "CS2 skin changers"
- Cracked utilities and cheat-style tools
Victims are redirected through GitHub-hosted pages containing Russian-language comments and base64/AES-based URL redirection logic, ultimately landing on a fake GitHub download page that dynamically generates a malicious ZIP file.
Infection Chain & Malware Capabilities
Once the downloaded archive is executed, the infection chain relies on several components:
- DLL side-loading via a malicious libcurl.dll, which decrypts an embedded launcher using XOR followed by AES-CBC.
- VBS/PowerShell downloaders that weaken security controls (for example by adding Microsoft Defender exclusions) and fetch the BoryptGrab stealer from attacker-controlled servers.
- Golang-based downloader (HeaconLoad), which persists via Run-key registry entries and scheduled tasks, beaconing to command-and-control (C2) servers on port 8088.
- TunnesshClient, a PyInstaller-packed backdoor that establishes reverse SSH tunnels, allowing attackers to execute commands, exfiltrate files, or use the victim as a SOCKS5 proxy.
Some variants also deliver obfuscated Vidar stealer payloads via an /api/custom_exe?build={BUILD_NAME} endpoint, using XOR encryption and dynamic API resolution to evade detection.
What BoryptGrab Steals
The C/C++-based stealer includes anti-VM and anti-analysis checks and targets:
- Browser data (Chrome, Edge, Firefox, Opera, Brave, Vivaldi, Yandex, etc.), including stored passwords (bypassing Chrome’s App-Bound Encryption).
- Cryptocurrency wallets (Exodus, Electrum, Ledger Live, Atomic, Binance, Trezor, and dozens more).
- System details, screenshots, Telegram data, and Discord tokens.
- Files with specific extensions (via a "Filegraber" module).
- Installed applications and hardcoded timestamps.
Collected data is compressed and exfiltrated to attacker servers, often followed by the deployment of TunnesshClient for persistent remote access.
Attribution & Infrastructure
- Russian-language comments and log strings in malware components, along with Russian-hosted IP addresses, suggest a Russian-speaking threat actor, though formal attribution remains unconfirmed.
- C2 servers communicate over ports 5466 and 8088, with build names (e.g., Shrek, Leon, CryptoByte, Sonic, Yaropolk) used to track infection branches.
The campaign demonstrates a mature, evolving ecosystem, combining SEO poisoning, multi-stage downloaders, and SSH-based backdoors to maximize persistence and data theft.
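As an added example (not code from the article or from the researchers it cites), the Python triage script below checks constructed Windows telemetry lines for the behaviours described in the infection-chain and infrastructure sections: Defender exclusions added from PowerShell, Run-key and scheduled-task persistence, a libcurl.dll loaded from a user-writable folder, connections to ports 5466/8088, and the /api/custom_exe?build= URL with the listed build names. The event format, the sample events, the user name, the paths and the IP addresses are all constructed for this example. The article says only that exclusions are added, not which command is used, so matching on Add-MpPreference is an assumption.

```python
"""Triage of constructed Windows telemetry for the BoryptGrab chain.

Added example: the indicators come from the article (Defender exclusions,
Run-key/scheduled-task persistence, side-loaded libcurl.dll, C2 on
5466/8088, /api/custom_exe?build=<name>); the event format, hosts,
paths and IPs below are constructed for this demo, not real telemetry.
"""
import re
from dataclasses import dataclass

C2_PORTS = {5466, 8088}                       # ports named in the article
KNOWN_BUILDS = {"Shrek", "Leon", "CryptoByte", "Sonic", "Yaropolk"}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
SCHTASKS_RE = re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)
# Assumption: exclusions are added with Add-MpPreference; the article only
# says exclusions are added, not which command is used.
DEFENDER_EXCL_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)
BUILD_URL_RE = re.compile(r"/api/custom_exe\?build=(?P<build>[\w-]+)")
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)


@dataclass
class Finding:
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Constructed 'key=value|key=value' event format -> dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def triage_event(line: str) -> list:
    """Return the findings a single event triggers (possibly none)."""
    ev = parse_event(line)
    kind = ev.get("type")
    out = []
    if kind == "process":
        cmd = ev.get("cmdline", "")
        if DEFENDER_EXCL_RE.search(cmd):
            out.append(Finding("defender_exclusion", cmd))
        if SCHTASKS_RE.search(cmd):
            out.append(Finding("schtasks_persistence", cmd))
    elif kind == "registry":
        key = ev.get("key", "")
        if RUN_KEY_RE.search(key):
            out.append(Finding("runkey_persistence", f"{key} -> {ev.get('value', '')}"))
    elif kind == "network":
        port = int(ev.get("dport", "0"))
        if port in C2_PORTS:
            out.append(Finding("c2_port", f"{ev.get('image', '?')} -> {ev.get('dst', '?')}:{port}"))
    elif kind == "http":
        m = BUILD_URL_RE.search(ev.get("url", ""))
        if m:
            build = m.group("build")
            tag = "known build" if build in KNOWN_BUILDS else "unknown build"
            out.append(Finding("vidar_build_url", f"{build} ({tag})"))
    elif kind == "imageload":
        module = ev.get("module", "")
        # libcurl.dll is a normal dependency; the suspicious case is a copy
        # sitting next to the dropped EXE in a user-writable folder.
        if module.lower().endswith("\\libcurl.dll") and USER_WRITABLE_RE.match(module):
            out.append(Finding("dll_sideload", f"{ev.get('image', '?')} loaded {module}"))
    return out


def triage(lines) -> list:
    """Run triage_event over every line and flatten the findings."""
    findings = []
    for line in lines:
        findings.extend(triage_event(line))
    return findings


# Constructed sample events (RFC 5737 addresses, made-up user and paths).
SAMPLE_EVENTS = [
    r'type=process|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell -ep bypass -c "Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Local\Temp"',
    r"type=process|image=C:\Windows\System32\schtasks.exe|cmdline=schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\alice\AppData\Roaming\upd.exe",
    r"type=registry|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater|value=C:\Users\alice\AppData\Roaming\upd.exe",
    r"type=network|image=C:\Users\alice\AppData\Roaming\upd.exe|dst=203.0.113.10|dport=8088",
    r"type=http|image=C:\Users\alice\AppData\Roaming\upd.exe|url=http://203.0.113.10:5466/api/custom_exe?build=Shrek",
    r"type=imageload|image=C:\Users\alice\Downloads\VoicemodPro\VoicemodPro.exe|module=C:\Users\alice\Downloads\VoicemodPro\libcurl.dll",
    r"type=network|image=C:\Program Files\Mozilla Firefox\firefox.exe|dst=198.51.100.5|dport=443",
    r"type=imageload|image=C:\Program Files\Git\bin\git.exe|module=C:\Program Files\Git\mingw64\bin\libcurl.dll",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

The two benign events at the end (a browser on 443 and a legitimate libcurl.dll under Program Files) are there to show the rules do not fire on ordinary activity; in practice the port rule should be paired with process lineage, since 8088 is also used by legitimate services.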
Source: https://gbhackers.com/boryptgrab-malware/