BoryptGrab Stealer Exploits Fake GitHub Repositories to Harvest User Data and Deploy Backdoor Access


A new data-stealing malware, BoryptGrab, has been actively infiltrating Windows systems by leveraging counterfeit GitHub repositories. This campaign, operational since at least April 2025, deceives users into downloading seemingly legitimate free software tools, leading to the unauthorized extraction of sensitive information.

Deceptive Distribution via GitHub

The perpetrators have established over a hundred public GitHub repositories, each masquerading as a source for free downloads of various tools, including game cheats, cracked software, and productivity applications. These repositories are meticulously crafted with SEO-optimized keywords in their README files, ensuring high visibility in search engine results and often appearing alongside genuine resources.

Upon clicking a download link within these repositories, users are subjected to a series of redirections involving base64-encoded and AES-encrypted URLs. This complex redirection chain ultimately leads to a counterfeit download page that generates and delivers a malicious ZIP file to the unsuspecting user.

Discovery and Analysis

Trend Micro analysts identified the BoryptGrab campaign while investigating suspicious ZIP files circulating online. Their research traced the full infection chain back to these GitHub-hosted pages, revealing a sophisticated multi-component operation. The malware variants, internally referred to as Shrek, Sonic, Yaropolk, and CryptoByte, indicate an organized and actively maintained threat.

Comprehensive Data Harvesting

BoryptGrab is engineered to collect a wide array of sensitive data:

– Browser Credentials and Cookies: Targets multiple browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Brave, and Yandex Browser.

– Cryptocurrency Wallets: Aims at over 30 desktop cryptocurrency wallet applications and browser-based wallet extensions, such as Exodus, Electrum, Ledger Live, Atomic, and Trezor Suite.

– Additional Data: Captures screenshots, Telegram files, Discord tokens, common system files, and user information.

The collected data is archived and discreetly uploaded to a server controlled by the attackers.

Advanced Backdoor Capabilities

A notable aspect of this campaign is the inclusion of TunnesshClient, a backdoor delivered as a PyInstaller executable. This component establishes a reverse SSH tunnel to the attacker’s server, enabling remote execution of shell commands, file browsing and transfer from the victim’s machine, and utilization of the compromised system as a SOCKS5 proxy.

Infection Mechanism

The infection process initiates when a victim downloads a ZIP file from one of the fraudulent GitHub-hosted pages. The index.htm file within the ZIP contains Russian-language comments and redirects the browser to a home.html page, which decodes a hardcoded base64-encoded URL and forwards the user to a final fake download page.

This final page dynamically generates and serves the malicious ZIP file tailored to the victim’s visit. Inside the ZIP file, the attacker’s dropper can take various forms. In one common variant, a legitimate-looking executable side-loads a malicious libcurl.dll file, which decrypts an embedded launcher payload using XOR and AES-CBC operations before reaching out to the attacker’s server to fetch the BoryptGrab stealer binary.
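The staging layout described above (an index.htm that forwards to home.html, which decodes a hardcoded base64 URL) and the pairing of a benign-looking executable with a libcurl.dll lend themselves to automated triage of downloaded archives. The Python script below is an added example, not code from the original article or from Trend Micro's analysis. The archive it inspects, its file names, the Cyrillic comment and the URL are constructed sample data, and the heuristics (base64 runs that decode to a URL, meta-refresh targets, Cyrillic text inside HTML, and an .exe sitting next to a libcurl.dll) are my own choices derived from the behaviours the article describes, not signatures published for this campaign.

```python
from __future__ import annotations

import base64
import io
import re
import zipfile
from dataclasses import dataclass

# --- Constructed sample data (hypothetical, not the real campaign's files) ---
SAMPLE_URL = "https://download.example.invalid/get?id=42"  # placeholder URL

# index.htm with a Russian-language comment and a redirect to home.html
SAMPLE_INDEX_HTM = (
    "<!-- переход на страницу загрузки -->\n"
    '<meta http-equiv="refresh" content="0; url=home.html">\n'
)


def make_home_html(url: str) -> str:
    """home.html that decodes a hardcoded base64 URL and navigates to it."""
    encoded = base64.b64encode(url.encode()).decode()
    return f'<script>\n  var u = "{encoded}";\n  window.location = atob(u);\n</script>\n'


def build_sample_zip() -> bytes:
    """In-memory archive mimicking the described stager layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.htm", SAMPLE_INDEX_HTM)
        zf.writestr("home.html", make_home_html(SAMPLE_URL))
        zf.writestr("Setup/Installer.exe", b"MZ placeholder")   # constructed
        zf.writestr("Setup/libcurl.dll", b"MZ placeholder")     # constructed
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Control archive with none of the indicators."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.md", "# tool\n")
        zf.writestr("tool.exe", b"MZ placeholder")
    return buf.getvalue()


# --- Triage heuristics ---
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")     # long base64-looking runs
CYRILLIC_RE = re.compile(r"[\u0400-\u04FF]")          # any Cyrillic character
REFRESH_RE = re.compile(r"url=([^\"'>\s;]+)", re.I)   # meta-refresh target
SIDELOAD_DLLS = {"libcurl.dll"}                       # DLL names worth pairing with an .exe


@dataclass
class TriageReport:
    members: list[str]
    decoded_urls: list[str]          # base64 runs that decode to http(s) URLs
    html_redirects: list[tuple[str, str]]   # (file, redirect target)
    cyrillic_files: list[str]        # HTML/JS members containing Cyrillic text
    sideload_pairs: list[tuple[str, str]]   # (exe, dll) in the same directory

    @property
    def suspicious(self) -> bool:
        return bool(self.decoded_urls or self.sideload_pairs)


def decoded_urls_in(text: str) -> list[str]:
    """Decode every base64-looking run and keep those that yield an http(s) URL."""
    urls = []
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
            s = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        if s.startswith(("http://", "https://")):
            urls.append(s)
    return urls


def sideload_candidates(members: list[str]) -> list[tuple[str, str]]:
    """Pair each .exe with a known side-loadable DLL living in the same directory."""
    by_dir: dict[str, list[str]] = {}
    for name in members:
        d, _, base = name.rpartition("/")
        by_dir.setdefault(d, []).append(base)
    pairs = []
    for d, files in by_dir.items():
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower() in SIDELOAD_DLLS]
        for e in exes:
            for dl in dlls:
                join = (lambda f: f"{d}/{f}" if d else f)
                pairs.append((join(e), join(dl)))
    return pairs


def triage_zip(data: bytes) -> TriageReport:
    """Inspect an archive without executing anything from it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i.filename for i in zf.infolist() if not i.is_dir()]
        report = TriageReport(members, [], [], [], sideload_candidates(members))
        for name in members:
            if not name.lower().endswith((".htm", ".html", ".js")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            if CYRILLIC_RE.search(text):
                report.cyrillic_files.append(name)
            report.html_redirects.extend((name, m.group(1)) for m in REFRESH_RE.finditer(text))
            report.decoded_urls.extend(decoded_urls_in(text))
    return report


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_zip()), ("benign", build_benign_zip())):
        r = triage_zip(blob)
        print(label, "suspicious" if r.suspicious else "clean", r.decoded_urls, r.sideload_pairs)
```

The script only reads archive members; it never extracts them to disk or opens them in a browser, so it can run on a quarantined download. The decoded URLs are the useful output for a responder: they are the next hop in the redirection chain and can be blocked at the proxy or searched for in web logs. Expect false positives from the base64 heuristic on legitimate pages that embed data URIs, so treat a hit as a reason to look closer rather than a verdict.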

Indicators of Russian Origin

The presence of Russian-language comments throughout the malware’s code, together with IP addresses associated with Russia, suggests that the threat actor likely operates from that region.

Mitigation Strategies

To protect against such sophisticated threats, users and organizations should adopt the following measures:

– Verify Software Sources: Always download software from official and reputable sources.

– Exercise Caution with Free Tools: Be wary of free software offerings, especially those related to game cheats or cracked applications, as they are common vectors for malware distribution.

– Implement Robust Security Solutions: Utilize comprehensive security software capable of detecting and blocking malicious activities.

– Regular System Monitoring: Conduct periodic system scans and monitor for unusual activities or unauthorized data access.

– Educate Users: Provide training on recognizing phishing attempts and the risks associated with downloading software from unverified sources.

By remaining vigilant and implementing these strategies, individuals and organizations can significantly reduce the risk of falling victim to malware campaigns like BoryptGrab.