Security researchers have identified a new information-stealing malware family named BoryptGrab, which targets Windows users through malicious GitHub repositories and deceptive download pages. The campaign abuses the trust users place in legitimate development platforms, particularly GitHub, by distributing malware disguised as free software tools.
The attackers leverage search engine optimization (SEO) techniques and publicly accessible repositories to lure victims into downloading ZIP archives that contain the malware. Once executed, BoryptGrab is capable of harvesting sensitive data from infected systems and delivering additional payloads, including a reverse SSH backdoor.
The operation appears to be large-scale and actively maintained, with multiple malware builds and infrastructure linked to the campaign.

Campaign Distribution Strategy
Abuse of GitHub Repositories
The campaign relies heavily on public GitHub repositories that impersonate legitimate software tools. Attackers create repositories claiming to offer free versions of popular utilities or gaming tools.
These repositories often contain:
- README files filled with SEO-optimized keywords
- Links to fake download pages
- ZIP archives containing the malicious payload
Because of SEO manipulation, these repositories can appear high in search engine results, sometimes directly below legitimate software pages.
For example, a repository impersonating a Voicemod Pro download tool was found ranking just below the legitimate result in search queries.
Infection Chain
The attack begins when a user downloads and extracts a ZIP archive from one of the malicious repositories.
Typical attack flow:
- User searches for free software or game tools
- A malicious GitHub repository appears in search results
- The user downloads a ZIP archive from a deceptive download page
- The contained executable launches the BoryptGrab stealer
- Additional payloads may be downloaded and executed
This multi-stage approach enables attackers to maintain flexibility in payload delivery and update malware components dynamically.
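The entry point of the chain described above is a ZIP archive that the victim extracts and runs. A defender or abuse analyst can triage such an archive before anyone opens it by listing entries that Windows would execute directly, that carry a decoy double extension, or that are PE images hiding behind a harmless-looking name. The following script is an added example and is not code from the campaign or from the researchers who reported it; the archive it inspects is built in memory from constructed, labelled sample entries so that the script runs offline.

```python
import io
import zipfile

# Extensions Windows will execute directly on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".msi", ".vbs", ".js", ".hta", ".lnk"}
# Extensions commonly placed before the real one to make a lure look benign.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png",
              ".mp3", ".mp4", ".zip"}


def is_pe_image(head: bytes) -> bool:
    """True if the blob starts with the 'MZ' DOS stub every Windows PE file carries."""
    return head[:2] == b"MZ"


def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per suspicious archive entry, with the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]
            final_ext = exts[-1] if exts else ""
            # Only the first two bytes are needed for the MZ check.
            head = zf.open(info).read(2)

            reasons = []
            if final_ext in EXECUTABLE_EXTS:
                reasons.append("executable extension")
            if len(exts) >= 2 and final_ext in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS:
                reasons.append("double extension (decoy + executable)")
            if is_pe_image(head) and final_ext not in EXECUTABLE_EXTS and final_ext != ".dll":
                reasons.append("PE image under non-executable name")
            if reasons:
                findings.append({"name": name, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive for the example (not a real campaign artifact)."""
    pe_stub = b"MZ" + b"\x00" * 200          # minimal MZ-prefixed blob
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FreeTool_Setup.exe", pe_stub)          # plain executable
        zf.writestr("README.txt", b"Free tool, run the installer.")
        zf.writestr("Manual.pdf.exe", pe_stub)              # decoy double extension
        zf.writestr("assets/data.bin", pe_stub)             # PE hidden as data
        zf.writestr("docs/license.txt", b"MIT")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f"{f['name']:<24} {f['size']:>6} B  {', '.join(f['reasons'])}")
```

To use it on a real download, pass `open(path, "rb").read()` to `triage_zip` instead of the constructed archive; anything flagged is worth a sandbox or reputation check before the archive is handed to a user.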
BoryptGrab Malware Capabilities
The BoryptGrab stealer is designed to harvest a wide range of sensitive information from compromised systems. Its capabilities fall into the following categories.
Credential and Browser Data Theft
The malware extracts stored data from browsers, including:
- Saved credentials
- Autofill data
- Browser session information
Cryptocurrency Wallet Data
BoryptGrab also targets cryptocurrency wallets, enabling attackers to steal digital assets stored locally.
Messaging and Platform Tokens
The stealer collects authentication tokens and related information from:
- Telegram
- Discord
These tokens can be reused by attackers to hijack user accounts.
System and File Collection
Additional information gathered includes:
- System configuration details
- Commonly stored files
- Screenshots of the infected system
The breadth of collected information suggests the malware is designed for data exfiltration and credential harvesting at scale.
Secondary Payload: TunnesshClient Backdoor
Some BoryptGrab variants deploy an additional payload named TunnesshClient, a backdoor packaged with PyInstaller.
This component establishes a reverse Secure Shell (SSH) tunnel that allows attackers to maintain remote access to compromised systems.
Key features of TunnesshClient include:
- Reverse SSH communication with attacker infrastructure
- Operation as a SOCKS5 proxy
- Covert remote command execution
- Delivery of additional payloads
This capability significantly increases the attacker’s control over infected machines.
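From the host's side, the backdoor described above leaves two observable traces: a Python runtime unpacked into a PyInstaller `_MEI` temporary directory, and a long-lived outbound SSH session opened by a binary that is not a recognised SSH client. The following hunting script is an added example, not code from the campaign or from the researchers; it scores constructed EDR-style telemetry records (process image, loaded modules, one outbound connection each) and reports those that combine these traits. The allow-list of SSH clients, the field names and the scoring weights are assumptions to adapt to a real telemetry source.

```python
import re

# Assumed allow-list of SSH client binaries an organisation expects to see on port 22.
KNOWN_SSH_CLIENTS = {
    r"c:\windows\system32\openssh\ssh.exe",
    r"c:\program files\putty\putty.exe",
    r"c:\program files\putty\plink.exe",
}
# PyInstaller one-file bundles unpack their runtime into %TEMP%\_MEI<digits>\.
MEI_DIR_RE = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)
LONG_SESSION_S = 3600   # assumed threshold for a "persistent" SSH session

# Constructed telemetry (TEST-NET addresses, made-up paths); not real IoCs.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Users\alice\Downloads\FreeTool\client.exe",
     "modules": [r"C:\Users\alice\AppData\Local\Temp\_MEI43122\python311.dll",
                 r"C:\Users\alice\AppData\Local\Temp\_MEI43122\_ssl.pyd"],
     "remote_ip": "203.0.113.45", "remote_port": 22, "duration_s": 5400},
    {"pid": 2210, "image": r"C:\Windows\System32\OpenSSH\ssh.exe", "modules": [],
     "remote_ip": "198.51.100.7", "remote_port": 22, "duration_s": 120},
    {"pid": 5580, "image": r"C:\Program Files\DevTool\build.exe",
     "modules": [r"C:\Users\bob\AppData\Local\Temp\_MEI12345\python311.dll"],
     "remote_ip": "198.51.100.20", "remote_port": 443, "duration_s": 3},
    {"pid": 6010, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "modules": [],
     "remote_ip": "198.51.100.80", "remote_port": 443, "duration_s": 30},
]


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Score one telemetry record; higher means more reverse-SSH-backdoor-like."""
    score, reasons = 0, []
    if any(MEI_DIR_RE.search(m) for m in ev["modules"]):
        score += 1
        reasons.append("Python runtime loaded from a PyInstaller _MEI temp directory")
    if ev["remote_port"] == 22 and ev["image"].lower() not in KNOWN_SSH_CLIENTS:
        score += 2
        reasons.append("outbound SSH from a non-standard client binary")
    if ev["remote_port"] == 22 and ev["duration_s"] >= LONG_SESSION_S:
        score += 1
        reasons.append("long-lived SSH session (possible reverse tunnel)")
    return score, reasons


def hunt(events: list[dict], threshold: int = 3) -> list[tuple[int, int, list[str]]]:
    """Return (pid, score, reasons) for every record at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["pid"], score, reasons))
    return hits


if __name__ == "__main__":
    for pid, score, reasons in hunt(SAMPLE_EVENTS):
        print(f"pid {pid} score {score}: " + "; ".join(reasons))
```

The PyInstaller trait alone is a weak signal, since legitimate tools are shipped the same way (the `build.exe` record scores only 1); the default threshold requires it to coincide with SSH from an unexpected binary, which is the combination the backdoor produces. Lowering the threshold to 1 turns the script into a broader inventory of PyInstaller-packaged processes for manual review.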
Additional Payloads
Besides the custom stealer and backdoor, the campaign has also been observed delivering variants of the Vidar stealer, a well-known credential-stealing malware family.
These variants include code obfuscation techniques, which help evade detection by security tools.
Attribution Indicators
Several indicators suggest possible links to Russian-speaking threat actors:
- Malware code includes Russian-language comments and log messages
- Some associated IP addresses are located in Russia
- Multiple compiled versions of the malware have been identified
However, definitive attribution remains uncertain.
Evasion and Technical Sophistication
BoryptGrab demonstrates multiple characteristics associated with modern malware operations:
- Dynamic payload staging
- Encrypted payload components
- Anti-virtual machine (anti-VM) checks
- Anti-debugging mechanisms
These techniques make analysis more difficult and allow the malware to evade automated detection systems.
Security Implications
The BoryptGrab campaign highlights a growing trend where attackers exploit trusted developer ecosystems and open-source platforms to distribute malware.
Key risks include:
- Trust abuse of platforms such as GitHub
- Increased effectiveness through SEO manipulation
- Rapid distribution through numerous repositories
- Multi-stage payload delivery enabling adaptable attacks
The presence of dozens of repositories and continuously changing builds suggests the campaign is actively maintained and evolving.
Conclusion
BoryptGrab represents a sophisticated malware campaign that combines social engineering, search engine manipulation, and multi-stage malware delivery to target Windows users. By leveraging fake GitHub repositories and free-software lures, attackers exploit user trust in open-source ecosystems.
With capabilities ranging from credential theft and cryptocurrency wallet harvesting to persistent backdoor access, the malware poses a significant risk to individuals and organizations. The campaign demonstrates how modern threat actors increasingly rely on legitimate platforms and large-scale distribution tactics to maximize infection success while evading detection.
