BoryptGrab Malware Exploits GitHub to Steal Browser and Crypto Wallet Information

Emerging Threat: BoryptGrab Malware Leverages Deceptive GitHub Repositories for Data Theft

In an ongoing cyber attack campaign, a new malware known as BoryptGrab is being disseminated through a network of fraudulent GitHub repositories. These repositories masquerade as free utilities, gaming cheats, and popular tools, preying on unsuspecting users looking for seemingly legitimate downloads. The malware primarily focuses on pilfering sensitive browser data, cryptocurrency wallet information, and detailed system specifications, while also capturing screenshots, Telegram data, Discord tokens, and saved passwords.

The threat actors behind this malicious campaign have set up over a hundred public GitHub repositories, ingeniously employing SEO-optimized READMEs. This strategic maneuver is intended to boost their visibility in search engine results, placing them alongside authentic projects. These fraudulent repositories promote a variety of enticing downloads, including tools like the “Voicemod Pro download tool,” “Valorant performance boost,” and “CS2 skin changers.” Often, they utilize ZIP file names that feature “github-io” to lend an air of legitimacy.

Once a victim clicks the README link, they are unwittingly redirected through GitHub-hosted pages adorned with Russian comments and employing intricate base64/AES URL redirection tactics. This elaborate redirection ultimately leads them to a counterfeit GitHub download page that dynamically generates a malicious ZIP archive containing the malware.

The campaign itself dates back to at least April 2025, as evidenced by the timestamps of repository commits, with malicious ZIP samples surfacing from late 2025. This indicates a mature and evolving ecosystem behind the operation rather than a fleeting threat. Inside the malicious ZIP files, the infection can initiate either through a DLL side-loading chain or through a VBS/PowerShell downloader that fetches a launcher executable from compromised servers.

These launchers frequently communicate with the attackers' servers over port 5466, passing a "build name" such as Shrek, Leon, CryptoByte, Sonic, or Yaropolk to request a particular payload and to track which lure led to the infection.

Understanding the Mechanics of BoryptGrab

BoryptGrab is designed as a C/C++ information stealer, equipped with checks to evade virtual machines and security analysis. The malware inspects registry keys and process names prior to executing its theft agenda. URLs across identified GitHub repositories exhibit similar patterns, often featuring Russian-language comments and URL-fetching logic, indicating a concerted and organized effort.

The malware is delivered through several chains. In one, a legitimate executable side-loads a malicious libcurl.dll; this library decrypts an embedded launcher payload using XOR and AES-CBC, then executes it to download the primary BoryptGrab stealer and additional payloads. In another, VBS scripts inside the ZIP decode PowerShell commands, add Microsoft Defender exclusions, and retrieve a C/C++ launcher that in turn downloads BoryptGrab over HTTP.

More sophisticated variants utilize a .NET stub that embeds a base64-encoded VBS downloader, or even integrate a Golang-based downloader called HeaconLoad directly within the ZIP. HeaconLoad establishes persistence via registry entries and scheduled tasks, communicating with the attacker’s server through HTTP POST requests, while facilitating the download and execution of further malicious bundles.

The Data Theft Landscape

BoryptGrab primarily harvests browser credentials from well-known browsers such as Chrome, Edge, and Firefox. It borrows techniques from public projects to bypass Chrome App-Bound Encryption and decrypt stored passwords. The stealer also logs installed applications and uses command-line arguments to control where stolen data is stored.

In addition to browser data, the malware aggressively searches directories for popular cryptocurrency wallet files, including those from Exodus, Electrum, and Binance. It not only gathers these files but also captures screenshots, compiles system data, and runs a Filegraber module to seek out specific file extensions from common directories.

Beyond browser and wallet data, BoryptGrab also steals Telegram data and Discord tokens from its victims, significantly raising the risk of account takeover. Once collection is complete, the malware compresses the gathered information and uploads it to the attackers' infrastructure, and may then retrieve and execute TunnesshClient to secure long-term access.

Identifying the Threat and Future Implications

The use of Russian-language comments and specific IP address origins suggests that a Russian-speaking threat actor orchestrates this campaign, although definitive attribution has yet to be confirmed. For cybersecurity professionals and defenders, BoryptGrab exemplifies the complexity and growing sophistication of malware operations.

The combination of SEO-poisoned GitHub repositories, multi-layered downloader architecture, and robust backdoor capabilities underscores the urgent need for vigilance. Organizations should adopt stringent application controls and closely monitor outbound HTTP and SSH traffic patterns to mitigate the risks associated with this evolving threat.
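As an added defensive example (not code from the article or from the research it reports), the Python below scans endpoint and proxy telemetry for three indicators the article describes: ZIP downloads whose file name contains "github-io", PowerShell adding Microsoft Defender exclusions, and outbound connections on port 5466. The log format, host names, IP addresses and file names are constructed assumptions.

```python
import re

# Constructed sample telemetry (assumed format: "<timestamp> <host> <event> <detail>").
# None of these values come from the article; they only exercise the rules below.
SAMPLE_LOGS = [
    "2025-11-02T10:14:03Z ws17 proxy GET https://example-mirror.test/dl/voicemod-pro-github-io.zip 200",
    "2025-11-02T10:14:09Z ws17 process powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\u\\AppData\\Local\\Temp",
    "2025-11-02T10:14:20Z ws17 netconn launcher.exe -> 203.0.113.45:5466 tcp",
    "2025-11-02T10:15:00Z ws17 proxy GET https://github.com/octocat/Hello-World/archive/main.zip 200",
    "2025-11-02T10:15:11Z ws17 netconn chrome.exe -> 140.82.112.3:443 tcp",
]

RULES = [
    # Lure archives: the campaign names ZIPs with "github-io" to look legitimate.
    ("lure_zip_github_io",
     re.compile(r"\bproxy\s+GET\s+\S+github-io[^\s/]*\.zip\b", re.IGNORECASE)),
    # The VBS stage adds Defender exclusions before fetching the launcher.
    ("defender_exclusion_added",
     re.compile(r"powershell(?:\.exe)?\b.*Add-MpPreference\b.*-Exclusion", re.IGNORECASE)),
    # Launchers contact the attackers' servers over TCP port 5466.
    ("outbound_port_5466",
     re.compile(r"\bnetconn\s+\S+\s+->\s+\d{1,3}(?:\.\d{1,3}){3}:5466\b")),
]


def scan(lines):
    """Return (line_index, rule_name) for every line that matches a rule."""
    hits = []
    for idx, line in enumerate(lines):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((idx, name))
    return hits


def hosts_to_triage(lines, min_rules=2):
    """Group hits per host; a host that matches two or more distinct stages of the
    chain is worth triaging as one incident rather than as isolated alerts."""
    per_host = {}
    for idx, name in scan(lines):
        host = lines[idx].split()[1]
        per_host.setdefault(host, set()).add(name)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_LOGS):
        print(f"{name}: {SAMPLE_LOGS[idx]}")
    print("triage:", hosts_to_triage(SAMPLE_LOGS))
```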

As the digital landscape continues to offer opportunities for both legitimate developers and cybercriminals, the cautionary tale of BoryptGrab serves as a stark reminder of the importance of cybersecurity education, proactive defense strategies, and the need for ongoing vigilance against deceptive software downloads masquerading as legitimate tools.
