A new information-stealing malware known as BoryptGrab has been quietly spreading to Windows systems through a network of fake GitHub repositories that pose as download pages for well-known free software. The campaign, active since at least April 2025, relies on search-engine manipulation to make the malicious repositories look legitimate and lures unsuspecting victims into a carefully staged infection chain that ends with sensitive data being silently exfiltrated to the attacker. The threat actor created more than a hundred public GitHub repositories, each posing as a free download page for some tool: productivity apps, cracked software, game cheats and the like.
To rank near the top of search results, the repositories stuff their README files with SEO-optimised keywords and frequently appear alongside legitimate results. When a user clicks a download link on one of these pages, they are bounced through a series of redirects, including base64-encoded and AES-encrypted URLs, before landing on a fake download page that generates and serves a malicious ZIP file. The infection chain includes a VBS downloader that adds a Windows Defender exclusion path before the stealer itself is fetched.
Figure: the VBS downloader configures a Windows Defender exclusion path (Source: Trend Micro).
The stealer then extracts protected browser credentials using Chrome App-Bound Encryption bypass code lifted from public GitHub repositories. It gathers everything it can reach, packs it into an archive and quietly uploads it to the attacker's server.
Users should avoid downloading free tools from unknown GitHub repositories and obtain software only from reputable, official sources. Security teams should watch for unusual outbound traffic to unknown servers, sudden changes to Windows Defender exclusions and unexpected scheduled tasks. Verifying software downloads and keeping endpoint security tooling up to date will greatly reduce exposure to campaigns like this one.
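The VBS downloader's Defender exclusion and the advice to watch for exclusion changes point to the same detection: Microsoft Defender records every configuration change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational channel, and a newly added exclusion shows up in that event's "New value" field under the Exclusions registry key. The Python below is an added example written for this page, not code from the Trend Micro report or from the campaign; the log messages are constructed, and the list of user-writable staging locations is an assumption about where a downloader would drop its payload.

```python
"""Flag Microsoft Defender exclusion additions in Event ID 5007 messages."""
import re
from dataclasses import dataclass

# Event ID 5007 is logged whenever Defender's configuration changes. An added
# exclusion appears as "New value: HKLM\...\Exclusions\<Kind>\<value> = 0x0".
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x0",
    re.IGNORECASE,
)

# Assumed staging locations a downloader writes to; an exclusion covering one
# of these is far more suspicious than one covering a vendor install directory.
USER_WRITABLE = ("c:\\users\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")


@dataclass
class Finding:
    event_id: int
    kind: str      # Paths, Extensions or Processes
    value: str     # the excluded path, extension or process
    high_risk: bool


def parse_exclusion(event_id, message):
    """Return a Finding if this event adds a Defender exclusion, else None."""
    if event_id != 5007:
        return None
    m = EXCLUSION_RE.search(message)
    if not m:
        return None  # some other Defender setting changed
    kind, value = m.group("kind"), m.group("value").strip()
    # Path exclusions under user-writable directories are the downloader pattern;
    # whole-extension exclusions are rarely legitimate on a workstation.
    risky = kind == "Paths" and any(tok in value.lower() for tok in USER_WRITABLE)
    risky = risky or kind == "Extensions"
    return Finding(event_id, kind, value, risky)


def scan(events):
    """Run parse_exclusion over a sequence of {"id", "message"} event dicts."""
    findings = []
    for ev in events:
        f = parse_exclusion(ev["id"], ev["message"])
        if f:
            findings.append(f)
    return findings


# Constructed sample events for demonstration; not captured from a real incident.
PREFIX = ("Microsoft Defender Antivirus Configuration has changed. If this is an "
          "unexpected event you should review the settings as this may be the "
          "result of malware. Old value:  ")
SAMPLE_EVENTS = [
    {"id": 5007, "message": PREFIX + "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                            "\\Exclusions\\Paths\\C:\\Users\\alice\\AppData\\Local\\Temp\\setup = 0x0"},
    {"id": 5007, "message": PREFIX + "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                            "\\Exclusions\\Paths\\C:\\Program Files\\Vendor\\App = 0x0"},
    {"id": 5007, "message": PREFIX + "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                            "\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1"},
    {"id": 1116, "message": "Microsoft Defender Antivirus has detected malware or other "
                            "potentially unwanted software."},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(("HIGH  " if f.high_risk else "info  ") + f"{f.kind}: {f.value}")
```

Feed it the messages from a `Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational"` export (or the equivalent SIEM field) and treat any high-risk finding on a workstation as a trigger to pull the file at the excluded path and check what dropped it.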