BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign

Trend Micro researchers have uncovered a large-scale malware distribution campaign using over 100 GitHub repositories to spread BoryptGrab, an information stealer that targets browser credentials, cryptocurrency wallets, and sensitive files while deploying reverse SSH backdoors for persistent access.

The campaign leverages the trust users place in GitHub to distribute malware disguised as legitimate software tools, game cheats, and utilities. Threat actors create deceptive repositories with SEO-optimized README files designed to rank alongside legitimate software in search results, luring victims seeking free downloads.

Attack Infrastructure and Distribution

According to Trend Micro’s research, the malicious repositories follow consistent naming patterns including “github-io” strings that mimic legitimate GitHub Pages projects. Evidence including Russian-language comments in the code and infrastructure indicators suggests the threat actors may have Russian origins.

One documented example mimics a Voicemod Pro download page, directing visitors through encoded URL chains until reaching a fake download page that generates ZIP archives containing the malware payload.

Multiple Infection Vectors

The downloaded ZIP files employ several infection methods:

  • DLL Side-Loading: An executable loads a malicious libcurl.dll that decrypts a hidden launcher payload
  • VBS Downloader: Scripts hide PowerShell commands inside integer arrays, with some variants adding Microsoft Defender exclusions
  • .NET Loader: Alternative delivery mechanism using embedded scripts
  • HeaconLoad: A Golang downloader that maintains persistence via registry entries and scheduled tasks

The launcher uses build names such as “Shrek,” “Leon,” or “CryptoByte” to request specific payloads and establishes scheduled tasks for persistence.

BoryptGrab Stealer Capabilities

BoryptGrab is a C/C++ information stealer with comprehensive data collection capabilities. Before harvesting data, it performs anti-analysis checks including virtual machine detection through registry queries and file checks, process name comparison against a predefined list, and privilege escalation attempts.

Data Targeted by BoryptGrab:

  • Browser Data: Chrome, Edge, Firefox, Opera, Brave, Vivaldi, and Yandex—using techniques to bypass Chrome’s App-Bound Encryption
  • Cryptocurrency Wallets: Exodus, Electrum, Ledger Live, Atomic, Binance, Wasabi, and Trezor
  • System Information: Screenshots, installed applications, and system details
  • Files: Documents with specific extensions from common directories via a “file grabber” module
  • Application Data: Telegram files, Discord tokens (in newer variants), and browser passwords

TunnesshClient Backdoor

Some BoryptGrab variants deploy TunnesshClient, a PyInstaller backdoor that establishes a reverse SSH tunnel to attacker-controlled infrastructure. This enables:

  • Remote command execution
  • File transfer capabilities
  • Use of the infected system as a network proxy

Defensive Recommendations

Organizations and developers should implement the following protections:

  • Verify software downloads through official vendor channels only
  • Be suspicious of GitHub repositories offering free commercial software or game cheats
  • Check repository creation dates, commit history, and contributor authenticity
  • Deploy endpoint detection and response (EDR) solutions capable of identifying DLL side-loading and scheduled task manipulation
  • Monitor for suspicious PowerShell execution and encoded command patterns
  • Implement application allowlisting to prevent execution of unknown binaries
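As an added detection example (not code from Trend Micro's report or the campaign itself), the script below illustrates the integer-array trick described in the VBS downloader bullet and the recommendation above to monitor for encoded PowerShell patterns: it decodes runs of comma-separated integers in a script and flags those whose decoded text contains PowerShell or Defender-exclusion markers. The sample VBS text and the marker list are constructed for this example.

```python
import re

# Markers worth flagging once an integer array has been decoded to text.
# (Constructed for this example; extend with your own detections.)
SUSPICIOUS_MARKERS = (
    "powershell",
    "add-mppreference",
    "exclusionpath",
    "-encodedcommand",
    "downloadstring",
    "hidden",
)

# Matches a run of at least 8 comma-separated integers, e.g. "112, 111, 119, ..."
INT_ARRAY_RE = re.compile(r"(?:\d{1,3}\s*,\s*){7,}\d{1,3}")


def decode_int_array(match_text: str) -> str:
    """Turn "112,111,119" into "pow"; values outside printable ASCII become '.'."""
    chars = []
    for tok in match_text.split(","):
        value = int(tok.strip())
        chars.append(chr(value) if 32 <= value < 127 else ".")
    return "".join(chars)


def scan_script(text: str) -> list[dict]:
    """Return one finding per integer array whose decoded text carries a marker."""
    findings = []
    for m in INT_ARRAY_RE.finditer(text):
        decoded = decode_int_array(m.group(0))
        hits = [k for k in SUSPICIOUS_MARKERS if k in decoded.lower()]
        if hits:
            findings.append({"offset": m.start(), "decoded": decoded, "markers": hits})
    return findings


def encode_for_sample(s: str) -> str:
    """Helper used only to build the constructed sample below."""
    return ", ".join(str(ord(c)) for c in s)


# Constructed sample: a VBS-style script hiding a PowerShell Defender-exclusion
# command in an integer array, modelled on the behaviour described in the article.
SAMPLE_VBS = (
    "Dim a\n"
    "a = Array(" + encode_for_sample("powershell -w hidden Add-MpPreference -ExclusionPath C:\\Users\\Public") + ")\n"
    "' harmless numeric array for comparison\n"
    "b = Array(1, 2, 3, 4, 5, 6, 7, 8, 9, 10)\n"
)

if __name__ == "__main__":
    for f in scan_script(SAMPLE_VBS):
        print(f"offset {f['offset']}: markers={f['markers']} decoded={f['decoded']!r}")
```

Running it over collected script files (or the contents of suspicious ZIP archives) surfaces the decoded command for an analyst, while plain numeric arrays such as `b` produce no finding.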

The BoryptGrab campaign demonstrates how threat actors increasingly abuse trusted platforms like GitHub to distribute malware, highlighting the need for vigilance when downloading software from any source—even those traditionally considered legitimate.