A new cyber threat identified as BoryptGrab is leveraging a network of over 100 GitHub repositories to spread its malicious software, according to cybersecurity firm Trend Micro. This malware poses a significant risk by targeting sensitive data from various sources including web browsers and cryptocurrency wallets.
Characteristics of the BoryptGrab Stealer
BoryptGrab is designed to extract a wide range of information from infected systems. It can gather data from numerous web browsers and cryptocurrency wallet applications, while also collecting system details and user files. Furthermore, some versions of BoryptGrab are capable of deploying a backdoor called TunnesshClient, which facilitates command-and-control communication through an SSH tunnel.
Trend Micro’s research uncovered that BoryptGrab disguises itself as free software tools within ZIP archives on GitHub, a tactic it has used since late 2025. These archives share common characteristics, such as Russian-language comments and URL-fetching logic, although the methods of execution vary across different instances.
Technical Details and Execution Methods
The BoryptGrab malware utilizes multiple strategies for execution, including DLL sideloading and VBS scripts to launch its executables. Observations also included the use of a .NET executable and a Golang downloader known as HeaconLoad. This variety in execution methods reflects the malware’s adaptability and sophistication.
Additionally, BoryptGrab incorporates advanced checks to evade detection, such as VM and anti-analysis tests, and attempts to run with elevated privileges. It employs Chrome App Bound Encryption techniques and downloads a Chromium helper to gather data from targeted browsers. The malware also harvests files from desktop cryptocurrency wallets and browser extensions.
Impact and Security Implications
The BoryptGrab campaign highlights a growing threat to users who unknowingly download deceptive software from seemingly legitimate GitHub repositories. This operation is part of a broader trend towards more sophisticated and engineered cyber threats. Trend Micro notes that the evolving nature of BoryptGrab, including its ability to obtain Telegram files, browser passwords, and Discord tokens, indicates a significant advancement in malware capabilities.
In conclusion, the BoryptGrab malware campaign underscores the importance of maintaining robust cybersecurity measures and vigilance against deceptive software downloads. Users are encouraged to exercise caution when accessing software repositories and to implement comprehensive security solutions to protect against such threats.
