CL A.I CyberSecurity Scoring
Company Information
Website: https://thecyberledger.in/
Employees: 2
Followers: 464
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: thecyberledger.in
CL Risk Score (AI oriented)
Industry: Computer and Network Security
Score: 737/1000 (Moderate, Ba); band: between 700 and 749
Updated: 03/04/2026
CL Global Score (TPRM)
Industry: Computer and Network Security
Score locked
Current Score: 737 Ba (Moderate) on a 0 to 1000 scale
1 incident, 0 average impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
| Month | Score |
|---|---|
| June 2026 | 738 |
| May 2026 | 737 |
| April 2026 | 737 |
| March 2026 | 736 |
| February 2026 | 736 |
| January 2026 | 736 |
| December 2025 | 735 |
| November 2025 | 735 |
| October 2025 | 734 |
| September 2025 | 734 |
| August 2025 | 733 |
| July 2025 | 733 |
| April 2025 | 748 |
Cyber Attack
01 Apr 2025 • CL
Mozilla, GitHub, Brave Software, Ledger, Trezor and Opera: BoryptGrab Malware Abuses GitHub to Steal Browser and Crypto Wallet Data
Score: 730; severity: CRITICAL; point impact: -18
Incident ID: THEBRATREMOZGITOPE1773066485
New Windows Stealer "BoryptGrab" Spreads via Fake GitHub Repositories in Large-Scale Campaign
A sophisticated malware campaign is distributing BoryptGrab, a Windows information stealer, through fake GitHub repositories masquerading as free tools, game cheats, and cracked software. The operation, active since at least April 2025, leverages SEO-optimized README files to rank malicious repositories near legitimate projects in search results, tricking users into downloading infected ZIP archives.
### How the Attack Works
Attackers have created over 100 public GitHub repositories advertising enticing but fake software, including:
- "Voicemod Pro download tool"
- "Valorant performance boost"
- "CS2 skin changers"
- Cracked utilities and cheat-style tools
Victims are redirected through GitHub-hosted pages containing Russian-language comments and base64/AES-based URL redirection logic, ultimately landing on a fake GitHub download page that dynamically generates a malicious ZIP file.
### Infection Chain & Malware Capabilities
Once executed, the malware employs multiple infection vectors:
- DLL side-loading (via a malicious `libcurl.dll` that decrypts an embedded launcher using XOR + AES-CBC).
- VBS/PowerShell downloaders that bypass security controls (e.g., adding Microsoft Defender exclusions) and fetch the BoryptGrab stealer from attacker-controlled servers.
- Golang-based downloader (HeaconLoad), which persists via Run-key registry entries and scheduled tasks, beaconing to command-and-control (C2) servers on port 8088.
- TunnesshClient, a PyInstaller-packed backdoor that establishes reverse SSH tunnels, allowing attackers to execute commands, exfiltrate files, or use the victim as a SOCKS5 proxy.
Some variants also deliver obfuscated Vidar stealer payloads via an `/api/custom_exe?build={BUILD_NAME}` endpoint, using XOR encryption and dynamic API resolution to evade detection.
### What BoryptGrab Steals
The C/C++-based stealer includes anti-VM and anti-analysis checks and targets:
- Browser data (Chrome, Edge, Firefox, Opera, Brave, Vivaldi, Yandex, etc.), including stored passwords (bypassing Chrome’s App-Bound Encryption).
- Cryptocurrency wallets (Exodus, Electrum, Ledger Live, Atomic, Binance, Trezor, and dozens more).
- System details, screenshots, Telegram data, and Discord tokens.
- Files with specific extensions (via a "Filegraber" module).
- Installed applications and hardcoded timestamps.
Collected data is compressed and exfiltrated to attacker servers, often followed by the deployment of TunnesshClient for persistent remote access.
### Attribution & Infrastructure
- Russian-language comments and log strings in malware components, along with Russian-hosted IP addresses, suggest a Russian-speaking threat actor, though formal attribution remains unconfirmed.
- C2 servers communicate over ports 5466 and 8088, with build names (e.g., Shrek, Leon, CryptoByte, Sonic, Yaropolk) used to track infection branches.
The campaign demonstrates a mature, evolving ecosystem, combining SEO poisoning, multi-stage downloaders, and SSH-based backdoors to maximize persistence and data theft.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for CL?
What was CL's A.I Rankiteo Cyber Score in May 2026?
What was CL's A.I Rankiteo Cyber Score in April 2026?
What was CL's A.I Rankiteo Cyber Score in March 2026?
What was CL's A.I Rankiteo Cyber Score in February 2026?
What was CL's A.I Rankiteo Cyber Score in January 2026?
What was CL's A.I Rankiteo Cyber Score in December 2025?
What was CL's A.I Rankiteo Cyber Score in November 2025?
What was CL's A.I Rankiteo Cyber Score in October 2025?
What was CL's A.I Rankiteo Cyber Score in September 2025?
What was CL's A.I Rankiteo Cyber Score in August 2025?
What was CL's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on CL's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with CL?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view CL's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?