BoryptGrab Malware Spreads Through 292 Fake GitHub Repositories
A fake GitHub repository campaign created hundreds of malicious projects that impersonated legitimate software and cybersecurity tools. The repositories directed users to deceptive download pages that distributed the BoryptGrab infostealer through DLL side-loading.
Arctic Wolf discovered the operation after finding that attackers had impersonated one of its products starting on June 26. Researchers identified 292 malicious GitHub repositories connected to the campaign.
Fake GitHub Repositories Impersonated Trusted Projects
Each repository appeared to offer legitimate software, security products, or premium applications. The attackers copied product names and branding to make the repositories look authentic.
The README files contained links that sent visitors to external download pages. These pages copied visual elements from the impersonated products and displayed messages such as “Download Secure Content.”
The sites also included fake trust badges designed to convince users that the downloads had been verified.
A script on each landing page extracted information from the URL. It used this data to identify the referring GitHub repository and automatically generate the corresponding product branding.
This system allowed the attackers to reuse the same infrastructure across hundreds of fake projects.
Malicious ZIP Files Changed Every Minute
The download pages delivered large ZIP archives whose names and contents changed approximately once per minute. This frequent rotation may have helped the campaign avoid simple file-based detection.
Each archive contained two important files: a legitimate and digitally signed WinGUP updater and a malicious file named libcurl.dll.
The attackers renamed the legitimate updater executable to match the software advertised by the fake repository.
When a victim launched the executable, the trusted WinGUP updater loaded the malicious DLL from the same folder. This technique, known as DLL side-loading, allowed the attackers to execute malicious code through a legitimate signed application.
The trojanized DLL then decoded an embedded infostealer and ran it directly in memory.
BoryptGrab Steals Browser and Wallet Data
Researchers believe the malware belongs to the BoryptGrab infostealer family.
The malware targets passwords, authentication cookies, payment information, browsing data, and other sensitive information stored by more than 19 web browsers.
It also searches for data connected to 32 cryptocurrency wallet brands. This includes wallet credentials, recovery information, and other files that could help attackers steal digital assets.
BoryptGrab also targets several communication and gaming platforms. It attempts to collect:
- Telegram sessions
- Discord tokens
- Steam session tokens
- Credentials from Meta’s Max messaging application
- Data stored in Windows Credential Manager
The malware can use stolen session tokens to access accounts without requiring the victim’s password in some cases.
Infostealer Searches Documents for Recovery Phrases
The malware searches the Desktop and Documents folders for files that may contain passwords, cryptocurrency recovery phrases, wallet information, or backups.
BoryptGrab also captures screenshots, collects system information, and creates a list of installed software. This information can help attackers understand the infected system and identify additional accounts or applications worth targeting.
After collecting information, the malware compresses the stolen data and sends it to a command-and-control server hosted in Russia.
BoryptGrab does not attempt to maintain long-term persistence on the infected device. Instead, it tries to gather as much information as possible during a single execution.
This approach reduces the time the malware remains active but still gives attackers an opportunity to steal browser credentials, cryptocurrency wallet data, session tokens, files, and screenshots.
However, the malware does not use advanced anti-analysis or evasion protections.
It also leaves behind the temporary folder used to stage and compress stolen information. Security teams may use this folder and other artifacts to identify compromised systems.
These operational weaknesses can make BoryptGrab easier for researchers to analyze and for security products to detect.
GitHub Removed Hundreds of Malicious Repositories
GitHub removed many of the malicious repositories after receiving a report about the campaign.
However, several dozen GitHub Pages redirectors reportedly remained active when Arctic Wolf published its findings. These pages could still direct users toward malicious download infrastructure even after the original repositories disappeared.
Researchers could not link the operation to a specific threat actor. Based on the infrastructure and other campaign details, they believe the operator is likely Russian-speaking and financially motivated.
GitHub Continues to Face Malware Campaigns
This is not the first time attackers have used GitHub to distribute malware or impersonate legitimate developer tools.
A malicious version of Claude Code was redistributed through the platform several months ago. A separate malicious Visual Studio Code extension also exposed data from around 3,800 repositories.
Microsoft also restored 73 GitHub repositories following an incident connected to the Miasma Attack.
These incidents show how attackers continue to exploit trusted development platforms, open-source branding, and familiar software names to reach developers and other technical users.
Via BleepingComputer
Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more
User forum
0 messages