The BoryptGrab campaign uses fake SEO‑optimized GitHub repositories and deceptive download pages to distribute a data‑stealing malware family that delivers multiple payloads, including a reverse SSH backdoor, to Windows users.

Trend Micro Blog offers insights, analysis, and updates on cybersecurity threats, trends, and best practices. Covering topics such as malware analysis, threat intelligence, and cybersecurity risk management, Trend Micro Blog provides resources for IT security professionals, helping them stay ahead of emerging threats and protect their organizations from cyber attacks.

Trend Micro

Trend Micro researchers have identified BoryptGrab, a new Windows stealer malware distributed through over a hundred fake, SEO-optimized GitHub repositories posing as free software tools and game cheats. The infection chain begins when users download a ZIP file from a deceptive GitHub Pages download site. The malware harvests browser credentials, cryptocurrency wallet data, system information, Telegram files, Discord tokens, and screenshots. It also delivers TunnesshClient, a PyInstaller-based backdoor that establishes a reverse SSH tunnel and acts as a SOCKS5 proxy, enabling the attacker to execute commands and exfiltrate files. Additional payloads include variants of the Vidar stealer with code obfuscation and a Golang downloader called HeaconLoad. Russian-language comments, log messages, and associated IP addresses suggest a Russian-origin threat actor. The campaign has been active since at least April 2025 and continues to evolve with multiple build variants.

New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages