Trend Micro researchers have identified BoryptGrab, a new Windows stealer malware distributed through over a hundred fake, SEO-optimized GitHub repositories posing as free software tools and game cheats. The infection chain begins when users download a ZIP file from a deceptive GitHub Pages download site. The malware harvests browser credentials, cryptocurrency wallet data, system information, Telegram files, Discord tokens, and screenshots. It also delivers TunnesshClient, a PyInstaller-based backdoor that establishes a reverse SSH tunnel and acts as a SOCKS5 proxy, enabling the attacker to execute commands and exfiltrate files. Additional payloads include variants of the Vidar stealer with code obfuscation and a Golang downloader called HeaconLoad. Russian-language comments, log messages, and associated IP addresses suggest a Russian-origin threat actor. The campaign has been active since at least April 2025 and continues to evolve with multiple build variants.