Trend Micro published research on March 5, 2026 documenting a campaign that leverages more than 100 public GitHub repositories to distribute the BoryptGrab information stealer. The campaign has been active since at least April 2025, with the earliest malicious ZIP file samples dating to late 2025.
Distribution Method
Attackers created GitHub repositories with README files stuffed with SEO keywords, causing them to rank near legitimate projects in search engine results. In one documented case, a fake "Voicemod Pro download" repository ranked immediately below the legitimate Voicemod result on Google.
The lures include game skin changers (CS2, Valorant), voice modification tools, cracked software, and generic productivity applications. Victims are directed through a chain of encoded URLs to a fake download page that generates a ZIP archive containing the malware. Execution methods include DLL sideloading via bundled executables and VBS script downloaders that hide commands in integer arrays.
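As an added illustration of the integer-array trick used by the VBS downloaders (example code written for this page, not from Trend Micro or the campaign samples): a small triage script that finds `Array(...)` literals of character codes in a VBS file, rebuilds the strings the way `Chr()` would, and flags script-host or download keywords in the result. The VBS inside it is a constructed, benign sample; the optional `Chr(x(i) +/- N)` offset handling goes beyond what the write-up describes and is an assumption about related obfuscation.

```python
from __future__ import annotations
import re
from typing import Optional

# Constructed sample, not taken from the campaign: a VBS fragment that rebuilds
# strings from character-code arrays before using them. The two arrays spell
# "WScript.Shell" and "cmd /c echo sample" (a harmless command).
SAMPLE_VBS = r"""
Dim a, b, s, t, i
a = Array(87,83,99,114,105,112,116,46,83,104,101,108,108)
For i = 0 To UBound(a): s = s & Chr(a(i)): Next
b = Array(99,109,100,32,47,99,32,101,99,104,111,32, _
          115,97,109,112,108,101)
For i = 0 To UBound(b): t = t & Chr(b(i)): Next
CreateObject(s).Run t, 0, True
"""

# Arrays shorter than this are more likely ordinary data than a hidden string.
MIN_LEN = 6

# Substrings that, once decoded, point at script-host or download behaviour.
INDICATORS = ("wscript.shell", "shell.application", "powershell", "cmd",
              "http", "msxml2", "adodb.stream")

ARRAY_RE = re.compile(r"Array\s*\(\s*((?:\d{1,3}\s*,\s*)+\d{1,3})\s*\)", re.I)
# Optional Chr(x(i) +/- N) offset applied while rebuilding the string.
# Assumption: the write-up only mentions plain integer arrays.
OFFSET_RE = re.compile(r"Chr\s*\(\s*\w+\s*\(\s*\w+\s*\)\s*([+-])\s*(\d+)\s*\)", re.I)


def normalize(text: str) -> str:
    """Join VBS line continuations (' _' at end of line) so each array is on one line."""
    return re.sub(r"\s_\s*\r?\n\s*", " ", text)


def find_integer_arrays(text: str) -> list[list[int]]:
    """Return every Array(n, n, ...) literal with at least MIN_LEN integers."""
    arrays = []
    for m in ARRAY_RE.finditer(normalize(text)):
        values = [int(v) for v in re.split(r"\s*,\s*", m.group(1))]
        if len(values) >= MIN_LEN:
            arrays.append(values)
    return arrays


def detect_offset(text: str) -> int:
    """Return the +/-N applied inside Chr(...), or 0 when the script uses none."""
    m = OFFSET_RE.search(text)
    if not m:
        return 0
    n = int(m.group(2))
    return n if m.group(1) == "+" else -n


def decode_array(values: list[int], offset: int = 0) -> Optional[str]:
    """Rebuild the string as Chr() would; None if it is not mostly printable text."""
    if not values:
        return None
    codes = [v + offset for v in values]
    if not all(0 <= c <= 255 for c in codes):
        return None
    text = "".join(chr(c) for c in codes)
    printable = sum(1 for ch in text if ch.isprintable())
    return text if printable / len(text) >= 0.9 else None


def scan_vbs(script: str) -> dict:
    """Decode every hidden array and list which indicator keywords appear."""
    offset = detect_offset(script)
    decoded = [s for a in find_integer_arrays(script)
               if (s := decode_array(a, offset)) is not None]
    hits = sorted({kw for s in decoded for kw in INDICATORS if kw in s.lower()})
    return {"decoded": decoded, "indicators": hits, "suspicious": bool(hits)}


if __name__ == "__main__":
    result = scan_vbs(SAMPLE_VBS)
    for s in result["decoded"]:
        print("decoded:", s)
    print("indicators:", result["indicators"], "suspicious:", result["suspicious"])
```

The decoder is deliberately conservative: it only reports arrays that decode to mostly printable text, so numeric data tables in legitimate scripts do not trigger it, and it reports the decoded strings alongside the keyword hits so an analyst can judge the context rather than trusting the keyword list alone.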
Malware Capabilities
BoryptGrab is a C/C++ information stealer that accepts command-line arguments (--output-path, --build-name) for operational tracking. Its confirmed capabilities include:
- Browser data — credentials, cookies, and passwords from Chrome, Firefox, Edge, Opera, Brave, and Yandex
- Cryptocurrency wallets — desktop applications including Exodus, Electrum, Ledger Live, Atomic, Binance, Wasabi, and Trezor (30+ targets)
- System information — CPU, RAM, GPU, OS version, installed software
- Screenshots — full screen capture
- Telegram and Discord — chat file extraction and Discord token harvesting (newer variants)
- File grabbing — collects files with specific extensions from common directories
Alternative Payloads
The same distribution infrastructure delivers additional malware alongside BoryptGrab:
- TunnesshClient — a PyInstaller reverse SSH tunnel backdoor with SOCKS5 proxy functionality, using challenge-response authentication via the /api/get_challenge and /api/get_credentials endpoints
- Vidar Stealer — an established information stealer targeting browser credentials and crypto wallets
- HeaconLoad — a Golang downloader that maintains persistence via Registry modification and scheduled tasks
Infrastructure Indicators
Russian-language comments and log messages appear throughout the campaign infrastructure. Attackers use hardcoded "build names" (including tags like CryptoByte, Yaropolk, Sonic, and others) to track infection performance across distribution channels, functioning as a marketing funnel analytics system for malware delivery.
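To show how the tracking arguments and build names described above can be turned around for defence, here is an added hunt script (written for this page, not Trend Micro's or the campaign's code) that parses process-creation command lines for `--build-name` and `--output-path`, tallies the tags seen, and marks which ones match the names in the write-up. The events are constructed; the `NewTag42` tag and the `--flag=value` spelling are assumptions, since the report names the flags but not their exact syntax.

```python
from __future__ import annotations
import shlex
from collections import Counter

# Build-name tags the write-up lists as used by the operators.
KNOWN_BUILD_NAMES = {"CryptoByte", "Yaropolk", "Sonic"}
# Command-line flags the write-up attributes to the stealer.
STEALER_FLAGS = ("output-path", "build-name")

# Constructed process-creation records (not real telemetry); the fields mimic
# what an EDR or Sysmon Event ID 1 would carry. "NewTag42" is an invented tag.
EVENTS = [
    {"host": "ws-01", "image": r"C:\Users\a\AppData\Local\Temp\setup\app.exe",
     "command_line": r'"C:\Users\a\AppData\Local\Temp\setup\app.exe" '
                     r'--output-path "C:\Users\a\AppData\Local\Temp\out" --build-name CryptoByte'},
    {"host": "ws-02", "image": r"C:\Users\b\Downloads\skins\launcher.exe",
     "command_line": r"launcher.exe --build-name=Sonic --output-path=C:\Users\b\AppData\Local\Temp\o"},
    {"host": "ws-03", "image": r"C:\Program Files\Git\cmd\git.exe",
     "command_line": r'"C:\Program Files\Git\cmd\git.exe" clone https://example.invalid/repo.git'},
    {"host": "ws-04", "image": r"C:\Users\c\Downloads\tool\tool.exe",
     "command_line": r"tool.exe --build-name NewTag42"},
]


def parse_args(command_line: str) -> dict[str, str]:
    """Return --flag values from a Windows command line.

    Both '--flag value' and '--flag=value' are accepted (an assumption: the
    write-up names the flags but not their syntax). Non-POSIX shlex mode keeps
    backslashes intact and groups quoted paths containing spaces.
    """
    tokens = shlex.split(command_line, posix=False)
    args: dict[str, str] = {}
    i = 1  # token 0 is the image path
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, val = tok[2:].split("=", 1)
                i += 1
            else:
                key = tok[2:]
                val = tokens[i + 1] if i + 1 < len(tokens) else ""
                i += 2
            args[key] = val.strip('"')
        else:
            i += 1
    return args


def hunt(events: list[dict]) -> list[dict]:
    """One finding per process carrying --build-name, with the tag, the output
    path if present, and whether the tag matches a name from the write-up."""
    findings = []
    for ev in events:
        args = parse_args(ev["command_line"])
        if "build-name" not in args:
            continue
        findings.append({
            "host": ev["host"],
            "image": ev["image"],
            "build_name": args["build-name"],
            "output_path": args.get("output-path"),
            "both_flags": all(f in args for f in STEALER_FLAGS),
            "known_tag": args["build-name"] in KNOWN_BUILD_NAMES,
        })
    return findings


def build_name_counts(findings: list[dict]) -> Counter:
    """Group findings by tag, the same pivot the operators use for their funnel."""
    return Counter(f["build_name"] for f in findings)


if __name__ == "__main__":
    found = hunt(EVENTS)
    for f in found:
        print(f)
    print(build_name_counts(found))
```

The flag names are generic enough to appear in legitimate tooling, so a hit is a lead to pivot on (image path, parent process, the tag value) rather than an alert in itself; requiring both flags raises confidence. Counting by build name gives a defender the same view the operators built for themselves: which lure or distribution channel each infection came from.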