Over 100 GitHub Repositories Distributing BoryptGrab Stealer – Cyber Tech
A new information stealer has been distributed through a network of more than 100 GitHub repositories, Trend Micro reports.
Dubbed BoryptGrab, the malware can harvest browser and cryptocurrency wallet data, along with system information and user data.
Additionally, certain iterations of the stealer can drop a backdoor dubbed TunnesshClient, which uses an SSH tunnel for command-and-control (C&C) communication.
Trend Micro’s investigation into BoryptGrab revealed the existence of multiple ZIP archives masquerading as free software tools that have been distributed since late 2025 through the GitHub repositories.
All identified binaries contained similar Russian-language comments and URL-fetching logic, although the malware’s execution logic was not the same for all ZIP archives.
In some cases, DLL sideloading was used for execution, leveraging an executable within the archive, while in others, a VBS script was used to fetch the launcher’s executable. A .NET executable, a Golang downloader named HeaconLoad, and other execution paths were also observed.
BoryptGrab is a C/C++ information stealer that includes VM and anti-analysis checks and attempts to execute with elevated privileges.
It can harvest information from close to a dozen browsers, uses Chrome App-Bound Encryption methods from two GitHub repositories, and downloads a Chromium helper to collect information from the targeted browsers.
It can also collect data from desktop cryptocurrency wallet applications and browser extensions, harvest system information, take screenshots, and collect files with specific extensions.
Additionally, Trend Micro discovered that the stealer can obtain Telegram data, browser passwords, and, in newer iterations, Discord tokens. All the harvested information is archived and sent to the attacker’s C&C server.
Some of the identified variants also deploy the TunnesshClient backdoor, which in other cases is dropped using different downloaders.
TunnesshClient can execute commands provided by the attacker via a reverse SSH tunnel. Based on these, the malware acts as a SOCKS5 proxy, executes shell commands, lists files, searches for files, uploads and downloads files, or sends entire folders to the attacker’s server.
“The BoryptGrab campaign illustrates an evolving threat ecosystem targeting users through deceptive software downloads and fake GitHub repositories,” Trend Micro notes, adding that the operation shows an increasing level of engineering sophistication.