New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages
- BoryptGrab is a newly identified stealer that harvests browser data, cryptocurrency wallet information, and system information. It is also capable of capturing screenshots, collecting common files, and extracting Telegram information, Discord tokens, and passwords.
- The malware is distributed through a large number of public GitHub repositories that purport to offer software tools for free, using SEO keywords to attract victims. The infection chain is initiated when a ZIP file is downloaded from a fake GitHub download page.
- Malware code from different stages of the attack contains Russian-language comments and/or log messages. IP addresses associated with the campaign are also located in Russia, suggesting a possible origin for the attacker. Different builds of the malware have also been observed in the campaign.
- TunnesshClient is a new backdoor delivered during the attack chain. It is a PyInstaller executable that establishes a reverse SSH tunnel to communicate with the attacker and acts as a SOCKS5 proxy. This campaign can also deliver variants of the existing Vidar stealer with code obfuscation.
We recently found the existence of a new stealer binary that collects browser and cryptocurrency wallet data, system information, and common files, among others. We designated this new stealer BoryptGrab. Certain variants of the stealer can download a PyInstaller backdoor, which we refer to as TunnesshClient. TunnesshClient establishes a reverse Secure Shell (SSH) tunnel to enable communication with the attacker.
By tracing the infection chain, we were able to observe several ZIP archive files in the wild (all with similar naming conventions) that masquerade as common software tools (including gaming cheat hacks). As the “github-io” patterns in some ZIP file names suggest, searching for the software tool patterns leads to over a hundred public GitHub repositories delivering malware. The earliest ZIP file we identified dates to late 2025, while the initial commit of the earliest GitHub repository account was made in April 2025.
The following list is a sample of ZIP files without “github-io” in their filename:
- valorant performance boost fps booster 5.4.9.zip
- voicemod pro download tool 8.2.1 1 .zip
- wondershare info feel 8.4.3.zip
- sk1nchangerforcs24pc 5.8.0.zip
- cod black ops 6 aimbot with esp tool 4.2.4.zip
- abi free esp tool download 9.0.0.zip
- arenabreakoutcheat 8.6.2.zip
- git deployer app 7.7.2.zip
- valorant skin tool 4.1.3.zip
- filmora watermark remover 8.6.7.zip
- sk1nchangerforcs24pc 2.9.5.zip
- r6siege free esp tool 1.8.9.zip
Meanwhile, the following are examples of ZIP files with “github-io” in their filename:
- vmware-download-github-io-4.83.4.zip
- passathook-cs2-github-io-1.96.4.zip
- meta-skins-github-io-6.98.9.zip
- cs2-skin-changer-premium-github-io-1.88.9.zip
- passathook-cs2-github-io-2.56.2.zip
In the following sections, we will provide detailed analysis for the delivered BoryptGrab stealer, the TunnesshClient backdoor, and other malware observed in the campaign. We will also include in-depth analysis of the attack chains and delivery routes of the malware. The Russian comments, log messages, and IP addresses found during different stages of the attack chain indicate a potential Russian background for the threat actor.
The malware was initially distributed through public GitHub repositories offering free, seemingly legitimate software tools. The README files for some of these repositories contain SEO keywords designed to increase their ranking in search engine results. An example is the repository located at hxxps://github[.]com/Voicemod-Pro-Download-Tool, which delivers a fake Voicemod Pro tool. The Google search ranking for this repository was just below the legitimate result.
The README of the fake Voicemod Pro GitHub repository contains the download link to the hxxps://voicemod-pro-download-tool.github[.]io/.github/ page. The source code for this download page is located at hxxps://github[.]com/Voicemod-Pro-Download-Tool/.github, where it masquerades as a legitimate .github directory.
The index.htm web page contains Russian comments and redirects to the home.html page. The home.html page fetches and decodes a base64-encoded URL from a link hardcoded in its source code (i.e. hxxps://kiamatka[.]com/kaiok.kakman in the current sample). It then redirects to the decoded URL.
Finally, the intermediate URL redirects to the hxxps://best-tinted[.]com/github-download.html web page that generates a ZIP file to deliver the malware.
Although the hardcoded links in the source code and the fetched intermediate URLs vary across the GitHub repositories we identified, similar Russian-language comments and URL-fetching logic were also present in other GitHub repositories we found for this campaign. Many of these repositories also impersonate different tools, all of which lead to the same web pages that generate malicious ZIP files. The index.html files in some GitHub variants (e.g. hxxps://github[.]com/PassFab-4WinKey-Windows-Password-Reset) send tracking information to the attacker.
Commit history for a few GitHub repositories (such as hxxps://github[.]com/Yim-Mod-Menu/.github) show the deletion of a script.js file. The deleted file fetches a URL from an intermediate link and then redirects to the fetched URL.
In other GitHub repositories, scripts.js files are used to fetch, AES-decrypt, and redirect to a URL (such as hxxps://github[.]com/Arena-Breakout-Infinite-ESP/.github). The scripts.js files use Base64-encoded links to fetch the encrypted URLs.
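The download pages described above share one trait a defender can triage for statically: a hardcoded value is decoded at runtime (Base64 in home.html, AES in some scripts.js variants) and then used as a redirect target. The following Python script is an added example written for this article, not code from the campaign's repositories or from any project named here. It decodes every quoted Base64 literal that turns out to be an http(s) URL, flags the decode-then-redirect pattern, and notes Cyrillic text in the source. The intermediate URL and page source are constructed samples; the AES-encrypted variant is out of scope because the keys are not known from the page.

```python
import base64
import re

# Constructed intermediate URL and page source for demonstration only; they are
# not taken from the campaign's repositories.
INTERMEDIATE_URL = "https://intermediate.example/stage.txt"
SAMPLE_PAGE = """<html><body>
<!-- страница загрузки -->  <!-- constructed Russian comment ("download page") -->
<script>
var k = "%s";
fetch(atob(k)).then(r => r.text()).then(t => { window.location.href = atob(t.trim()); });
</script></body></html>""" % base64.b64encode(INTERMEDIATE_URL.encode()).decode()

# Quoted literals that look like Base64 and are long enough to be worth decoding.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
# Client-side redirect sinks and runtime Base64 decoding.
REDIRECT_SINK = re.compile(r'window\.location(?:\.href)?\s*=|location\.(?:replace|assign)\(')
B64_DECODE = re.compile(r'\batob\s*\(')
CYRILLIC = re.compile(r'[\u0400-\u04FF]')


def decode_embedded_urls(page_source):
    """Return every hardcoded Base64 literal that decodes to an http(s) URL."""
    urls = []
    for match in B64_LITERAL.finditer(page_source):
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64 or not text; skip
        if decoded.startswith(("http://", "https://")):
            urls.append(decoded)
    return urls


def triage_page(page_source):
    """Flag pages that decode a hardcoded value at runtime and redirect to it."""
    findings = {
        "decodes_base64": bool(B64_DECODE.search(page_source)),
        "redirects": bool(REDIRECT_SINK.search(page_source)),
        "cyrillic_text": bool(CYRILLIC.search(page_source)),
        "embedded_urls": decode_embedded_urls(page_source),
    }
    # Decoding plus a redirect sink is the pattern worth a closer look; the
    # decoded URLs give the next hop to block or hunt for.
    findings["suspicious"] = findings["decodes_base64"] and findings["redirects"]
    return findings


if __name__ == "__main__":
    for key, value in triage_page(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

Run against a cloned repository's HTML and JS files, the decoded URLs are the intermediate hops to add to block lists, while the redirect flag alone is only a lead, since legitimate pages also redirect.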
There were also several GitHub repository variants (e.g. hxxps://github[.]com/Graphic-Editor-Krita/.github) with recent commits that added Python scripts to simulate the download process.
A list of GitHub repositories we discovered for this campaign is included in the IoC section.
The distributed ZIP file variants can contain an executable that side-loads a libcurl.dll file (SHA256: fa767391b99865f8533efc1fe6dfa6175215718679fb00ca85fc13c3bd4ae4b7).
The libcurl.dll file (SHA256: fa767391b99865f8533efc1fe6dfa6175215718679fb00ca85fc13c3bd4ae4b7) loads an encrypted payload (SHA256: d295720bc0c1111ce1c3d8b1bc1b36ba840f103b3ca7e95a5a8bf03e2cc44fe5) from its resource section and decrypts it into a launcher payload using XOR operations and the AES algorithm in CBC mode.
The libcurl.dll file executes the EntryWrapper export function from the decrypted launcher payload.
The decrypted launcher payload, which uses XOR-decryption to obfuscate the URLs for its download targets, downloads the BoryptGrab stealer (:5466/api/chromelevator).
Some launcher payload variants contain build names (with some differing from each other). The launcher payload passes the build name as the “-b” argument when executing the BoryptGrab stealer it downloads. As an example, the build name shown in the following figure is “Shrek”.
The launcher variants can send requests with a hardcoded build name to download other files (:5466/api/custom_exe?build={BUILD_NAME}). These files are variants of the Vidar stealer (as discussed in later sections).
Several build names have been observed in the wild for the “/api/custom_exe?build={BUILD_NAME}” requests that download Vidar variants:
- CryptoByte
- Kassay
- Leon
- NeoWho
- Shrek
- Sonic
- Yaropolk
- Yarostnick
The launcher payload also downloads a PyInstaller executable from the attacker’s server (:5466/api/client), which we named TunnesshClient. The launcher payload schedules tasks that use .xml files at %TEMP%\client_task_system.xml and %TEMP%\client_task_user.xml to execute the downloaded TunnesshClient.
The launcher payload can also download another executable, a binary written in Golang (which we dubbed HeaconLoad), from “:5466/api/lodik”. HeaconLoad in turn downloads and runs another executable.
Some ZIP file variants can contain a VBS downloader that further delivers other malware. For demonstration, we used one VBS downloader script (SHA256: 1bd605ef84b6767df74bd6290f1468eed5a88264df23fcf70b6a75d5bdcf7d76) that contains unused variables as junk code for obfuscation.
The VBS script uses integer arrays to represent strings. It contains a function “A” that converts integer arrays to their corresponding strings. The script also includes a function named EnsureElevatedPrivileges for privilege escalation.
The strings converted from integer arrays are encoded PowerShell payloads. The final decoded command in the VBS script downloads and Base64-decodes a binary executable from hxxps://botshield[.]vu/kFcjld.
The final deobfuscated commands in the VBS script can also set Microsoft Defender exclusions so that the C: drive is excluded from anti-virus scanning.
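The integer-array encoding described above is simple to undo offline, which is how an analyst recovers the PowerShell commands (and the Defender exclusion commands) without executing the script. The following Python decoder is an added example written for this article, not the malware's code or any project's tool. The VBS fragment it runs on is constructed to match the described structure (a helper named A that rebuilds strings from character codes, plus unused filler variables); the marker list is a hypothetical set of substrings worth flagging in the decoded output.

```python
import re

# Constructed VBS fragment in the style described above (not the analyzed
# sample): strings kept as integer arrays, rebuilt at runtime by a helper named
# A, with unused variables as filler.
SAMPLE_VBS = r'''
Dim junk1, junk2
junk1 = 4021
junk2 = "unused"
Function A(arr)
    Dim i, s
    For i = 0 To UBound(arr)
        s = s & Chr(arr(i))
    Next
    A = s
End Function
cmd = A(Array(112,111,119,101,114,115,104,101,108,108,46,101,120,101))
style = A(Array(45,87,105,110,100,111,119,83,116,121,108,101))
pref = A(Array(65,100,100,45,77,112,80,114,101,102,101,114,101,110,99,101))
'''

# Array(...) calls whose arguments are all integers.
ARRAY_CALL = re.compile(r"\bArray\s*\(\s*((?:\d+\s*,\s*)*\d+)\s*\)", re.IGNORECASE)

# Hypothetical marker list: substrings that make a decoded string worth a look,
# including the Defender exclusion cmdlet referred to above.
SUSPICIOUS_MARKERS = ("powershell", "-encodedcommand", "frombase64string",
                      "downloadstring", "add-mppreference", "exclusionpath")


def decode_integer_arrays(vbs_source):
    """Rebuild every Array(n, n, ...) of character codes into the string it encodes."""
    strings = []
    for match in ARRAY_CALL.finditer(vbs_source):
        codes = [int(n) for n in re.split(r"\s*,\s*", match.group(1).strip())]
        # Skip values outside the Unicode range rather than crash on junk arrays.
        strings.append("".join(chr(c) for c in codes if c < 0x110000))
    return strings


def flag_suspicious(strings):
    """Map each decoded string to the markers it contains (only strings with a hit)."""
    flagged = {}
    for text in strings:
        hits = [marker for marker in SUSPICIOUS_MARKERS if marker in text.lower()]
        if hits:
            flagged[text] = hits
    return flagged


if __name__ == "__main__":
    decoded = decode_integer_arrays(SAMPLE_VBS)
    for text in decoded:
        print(repr(text))
    print(flag_suspicious(decoded))
```

The decoder ignores the junk variables entirely because it keys on Array() calls rather than on control flow, so filler code added for obfuscation does not change the output; if a sample stores its codes in a different container, the regex is the only part to adjust.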
The file downloaded and decoded by the VBS script is a C/C++ launcher binary that further downloads the BoryptGrab stealer by sending an HTTP request (/api/{BUILD_NAME}) with a build name. The following image shows the HTTP request from a C/C++ launcher variant (SHA256:15de71073f44c657c23f5f97caa11f1b12e654d4d17684bfc628cc1e5b6bcdd5) with the build name “CryptoByte”. Different build names have also been observed for different launcher variants. These build names correspond to the build name values hardcoded in the BoryptGrab samples as described in later sections.
In this attack chain, variants of the downloaded BoryptGrab (SHA256: 4e90d386c1c7d3d1fd4176975795a2f432d95685690778e09313b4a1dbab9997) can download TunnesshClient themselves rather than letting the launcher binary download it.
In some variants, a .NET executable (SHA256: 4264a88035aa0b63e9aef96daa78a58114d60a344ea10168a8ef5ef36bf8edbd) is used to decode and run a Base64-encoded VBS downloader (SHA256: 433a13cc70396f80dc29d1150c050339d78964fdc91bcdc3f40c67a77add1476). In the sample we analyzed, the VBS downloader downloads and executes a binary executable from “hxxps://botshield[.]vu/KKRkm9”.
Variants of the launcher (SHA256: 7f2315b89fb9a47e1516def136844d617bfcdce19000a1b0436706692dbe166c) can download files from “:5466/api/app” or “:5466/api/app.zip” depending on their privilege level. Meanwhile, another launcher variant (SHA256: 449f528f5ceae8c3f8336d0d8e3e3ec9031d1ad67c31ee7311b67e01d5fdf225) can also download the payload from “:5466/api/payload”. A third variant we analyzed (SHA256: c40b9913e79c5dd09751b1afb03aaa98658bab61bacf27a299abd84fd44fe707) can also download TunnesshClient from “:5466/api/client2”.
Meanwhile, some ZIP file variants can directly contain the HeaconLoad downloader to deliver malware.
The HeaconLoad sample (SHA256: 2abe0ef88ba92db79d82cde4c0ed1f382bb347517a54ea82084c841d0f955518) achieves persistence by adding a registry entry under the Run key and creating a scheduled task.
HeaconLoad sends beacon messages to the attacker via HTTP POST requests at “:8088/healthcheck”. Each beacon message contains collected system information along with a build tag value hardcoded in the HeaconLoad sample.

The following are different hardcoded build tag values we have observed from HeaconLoad variants:
- kylka
- leon
- shrek
- sonic
- voblya
- yaropolk
- yarostnick
- yasno
HeaconLoad then checks fields such as “bundle_available” and “bundle_hash” in the attacker’s response to its HTTP POST request. These two fields respectively indicate whether a bundle is available for download and provide the hash value of the bundle to download for verification.
When a bundle is available, HeaconLoad further downloads and unzips a bundle archive from the attacker’s server. It executes the first executable found in the unzipped archive.
We observed Russian log messages in HeaconLoad samples.
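The launcher payloads and HeaconLoad both talk to the attacker's server over plain HTTP on fixed ports and paths (the port 5466 download paths listed in the launcher sections and elsewhere in this article, the HeaconLoad POST beacon to port 8088, and the C/C++ launcher's /api/{BUILD_NAME} requests), which makes proxy or firewall logs a practical place to hunt. The following Python detector is an added example for this article, not a tool from the campaign or from any product; it classifies each request, extracts the build name where the URL carries one, and returns the hits. The log format (timestamp, client IP, method, URL, status) and the server address 203.0.113.10 are constructed for the sample.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Download paths requested on port 5466, as listed in this article.
LAUNCHER_PATHS = {
    "/api/chromelevator": "BoryptGrab stealer download",
    "/api/custom_exe": "Vidar variant download",
    "/api/client": "TunnesshClient download",
    "/api/client2": "TunnesshClient download",
    "/api/lodik": "HeaconLoad download",
    "/api/app": "launcher payload download",
    "/api/app.zip": "launcher payload download",
    "/api/payload": "launcher payload download",
    "/api/x32_chromium": "Chromium helper download",
}

# Build names seen in custom_exe requests (from the list above); the C/C++
# launcher requests /api/{BUILD_NAME} with values from the same naming scheme.
BUILD_NAMES = {"CryptoByte", "Kassay", "Leon", "NeoWho", "Shrek", "Sonic", "Yaropolk", "Yarostnick"}
BUILD_PATH = re.compile(r"/api/([A-Za-z0-9_]+)")

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """
2025-11-03T10:15:22Z 10.0.0.12 GET http://203.0.113.10:5466/api/chromelevator 200
2025-11-03T10:15:25Z 10.0.0.12 GET http://203.0.113.10:5466/api/custom_exe?build=Shrek 200
2025-11-03T10:15:31Z 10.0.0.12 GET http://203.0.113.10:5466/api/client 200
2025-11-03T10:16:02Z 10.0.0.12 POST http://203.0.113.10:8088/healthcheck 200
2025-11-03T10:16:10Z 10.0.0.34 GET https://www.example.com/index.html 200
2025-11-03T10:16:44Z 10.0.0.12 GET http://203.0.113.10/api/CryptoByte 200
"""


def classify_request(method, url):
    """Return a verdict dict for a request matching the described C2 traffic, else None."""
    parts = urlsplit(url)
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    path = parts.path
    if port == 5466 and path in LAUNCHER_PATHS:
        build = parse_qs(parts.query).get("build", [None])[0]
        return {"family": LAUNCHER_PATHS[path], "build": build}
    if port == 8088 and path == "/healthcheck" and method.upper() == "POST":
        return {"family": "HeaconLoad beacon", "build": None}
    match = BUILD_PATH.fullmatch(path)
    if match and match.group(1) in BUILD_NAMES:
        return {"family": "C/C++ launcher BoryptGrab download", "build": match.group(1)}
    return None


def scan_log(lines):
    """Run classify_request over log lines and collect the hits with context."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        timestamp, client, method, url, _status = fields[:5]
        verdict = classify_request(method, url)
        if verdict:
            hits.append({"time": timestamp, "client": client, "url": url, **verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.strip().splitlines()):
        print(hit)
```

The path and port checks are deliberately strict (a bare /api/payload on port 443 is not reported) to keep false positives down; the build name extracted from the query string or path ties a network hit to the build-name lists elsewhere in this article for correlating hosts hit by the same build.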
The binary executables downloaded from “/api/custom_exe?build={BUILD_NAME}” are variants of the existing Vidar stealer with code obfuscation.
The sample (SHA256: 2050468744e44554fac17fb83f1515c95f2f2236716e2b5267a81c2b94205e6a) sends HTTP POST requests with the traffic patterns used by the Vidar stealer. It uses XOR-encrypted strings and contains opaque predicates with redundant code for obfuscation.
The Vidar variant also dynamically resolves API functions for obfuscation and can perform code injection or APC injection.
BoryptGrab takes an optional “--output-path”/“-o” argument that specifies the output directory to hold the data it collects. Depending on the build, some variants of BoryptGrab (SHA256: fe4e5fb28d2c2b3a640112b6b125ce8c4afa8be28342e3bfda097ad9dd2ef9ee) also take an optional “--build-name”/“-b” command line argument as input. This input argument is used as the value of the “BUILD NAME” field when BoryptGrab outputs user information to the UserInformation.txt file. When no “--build-name” argument is provided, the BoryptGrab variant uses the default build name “NO_NAME”.
Meanwhile, some variants of BoryptGrab use hardcoded values for the “BUILD NAME” field in UserInformation.txt instead of parsing the “--build-name”/“-b” argument.
Note that there are also BoryptGrab variants that do not contain a hardcoded “BUILD NAME” and do not parse the “--build-name”/“-b” command line argument. They also do not write the “BUILD NAME” field to the UserInformation.txt file.
The following shows a list of build name values hardcoded in the BoryptGrab variants we have observed in the wild:
- CryptoByte
- Crypto_Byte
- Data
- Kassay
- Leon
- Pisechka
- Shrek
- Sonic
- Sonic2
- Sonic_new1
- Sonic_new2
- Yaropolk
- Yarostnick
- Yasno
- bigdick
- wm_detect
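Because the launcher passes the build name on the command line (“-b Shrek” in the example above) and BoryptGrab accepts “--output-path”/“-o”, process-creation telemetry such as Sysmon Event ID 1 command lines can be matched against the build-name list above. The following Python check is an added example for this article, not a detection shipped by any product; it parses a Windows command line, pulls out the build name and output path, and grades the hit. The command lines are constructed, and the confidence tiers (known build name: high; both arguments present: medium) are a hypothetical scheme rather than anything stated in the analysis.

```python
import shlex

# Build name values hardcoded in BoryptGrab variants, from the list above
# (lowercased so matching is case-insensitive).
BORYPTGRAB_BUILD_NAMES = {name.lower() for name in [
    "CryptoByte", "Crypto_Byte", "Data", "Kassay", "Leon", "Pisechka", "Shrek",
    "Sonic", "Sonic2", "Sonic_new1", "Sonic_new2", "Yaropolk", "Yarostnick",
    "Yasno", "bigdick", "wm_detect",
]}

BUILD_FLAGS = {"-b", "--build-name"}
OUTPUT_FLAGS = {"-o", "--output-path"}

# Constructed process-creation command lines (image paths and values are made up).
SAMPLE_EVENTS = [
    r'"C:\Users\Public\chromelevator.exe" -b Shrek -o C:\Users\Public\out',
    r'"C:\Users\Public\update.exe" --build-name Sonic_new1',
    r'"C:\Users\Public\tool.exe" --output-path C:\Temp\stage',
    r'"C:\Program Files\Git\bin\git.exe" -b main checkout',
    r'notepad.exe C:\notes.txt',
]


def parse_stealer_args(command_line):
    """Return a graded finding for a BoryptGrab-style command line, or None."""
    try:
        # posix=False keeps Windows backslashes literal and quotes attached.
        tokens = shlex.split(command_line, posix=False)
    except ValueError:
        return None
    if not tokens:
        return None
    image = tokens[0].strip('"')
    build = output_path = None
    # Each flag takes the following token as its value.
    for i, token in enumerate(tokens[1:-1], start=1):
        value = tokens[i + 1].strip('"')
        if token in BUILD_FLAGS:
            build = value
        elif token in OUTPUT_FLAGS:
            output_path = value
    if build is not None and build.lower() in BORYPTGRAB_BUILD_NAMES:
        confidence = "high"
    elif build is not None and output_path is not None:
        confidence = "medium"
    else:
        return None  # a lone -b (e.g. git) or lone -o is too generic to report
    return {"image": image, "build": build, "output_path": output_path,
            "confidence": confidence}


def scan_command_lines(command_lines):
    """Apply parse_stealer_args to each event and keep the findings."""
    return [finding for finding in map(parse_stealer_args, command_lines) if finding]


if __name__ == "__main__":
    for finding in scan_command_lines(SAMPLE_EVENTS):
        print(finding)
```

The git example shows why the build-name list matters: “-b” alone is a common flag, so only a known build name or the combination of both BoryptGrab arguments is reported. New build names observed in UserInformation.txt files or launcher samples are added to the set.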
BoryptGrab detects whether it is executed in a virtual machine environment by querying registry entries and checking VM-related files.
As part of its anti-analysis check, BoryptGrab also compares the names of running processes against a predefined list. It also attempts to execute with elevated privilege.
When the “--output-path”/“-o” argument is not given, BoryptGrab formats a default output path name using the current time, public IP address, and country code. Later, a directory with this output path name is created to stage collected data.
BoryptGrab collects information from a list of browsers. It uses Chrome App Bound Encryption techniques and contains code from the following public GitHub repositories:
- https://github[.]com/00nx/Chrome-App-Bound-Encryption-Bypass
- https://github[.]com/xaitax/Chrome-App-Bound-Encryption-Decryption
The following is the list of browsers BoryptGrab collects information from:
- Brave Browser
- CentBrowser
- Chromium
- Google Chrome
- Microsoft Edge
- Mozilla Firefox
- Opera
- Vivaldi
- Yandex Browser
BoryptGrab uses code similar to the loadAndDecryptPayload function in https://github[.]com/00nx/Chrome-App-Bound-Encryption-Bypass, while also containing a binary with an encrypted resource named “PAYLOAD_DLL”, as used by the GitHub repository.
The decrypted PAYLOAD_DLL resource in BoryptGrab contains logic from the Chrome-App-Bound-Encryption-Bypass public Github repository. The decrypted resource payload in BoryptGrab also contains functionality that collects browser data from Yandex and Firefox.
The decrypted PAYLOAD_DLL payload also contains hardcoded timestamp information. It writes the timestamp along with installed application information to the “installed_applications.txt” file.

To help collect browser data, BoryptGrab downloads a Chromium helper (SHA256: ed1745cc49b929e499966d87e163219fe0f24069fe88dfacbd69c0ebab85a640) from “hxxp://45.93.20[.]61:5466/api/x32_chromium” and saves it to %TEMP%\x32_chromium.exe.
Aside from browser data, BoryptGrab can harvest information from both desktop cryptocurrency wallet applications and browser extensions. BoryptGrab then captures a screenshot and collects system information.
The following cryptocurrency wallet directories are targeted by BoryptGrab:
- Armory Wallet
- Atomic
- AtomicDEX
- Binance
- Bitcoin Core
- BitPay
- Blockstream Green
- Chia Wallet
- Coinomi
- Copay
- Daedalus Mainnet
- Dash Core
- Dogecoin
- Electron Cash
- Electrum
- ElectrumLTC
- Ethereum
- Exodus
- GreenAddress
- Guarda
- Jaxx Desktop
- Komodo Wallet
- Ledger Live
- Ledger Wallet
- Litecoin Core
- MEW Desktop
- MultiDoge
- MyEtherWallet
- NOW Wallet
- Raven Core
- StakeCube
- Trezor Suite
- Wasabi Wallet
BoryptGrab also contains a “File Grabber” ability, where it collects files with specified extensions under common directories. It contains a misspelled word: “Filegraber”.
Finally, BoryptGrab collects Telegram files and browser passwords, with newer variants of BoryptGrab being able to gather Discord tokens.
After data collection, BoryptGrab archives and uploads its collected data to the attacker’s server.
Some BoryptGrab variants download and execute TunnesshClient from the attacker’s server. However, not all BoryptGrab variants have this functionality, and in some attack chains, TunnesshClient is delivered by other downloaders instead.
TunnesshClient is a PyInstaller executable that conducts traffic forwarding and executes the attacker’s commands through a reverse SSH tunnel. It contains Russian text in its comments and log messages, indicating possible origins. The TunnesshClient sample used in this blog for demonstration (SHA256: 576692df4bf1c7d8927d3a183f5219a81c3bff3dd22971691f8af6889f80c5a0) connects to the attacker’s server at 193.143.1[.]104.
TunnesshClient first retrieves SSH credentials by sending HTTP POST requests (/api/get_challenge, /api/get_credentials) to hxxp://193.143.1[.]104:5000. It solves the attacker’s challenge by computing a SHA256 hash to retrieve an encrypted response. It then decrypts the response to obtain SSH credentials in JSON format.
TunnesshClient then sends system information to the attacker at “/api/get_port”. It retrieves a port number for remote port forwarding from the attacker’s response, then creates a reverse SSH tunnel using its previously retrieved SSH credentials and traffic-forwarding port number to communicate with the attacker’s server.
TunnesshClient can execute commands provided by the attacker. It receives an integer value from the attacker’s connection, which represents the operation type of the command to execute.
The following table lists the operation types supported by the TunnesshClient sample and their corresponding commands:
| Operation type | Description |
|---|---|
| 5 | Act as SOCKS5 proxy |
| 83 | Execute shell command |
| 76 | List specified files |
| 68 | Send victim’s file to attacker in base64 encoding |
| 85 | Save Base64-encoded file content from attacker to victim’s machine |
| 70 | Search for file with specified query |
| 90 | Send victim’s folder to the attacker in a Base64-encoded ZIP archive |
Table 1. Operation types supported by the TunnesshClient sample and their corresponding commands
Another variant of TunnesshClient (SHA256: 0434437a073a3f3a49e84d5ecb20c99dd551bacc32bf100fbb8cf67a50642181) sets up a local SSH server on the victim machine. It sends the username and password for local SSH connection to the attacker through an HTTP POST request (hxxp://45.93.20[.]195:5000).
When the operation type is 83, this TunnesshClient variant forwards the attacker’s traffic to the local SSH server. This variant only accepts operation types 5 and 83, and does not execute the attacker’s commands as the previous variant does.
| Operation type | Description |
|---|---|
| 5 | Act as SOCKS5 proxy |
| 83 or other values | Local SSH forwarding |
The BoryptGrab campaign illustrates an evolving threat ecosystem targeting users through deceptive software downloads and fake GitHub repositories. Across its many variants, the stealer demonstrates extensive data-harvesting capabilities, with its ability to dynamically stage payloads, bypass analysis through anti-VM and anti-debug checks and offload sensitive operations to encrypted payloads showing a level of engineering sophistication that continues to increase.
The campaign’s reliance on SEO-optimized GitHub repositories and fake “free tool” download sites underscores an important trend: threat actors increasingly exploit trust in legitimate developer platforms and open-source ecosystems. With dozens of repositories, shifting payloads, and numerous build names observed in the wild, the operation’s scale indicates an active and ongoing threat.
TrendAI Vision One™ is the industry-leading AI cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection.
TrendAI Vision One™ Threat Intelligence Hub provides the latest insights on emerging threats and threat actors, exclusive strategic reports from TrendAI™ Research, and TrendAI Vision One™ Threat Intelligence Feed in the TrendAI Vision One™ platform.
Emerging Threats: From Fake GitHub Download Repositories to Reverse SSH Backdoors: Examining the BoryptGrab Stealer
TrendAI Vision One™ customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
Detection of BORYPTGRAB samples
malName: *BORYPTGRAB* AND eventName: MALWARE_DETECTION AND LogType: detection
More hunting queries are available for TrendAI Vision One™ with Threat Intelligence Hub entitlement enabled.
The indicators of compromise for this entry can be found here.