BoryptGrab
BoryptGrab is an information stealer targeting Windows users. Trend Micro reported it was distributed through a large campaign abusing more than 100 public GitHub repositories, with ZIP archives masquerading as legitimate software tools, utilities, and game cheats. The operation used SEO-stuffed GitHub README files and deceptive GitHub Pages-style download sites, including a Voicemod Pro lure, to drive victims through redirect chains to fake download pages that generated malicious ZIP archives. Proton66 OOO infrastructure was also linked to this SEO-driven operation.
The malware is described as a C/C++ stealer that performs anti-analysis checks, including querying registry entries, checking VM-related files, comparing running process names against a predefined list, and attempting to execute with elevated privileges. Infection chains observed in the reporting include DLL sideloading via a malicious libcurl.dll, VBS downloaders that decode hidden PowerShell commands, and .NET loaders. Launchers can download BoryptGrab and additional payloads, pass build names such as Shrek, Leon, and CryptoByte via a "-b" argument, and establish persistence through scheduled tasks. Some related delivery chains also used HeaconLoad, a Golang downloader that maintains persistence via registry entries and scheduled tasks and downloads additional bundles.
BoryptGrab collects extensive data from infected systems. Reported targets include browser data from Chrome, Edge, Firefox, Opera, Brave, Vivaldi, and Yandex; cryptocurrency wallet data from Exodus, Electrum, Ledger Live, Atomic, Binance, Wasabi, and Trezor; system details; screenshots; Telegram files; files with targeted extensions from common user directories; and, in newer variants, Discord tokens. The malware uses techniques from public GitHub tools to bypass Chrome App-Bound Encryption and decrypt stored browser credentials. It supports command-line arguments including "--output-path"/"-o" and "--build-name"; if no output path is provided, it derives a staging directory name from the current time, the host's public IP address, and its country code. After collection, it compresses the stolen data and uploads the archive to attacker-controlled infrastructure.
Associated payloads observed alongside BoryptGrab include Vidar variants, HeaconLoad, and TunnesshClient, a PyInstaller backdoor that creates a reverse SSH tunnel enabling remote command execution, file movement, and proxying through the infected host. Reporting cited Russian-language comments and infrastructure artifacts as suggesting the operators may be of Russian origin.
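The delivery and execution chain described above (a launcher passing build names via "-b", the stealer's "--output-path"/"--build-name" switches, VBS downloaders that decode PowerShell, sideloading of a malicious libcurl.dll, and scheduled-task persistence) maps onto a handful of endpoint detection checks. The Python below is an added example, not code from Trend Micro, the Mallory platform, or the reporting it summarizes. It runs over constructed Sysmon-style process-creation and image-load events; the field names (image, parent_image, cmdline, image_loaded), the trusted-directory list, and the sample events themselves are assumptions to adapt to your own telemetry schema.

```python
"""Triage constructed endpoint telemetry for the BoryptGrab delivery and
execution behaviours described on this page.

Added illustrative example; not code from Trend Micro or Mallory. Event
field names are assumptions modelled loosely on Sysmon process-creation
(image, parent_image, cmdline) and image-load (image_loaded) records.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Build names and long-form switches reported for the launcher/stealer.
# "-o" alone is deliberately NOT a trigger: too many benign tools use it.
KNOWN_BUILDS = {"shrek", "leon", "cryptobyte"}
STEALER_SWITCHES = {"--output-path", "--build-name"}

# Assumption: a legitimate libcurl.dll normally lives under one of these.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|appdata|desktop)\\|\\temp\\", re.I)
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)


@dataclass
class Finding:
    rule: str
    event: dict


def _args(cmdline: str) -> List[str]:
    # posix=False keeps Windows backslashes and quoted paths intact.
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:
        return cmdline.split()


def check_build_args(ev: dict) -> Optional[str]:
    """Stealer long switches, or the launcher's "-b <known build name>"."""
    lowered = [a.lower().strip('"') for a in _args(ev.get("cmdline", ""))]
    for i, a in enumerate(lowered):
        if a in STEALER_SWITCHES:
            return "stealer_cli_switch"
        if a == "-b" and i + 1 < len(lowered) and lowered[i + 1] in KNOWN_BUILDS:
            return "launcher_known_build"
    return None


def check_vbs_to_powershell(ev: dict) -> Optional[str]:
    """Script host spawning PowerShell with an encoded command."""
    parent = ev.get("parent_image", "").lower()
    image = ev.get("image", "").lower()
    if (parent.endswith(("wscript.exe", "cscript.exe"))
            and image.endswith("powershell.exe")
            and ENCODED_PS.search(ev.get("cmdline", ""))):
        return "vbs_encoded_powershell"
    return None


def check_libcurl_sideload(ev: dict) -> Optional[str]:
    """libcurl.dll loaded from outside the trusted directories."""
    loaded = ev.get("image_loaded", "").lower()
    if loaded.endswith("\\libcurl.dll") and not loaded.startswith(TRUSTED_DLL_DIRS):
        return "libcurl_sideload_untrusted_dir"
    return None


def check_schtasks_persistence(ev: dict) -> Optional[str]:
    """schtasks /create launched by a binary in a user-writable location."""
    if (ev.get("image", "").lower().endswith("schtasks.exe")
            and "/create" in ev.get("cmdline", "").lower()
            and USER_WRITABLE.search(ev.get("parent_image", ""))):
        return "schtasks_from_user_writable_parent"
    return None


CHECKS = (check_build_args, check_vbs_to_powershell,
          check_libcurl_sideload, check_schtasks_persistence)


def triage(events: List[dict]) -> List[Finding]:
    """Run every check over every event; one Finding per rule hit."""
    return [Finding(rule, ev) for ev in events
            for rule in (c(ev) for c in CHECKS) if rule]


# Constructed sample telemetry (not real IOCs): a fake "Voicemod Pro" drop.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\VoicemodPro\setup.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\alice\Downloads\VoicemodPro\setup.exe"'},
    {"image": r"C:\Users\alice\Downloads\VoicemodPro\setup.exe",
     "image_loaded": r"C:\Users\alice\Downloads\VoicemodPro\libcurl.dll"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"image": r"C:\Users\alice\AppData\Local\Temp\launcher.exe",
     "parent_image": r"C:\Users\alice\Downloads\VoicemodPro\setup.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\launcher.exe" -b Shrek'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\launcher.exe",
     "cmdline": r"schtasks /create /sc minute /mo 5 /tn Updater "
                r"/tr C:\Users\alice\AppData\Local\Temp\launcher.exe"},
    # Benign: curl's own -o and Git's legitimately located libcurl.dll.
    {"image": r"C:\Program Files\curl\curl.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "curl.exe -o out.bin https://example.invalid/file"},
    {"image": r"C:\Program Files\Git\cmd\git.exe",
     "image_loaded": r"C:\Program Files\Git\mingw64\bin\libcurl.dll"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.rule, "<-", f.event.get("cmdline") or f.event.get("image_loaded"))
```

The two benign events at the end show why "-o" on its own is excluded and why the DLL check keys on the load path rather than the file name; in practice, pair these process-level hits with the staging-directory naming and the compressed upload the page describes before treating a single match as confirmed activity.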
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development: 2 techniques
Execution: 4 techniques
The script decodes PowerShell commands, downloads a launcher from a remote server...
Persistence: 1 technique
Privilege Escalation: 3 techniques
Stealth: 3 techniques
Credential Access: 2 techniques
Discovery: 3 techniques
Collection: 3 techniques
Command and Control: 2 techniques
Exfiltration: 1 technique
Recent activity
6 sources tracked across advisories, community write-ups, and news.
An infostealer operation abusing more than 100 public GitHub repositories through SEO manipulation.
Information stealer distributed via fake GitHub Pages/SEO lures; harvests browser data, crypto wallet info, system info; can capture screenshots, collect files, and steal Telegram/Discord data and passwords.
C/C++ information stealer distributed via malicious GitHub repositories and ZIP archives masquerading as tools/cheats. Collects browser credentials/data (Chrome/Edge/Firefox/Opera/Brave/Vivaldi/Yandex), Telegram data, Discord tokens (newer variants), screenshots, system info, and files by extension; steals data from multiple desktop crypto wallets (e.g., Exodus, Electrum, Ledger Live, Atomic, Binance, Wasabi, Trezor). Stages data locally, compresses it, and uploads to attacker infrastructure; includes anti-analysis/VM checks and attempts privilege elevation.
Information-stealing malware targeting Windows users, distributed via deceptive GitHub Pages.