SecurityWeek

Malware & Threats

Over 100 GitHub Repositories Distributing BoryptGrab Stealer

The malware targets browser and cryptocurrency wallet data, along with system information and user files.


A new information stealer has been distributed through a network of more than 100 GitHub repositories, Trend Micro reports.

Dubbed BoryptGrab, the malware can harvest browser and cryptocurrency wallet data, along with system information and user files.

Additionally, certain iterations of the stealer can drop a backdoor dubbed TunnesshClient, which uses an SSH tunnel for command-and-control (C&C) communication.

Trend Micro’s investigation into BoryptGrab revealed the existence of multiple ZIP archives masquerading as free software tools that have been distributed since late 2025 through the GitHub repositories.

All identified binaries contained similar Russian-language comments and URL-fetching logic, although the malware’s execution logic was not the same for all ZIP archives.

In some cases, execution relied on DLL sideloading by an executable bundled in the archive; in others, a VBScript file fetched the launcher’s executable. A .NET executable, a Golang downloader named HeaconLoad, and other execution paths were also observed.
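The archive layouts described above (an executable packaged beside DLLs for sideloading, a script that acts as the launcher) can be surfaced before anything is run. The following triage script is an added example, not code from the article or from Trend Micro: it classifies the members of a ZIP archive and reports layouts that deserve a closer look. The extension sets, the PE-header check and the two constructed sample archives are assumptions made for the example; a hit means "inspect before running", not "this is malware".

```python
"""Triage a ZIP archive for loader-style layouts (added example).

Findings produced:
  1. sideload-candidate: an .exe packaged beside DLLs in the same folder
  2. script-launcher:    a script file (.vbs, .js, .bat, ...) in the archive
  3. disguised-pe:       a member with a PE ("MZ") header but a non-executable extension
"""
import io
import zipfile
from dataclasses import dataclass, field

# Extension sets are an assumption for this example, not an exhaustive list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com"}
LIBRARY_EXTS = {".dll"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1"}
PE_MAGIC = b"MZ"


@dataclass
class TriageResult:
    executables: list = field(default_factory=list)
    libraries: list = field(default_factory=list)
    scripts: list = field(default_factory=list)
    disguised: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def _ext(name):
    """Lower-cased extension of an archive member, '' if none."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot >= 0 else ""


def _folder(name):
    """Folder part of an archive member path ('' for top level)."""
    return name.rsplit("/", 1)[0] if "/" in name else ""


def triage_zip(data):
    """Classify archive members by extension/header and derive layout findings."""
    res = TriageResult()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, ext = info.filename, _ext(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)  # enough to spot the PE 'MZ' signature
            if ext in EXECUTABLE_EXTS:
                res.executables.append(name)
            elif ext in LIBRARY_EXTS:
                res.libraries.append(name)
            elif ext in SCRIPT_EXTS:
                res.scripts.append(name)
            elif head == PE_MAGIC:
                res.disguised.append(name)
    # An .exe with DLLs in its own folder is the layout a sideloading launcher needs.
    for exe in res.executables:
        dlls = [d for d in res.libraries if _folder(d) == _folder(exe)]
        if dlls:
            res.findings.append(
                f"sideload-candidate: {exe} ships with {len(dlls)} DLL(s) in its folder")
    for s in res.scripts:
        res.findings.append(f"script-launcher: {s}")
    for d in res.disguised:
        res.findings.append(f"disguised-pe: {d} has a PE header but a non-executable extension")
    return res


def build_sample_archive():
    """Constructed 'free tool' archive for the demo; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FreeTool/FreeTool.exe", b"MZ\x90\x00")
        zf.writestr("FreeTool/helper.dll", b"MZ\x90\x00")
        zf.writestr("FreeTool/run.vbs", b"' launcher script")
        zf.writestr("FreeTool/data.dat", b"MZ\x90\x00")
        zf.writestr("FreeTool/README.txt", b"Free tool")
    return buf.getvalue()


def build_clean_archive():
    """Constructed archive with only documents; should produce no findings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/a.txt", b"hello")
        zf.writestr("notes/b.md", b"# notes")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_archive()).findings:
        print(finding)
```

Run it as-is to see the three findings for the constructed sample; pass the bytes of any downloaded archive to `triage_zip` to triage it without extracting or executing anything.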


BoryptGrab is a C/C++ information stealer that includes VM and anti-analysis checks and attempts to execute with elevated privileges.

It can harvest information from close to a dozen browsers, uses Chrome App Bound Encryption techniques from two GitHub repositories, and downloads a Chromium helper to collect information from the targeted browsers.

It can also collect data from desktop cryptocurrency wallet applications and browser extensions, harvest system information, take screenshots, and collect files with specific extensions.

Additionally, Trend Micro discovered that the stealer can obtain Telegram files, browser passwords, and, in newer iterations, Discord tokens. All the harvested information is archived and sent to the attacker’s C&C server.

Some of the identified variants also deploy the TunnesshClient backdoor, which in other cases is dropped using different downloaders.

TunnesshClient executes commands provided by the attacker over a reverse SSH tunnel. Depending on the command received, the malware acts as a SOCKS5 proxy, executes shell commands, lists or searches for files, uploads and downloads files, or sends entire folders to the attacker’s server.
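A backdoor that tunnels its C&C over SSH leaves one coarse but useful signal on a workstation: an outbound connection to the SSH port from a process that is not a known SSH client. The script below is an added example, not code from the article or from Trend Micro; it runs that check over constructed network-connection log lines. The log format, the allowlist of expected SSH clients and the sample lines (addresses from the RFC 5737 documentation ranges) are assumptions made for the example.

```python
"""Flag outbound SSH-port connections from unexpected processes (added example).

Assumed log format, one connection per line:
    <timestamp> <process image path> -> <dst_ip>:<dst_port>
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<image>.+?) -> (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)

SSH_PORT = 22

# Binaries that legitimately open SSH sessions on a workstation (assumed allowlist).
# Matched on the basename so the install directory does not matter.
EXPECTED_SSH_CLIENTS = {"ssh.exe", "putty.exe", "winscp.exe"}

# Constructed sample log; not real telemetry.
SAMPLE_LOG = r"""
2025-12-01T10:00:01Z C:\Windows\System32\OpenSSH\ssh.exe -> 203.0.113.5:22
2025-12-01T10:00:07Z C:\Users\u\AppData\Local\Temp\updater.exe -> 198.51.100.20:22
2025-12-01T10:00:09Z C:\Program Files\Mozilla Firefox\firefox.exe -> 192.0.2.10:443
2025-12-01T10:01:30Z C:\Users\u\AppData\Local\Temp\updater.exe -> 198.51.100.20:22
""".strip()


def basename(image):
    """Final path component, lower-cased, for Windows or POSIX separators."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def find_unexpected_ssh(log_text):
    """Return records for port-22 connections whose process is not an expected client."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] != SSH_PORT:
            continue
        if basename(rec["image"]) in EXPECTED_SSH_CLIENTS:
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per (process image, destination IP) pair for triage."""
    return Counter((h["image"], h["ip"]) for h in hits)


if __name__ == "__main__":
    for (image, ip), n in summarize(find_unexpected_ssh(SAMPLE_LOG)).items():
        print(f"{n}x {image} -> {ip}:{SSH_PORT}")
```

The allowlist is deliberately short: a process from a user-writable directory that repeatedly dials port 22 is worth a look even when it carries a benign-sounding name. Widen or narrow `EXPECTED_SSH_CLIENTS` to match what is actually installed in your environment.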

“The BoryptGrab campaign illustrates an evolving threat ecosystem targeting users through deceptive software downloads and fake GitHub repositories,” Trend Micro notes, adding that the operation shows an increasing level of engineering sophistication.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
