VYPR
researchPublished Jul 14, 2026· 1 source

Nearly 300 GitHub Repos Impersonated Legitimate Software to Distribute Infostealer Malware

A threat actor created hundreds of fake GitHub repositories mimicking legitimate software and security projects to distribute infostealer malware, targeting developers and users.

A sophisticated threat actor has established a campaign involving nearly 300 GitHub repositories designed to impersonate legitimate software and security projects. These repositories were strategically crafted to lure unsuspecting developers and users into downloading malicious code, ultimately distributing infostealer malware. The campaign, identified by cybersecurity firm Arctic Wolf, began on June 26 and leveraged search engine traffic for popular security products, cryptocurrency services, financial tools, and developer utilities to attract victims.

Each of the 292 discovered fake repositories featured a README file containing a download link. This link directed users to a malicious landing page that employed convincing branding and language, including "Download Secure Content" buttons and spoofed trust badges, to foster a sense of legitimacy. The landing page's design was templated, with a client-side script parsing the URL to identify the referring repository and the impersonated brand, which was then used to customize the page's appearance.

The primary payload delivered by these fake repositories was a large ZIP archive. The contents of this archive, including the malware's name and specific components, were altered approximately every minute. The archive contained a trojanized libcurl.dll file and a legitimate, signed Windows utility called WinGUP updater. When the gup.exe executable was run, it would side-load the malicious libcurl.dll, which then decoded and executed an embedded infostealer entirely in memory, a technique known as reflective loading.

The infostealer, identified as a variant of the BoryptGrab family, was designed to exfiltrate a wide range of sensitive data. This included credentials from 19 different web browsers, data from 32 cryptocurrency wallet brands, session tokens from messaging and social media applications like Telegram, Discord, and Steam, and credentials stored in Windows Credential Manager. It also targeted files with password-related names or extensions from desktop and documents folders, and collected system details and screenshots.

Notably, this BoryptGrab variant demonstrated a previously undocumented capability to bypass Chrome's App-Bound Encryption by injecting code directly into the browser process. The stolen data was compressed and sent to a command-and-control (C2) server located in Russia. The malware was designed for rapid, single-execution data collection, without establishing persistence on the host system. Researchers also observed a lack of anti-analysis measures and that the temporary directory used for staging stolen data was not wiped, leaving forensic evidence.

While GitHub has since removed a significant portion of the malicious repositories, some GitHub Pages redirectors remained active at the time of the report. The threat actor behind the campaign could not be definitively identified, but analysis suggests they are likely Russian-speaking and financially motivated. The success of this operation hinges on users' willingness to download "free" premium software from unofficial sources, highlighting the persistent threat of supply chain attacks originating from code repositories.

Arctic Wolf has provided a Yara rule and indicators of compromise (IoCs) to help organizations detect and defend against this ongoing threat. The campaign underscores the critical need for vigilance when sourcing software and dependencies, especially from platforms like GitHub, where malicious actors can exploit trust to distribute malware.

Synthesized by Vypr AI