According to Trend Micro, the BoryptGrab information stealer is being spread through more than 100 GitHub repositories, with the campaign distributing ZIP archives that pose as software tools, game cheats, or utilities. The malware is designed to harvest data from browsers and cryptocurrency wallets, collect system details, and grab common files, with some variants also deploying a PyInstaller backdoor called TunnesshClient that creates a reverse SSH tunnel to communicate with attackers.
Infected pages mimic legitimate software downloads, including a Voicemod Pro download page, and README files are packed with SEO keywords to boost search engine rankings for malicious repositories. The operation also uses a VBS downloader to hide commands inside integer arrays, decodes PowerShell instructions, and can add Microsoft Defender exclusions to evade detection, after which the launcher retrieves the BoryptGrab payload and other tools from attacker infrastructure.
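Two of the behaviours described above lend themselves to simple triage checks: a VBScript downloader that hides its command in an integer array and rebuilds it with Chr(), and PowerShell that registers Microsoft Defender exclusions. The script below is an added example written for this page, not code from Trend Micro's report or from the malware; the VBScript snippet and the log lines are constructed for illustration, the heuristic thresholds are my own choices, and only the Defender cmdlet and parameter names (Add-MpPreference, Set-MpPreference, -ExclusionPath, -ExclusionProcess, -ExclusionExtension) are real identifiers.

```python
"""Triage heuristics for two behaviours attributed to the BoryptGrab campaign:
integer-array-encoded commands in VBScript and Defender exclusion commands in
PowerShell logs. Added example; all sample inputs below are constructed."""
import re
from typing import Dict, List

# Constructed VBScript sample: a harmless command ('Write-Host "hi"') hidden
# in an integer array and rebuilt with Chr() before being handed to PowerShell.
SAMPLE_VBS = r'''
Dim a
a = Array(87,114,105,116,101,45,72,111,115,116,32,34,104,105,34)
Dim s, i
For i = 0 To UBound(a)
    s = s & Chr(a(i))
Next
CreateObject("WScript.Shell").Run "powershell -c " & s, 0
'''

# Constructed PowerShell script-block log lines in a generic timestamped format.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01Z ScriptBlock: Get-Process | Sort-Object CPU",
    "2024-01-01T10:00:07Z ScriptBlock: Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Downloads'",
    "2024-01-01T10:00:09Z ScriptBlock: Get-MpPreference",
]

ARRAY_RE = re.compile(r"Array\(([^)]*)\)", re.IGNORECASE)
CHR_RE = re.compile(r"\bChr\w*\(", re.IGNORECASE)          # Chr, ChrW, ChrB
POWERSHELL_RE = re.compile(r"powershell|pwsh", re.IGNORECASE)
# Real Defender cmdlets and the parameters that create exclusions.
EXCLUSION_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b[^\n]*-Exclusion(Path|Process|Extension)",
    re.IGNORECASE,
)


def extract_integer_arrays(text: str, min_len: int = 8) -> List[List[int]]:
    """Return every Array(...) literal whose elements are all integers.
    min_len (an assumed threshold) skips short, likely benign arrays."""
    found: List[List[int]] = []
    for match in ARRAY_RE.finditer(text):
        parts = [p.strip() for p in match.group(1).split(",")]
        if len(parts) >= min_len and all(p.isdigit() for p in parts):
            found.append([int(p) for p in parts])
    return found


def decode_array(values: List[int]) -> str:
    """Reproduce what Chr() over the array yields; out-of-range values are dropped."""
    return "".join(chr(v) for v in values if 0 <= v < 256)


def scan_vbs(text: str) -> Dict[str, object]:
    """Flag a script that decodes an integer array into printable text and
    mentions PowerShell, either in the raw script or in the decoded text."""
    decoded = [decode_array(a) for a in extract_integer_arrays(text)]
    printable = [d for d in decoded if d.isprintable() and d.strip()]
    uses_chr = bool(CHR_RE.search(text))
    mentions_ps = bool(POWERSHELL_RE.search(text)) or any(
        POWERSHELL_RE.search(d) for d in printable
    )
    return {
        "decoded": printable,
        "uses_chr_decode": uses_chr,
        "mentions_powershell": mentions_ps,
        "suspicious": bool(printable) and uses_chr and mentions_ps,
    }


def find_defender_exclusions(lines: List[str]) -> List[str]:
    """Return log lines in which a Defender exclusion is added or set."""
    return [line for line in lines if EXCLUSION_RE.search(line)]


if __name__ == "__main__":
    report = scan_vbs(SAMPLE_VBS)
    print("VBS suspicious:", report["suspicious"], "decoded:", report["decoded"])
    for hit in find_defender_exclusions(SAMPLE_LOGS):
        print("Defender exclusion:", hit)
```

The decode step deliberately mirrors what the script itself would do at runtime, so an analyst can read the hidden command without executing the file; in practice the decoded text would be fed into the same PowerShell checks applied to the log lines, and Defender exclusion events should be correlated with who or what created them, since legitimate administration also uses these cmdlets.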
Russian-language comments and infrastructure in the samples suggest the operators may have a Russian background, and the campaign culminates in compressing stolen data and uploading the archive to the attacker’s server.