www.securityweek.com 3/7/2026, 12:58:03 PM

BoryptGrab Info Stealer Spreads via 100 GitHub Repos; SSH Backdoor


SECURITYWEEK reports that a new information stealer called BoryptGrab has been distributed through a network of more than 100 GitHub repositories, with Trend Micro noting the operation since late 2025. The malware can harvest browser and cryptocurrency wallet data, along with system information and user files, and some iterations drop a backdoor named TunnesshClient that uses an SSH tunnel for command-and-control.

Trend Micro’s investigation found multiple ZIP archives masquerading as free software tools, distributed via the GitHub repositories, with some variants using DLL sideloading and others employing VBS scripts to fetch the launcher’s executable. BoryptGrab is a C/C++ information stealer that can collect data from nearly a dozen browsers, siphon data from desktop cryptocurrency wallets and browser extensions, take screenshots, and exfiltrate Telegram files and Discord tokens in newer iterations.

The TunnesshClient backdoor can execute commands issued by the attacker over the reverse SSH tunnel and can also act as a SOCKS5 proxy. Written by Ionuț Arghire, the piece highlights an increasingly sophisticated threat ecosystem that targets users through deceptive software downloads and fake GitHub repositories. According to Trend Micro, the campaign demonstrates evolving attacker tradecraft.


Article by CyberSIXT