Hundreds of Fake GitHub Repositories Push BoryptGrab Infostealer Malware
A sophisticated campaign leveraging nearly 300 fake **GitHub** repositories has been uncovered, impersonating legitimate software projects to distribute a variant of the **BoryptGrab** infostealer malware. This operation targets a wide array of sensitive user data, from cryptocurrency wallets to messaging app credentials, highlighting the growing threat of supply chain impersonation.

Cybersecurity firm **Arctic Wolf** has identified a widespread malicious campaign where a threat actor published hundreds of fake **GitHub** repositories. These repositories masquerade as legitimate software and security projects, luring users into downloading infostealer malware.
### Deceptive Tactics and Broad Reach
The campaign strategically draws traffic from search results for popular applications, including security products, cryptocurrency services, financial tools, developer utilities, secure email providers, **macOS** utilities, and gaming software.
**Arctic Wolf** discovered the activity after one of its own products was impersonated, beginning on June 26. In total, researchers uncovered 292 fake repositories, each featuring a **README** file with a malicious download link.

### Sophisticated Landing Pages
Visitors are redirected to highly convincing landing pages designed to inspire trust. These pages include elements like a "Download Secure Content" button and spoofed trust badges.
Analysis of the delivery page code revealed a single templated **HTML/JS** artifact reused across all impersonated brands. **Arctic Wolf** noted that the client-side script parses the URL path to dynamically display branding, enhancing the deception.

### Malware Delivery and Execution
The malicious landing page delivers a large **ZIP** archive, with its name and payload changing approximately every minute. Inside the archive, users find a trojanized **libcurl.dll** and a legitimate, signed **WinGUP** updater, renamed to match the impersonated product.
When executed, the **gup.exe** side-loads **libcurl.dll**, which then decodes and reflectively executes an embedded infostealer entirely in memory.
### BoryptGrab Infostealer Capabilities
The information stealer is identified as a variant of the **BoryptGrab** family, designed to collect extensive data:
* Passwords, cookies, payment information, and other data from 19 web browsers.
* Data from 32 cryptocurrency wallet brands.
* **Telegram** sessions, **Discord** tokens, and **Steam** session tokens.
* Credentials for **Meta**'s **Max** messaging application.
* **Windows Credential Manager** contents.
* Files from Desktop and Documents hinting at passwords, recovery phrases, wallets, or backups.
* Screenshots, system details, and installed-software lists.
Notably, this **BoryptGrab** variant possesses a previously undocumented ability to bypass **Chrome**'s App-Bound Encryption through direct code injection into the browser process. Stolen data is compressed and sent to a Russia-based command-and-control (**C2**) server.

### Operational Footprint and Attribution
The malware does not establish persistence on the host, focusing on maximizing data collection in a single execution. It also lacks anti-analysis layers, and temporary directories used for data staging are not wiped, leaving forensic evidence.
While **GitHub** has removed many of the malicious repositories, several dozen **GitHub Pages** redirectors remained active at the time of **Arctic Wolf**'s report. Researchers assess the operator is likely Russian-speaking and financially motivated but could not attribute the campaign to a specific threat actor.
**Arctic Wolf** advises caution when interacting with unofficial **GitHub** pages and warns against trusting "free downloads" of premium software. They have provided a **Yara** rule and Indicators of Compromise (**IoCs**) for detecting this activity.