Fake Arctic-Wolf-Security/.github README with concealed “OFFICIAL PAGE” link.
At a Glance
| Malware family | BoryptGrab-lineage in-memory infostealer |
| Threat actor | Unattributed; financially motivated, likely Russian-speaking |
| Targets | Opportunistic Windows users across sectors |
| Delivery vector | Brand-impersonation GitHub repositories and fake download pages |
| Key capabilities | 11 theft modules: browsers, wallets, messengers, credentials |
| Source | Arctic Wolf Labs |
TL;DR
Arctic Wolf counted 292 fake GitHub repositories impersonating software and security brands since 26 June 2026. Each one funnels visitors to a bogus “secure download” page that serves an infostealer. One repository even impersonated Arctic Wolf itself, and GitHub removed it after the company reported the abuse.
Why This Campaign Works
No exploit is involved here. As Arctic Wolf’s research team puts it, the campaign “relies on trust abuse, and is not a software vulnerability” in any impersonated brand. Victims arrive through search engines while hunting for free tools. The fake GitHub repositories span security tooling, fintech, crypto wallets, developer utilities, secure email, and gaming cheats. Consequently, victim selection depends on what someone searches for, not on their industry.
Delivery
The actor registers throwaway GitHub accounts and organizations that mimic real vendors. Each publishes a README with copied marketing text and a hidden download link. That link routes through a GitHub Pages redirector to an actor-controlled distribution domain. The final page shows a green download button dressed with spoofed trust badges like “VirusTotal Approved.”
Arctic Wolf found roughly 78 active redirectors and about 20 distribution domains. Notably, one templated HTML page serves every brand. Its script reads the referring domain from the URL, then writes the brand name into the heading at render time. That trick explains how one codebase produces hundreds of convincing lures.
Infection Chain
The download server rebuilds the ZIP archive roughly every 60 seconds. Each build changes the filename and the executable name, so no two victims get an identical sample. The archive weighs around 136 MB, but most of that is padding. Filler DLLs with random names simply pad the size so the download looks legitimate.
Only two files matter. The first is a legitimate, signed WinGUP updater renamed to match the impersonated product. The second is a trojanized libcurl.dll. When the victim runs the executable, the signed binary side-loads the malicious DLL. Execution then passes to attacker code inside a trusted process.
The loader decodes an embedded blob, rebuilds it into an executable image, and runs it entirely in memory using COM-based staging. That approach sidesteps memory scanners watching for common allocation patterns. Nothing touches disk at this stage.
What the Stealer Takes
Arctic Wolf describes the payload as “a pure smash-and-grab in-memory infostealer.” Eleven theft modules run in sequence. The first fingerprints the host and looks up the victim’s country through public geolocation services. Curiously, it also hashes the desktop wallpaper, which helps de-duplicate victims and spot sandboxes.
Later modules hit browser credentials and cookies across 19 or more browsers. The Chrome App-Bound Encryption bypass injects a small DLL into the browser process, then coaxes the elevation service into handing over the master key. Other modules copy Telegram session data from every attached drive, pull Discord tokens across three release channels, harvest Meta Max credentials, and scan Steam helper process memory for live session tokens. A 41-entry wallet path table covers roughly 32 wallet brands. The grabber also sweeps Desktop and Documents for files named after passwords, seeds, and recovery data.
Exfiltration and Footprint
The stealer zips everything and pushes it to a single hardcoded C2 over a raw chunked POST. That server sits on a Russian bulletproof hosting provider repeatedly tied to malware operations. Meanwhile, the implant sets no persistence and runs no anti-analysis checks. It also fails to clean up, leaving its staging folder and operational logs behind on disk.
Attribution
Arctic Wolf assesses with high confidence that the stealer shares the BoryptGrab codebase, a family Trend Micro first named. Binary comparison matched 1,638 functions, alongside an identical compiler toolchain and a distinctive misspelled staging path. However, the operational wrapper diverges in five ways, including payload staging and transport. Therefore the company rates same-actor attribution as only an even chance, at low confidence. Datadog Security Labs documented a parallel macOS impersonation campaign.
Defense and Detection
Block the reported C2 infrastructure and hunt for the signed WinGUP updater side-loading an unsigned libcurl.dll. That pairing is the clearest signal. Additionally, watch for leftover staging folders and browser decryption logs, since this build never removes them. Verify vendor GitHub pages against official links before downloading. Finally, treat brand-impersonation repositories as an active delivery channel, not a nuisance.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.