Security researchers from Trend Micro have identified a sophisticated new threat actor utilizing SEO-optimized GitHub repositories to distribute a potent information stealer dubbed BoryptGrab. By masquerading as “free tools” and popular software utilities, the campaign preys on the trust users place in legitimate developer platforms to harvest a vast array of personal and financial data.
The operation’s scale is significant, characterized by dozens of repositories and a rapidly evolving arsenal of malware variants.
The infection chain begins when a user searches for free versions of software or specialized digital tools. Attackers seed public GitHub repositories, which purport to offer these tools for free, with “SEO keywords to attract victims”.

Instead of the promised utility, the download provides a ZIP file that initiates the attack. As researchers noted, “The BoryptGrab campaign illustrates an evolving threat ecosystem targeting users through deceptive software downloads and fake GitHub repositories”.
BoryptGrab is designed for comprehensive theft. Once it gains a foothold on a Windows system, it begins a systematic sweep of the victim’s digital life.
- Browser Data: Harvesting saved credentials, auto-fill information, and history.
- Cryptocurrency Wallets: Locating and exfiltrating wallet files and keys.
- Communication Platforms: Extracting Telegram session information and Discord tokens.
- System Surveillance: Capturing screenshots and collecting common files from the hard drive.
Beyond simple data theft, the campaign has been observed delivering a new, custom-built backdoor called TunnesshClient. This PyInstaller-based executable establishes a reverse SSH tunnel, allowing the attacker to communicate directly with the compromised host.
“TunnesshClient is a new backdoor delivered during the attack chain,” the report explains. “It is a Pyinstaller executable that establishes a reverse SSH tunnel to communicate with the attacker and acts as a SOCKS5 proxy”. This capability allows attackers to tunnel their own traffic through the victim’s network, effectively using the compromised machine as a staging point for further attacks.
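The two behaviours described above, a PyInstaller-packed binary sweeping browser, wallet and messenger artefacts and then opening an outbound SSH connection for a reverse tunnel, are easy to correlate on the endpoint. The following is an added detection sketch, not Trend Micro's code or anything from the report: it runs over constructed Sysmon-style telemetry (the PIDs, paths and IP addresses are made up) and scores each process on a PyInstaller temp directory (`_MEI…`), the number of sensitive data categories it reads, and an outbound port-22 connection from a binary that is not the allowlisted system SSH client. The path patterns and thresholds are assumptions to be tuned for a real environment.

```python
"""Added detection sketch for BoryptGrab/TunnesshClient-style activity.
Correlates constructed endpoint events per process; not the report's own tooling."""
import re

# Constructed sample events. PID 4120 is a process unpacked from a PyInstaller
# temp dir that reads stealer targets and then opens an outbound SSH connection.
# PID 5000 is a benign control: the system OpenSSH client talking to port 22.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120,
     "image": r"C:\Users\alice\Downloads\FreeTool\FreeTool.exe",
     "cwd": r"C:\Users\alice\AppData\Local\Temp\_MEI48122"},
    {"type": "file_read", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"type": "file_read", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000003.ldb"},
    {"type": "file_read", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"type": "network_connect", "pid": 4120, "dst_ip": "203.0.113.10", "dst_port": 22},
    {"type": "process_create", "pid": 5000,
     "image": r"C:\Windows\System32\OpenSSH\ssh.exe", "cwd": r"C:\Users\alice"},
    {"type": "network_connect", "pid": 5000, "dst_ip": "198.51.100.5", "dst_port": 22},
]

# Assumed artefact locations for the data categories the article lists.
SENSITIVE_PATHS = {
    "browser":  re.compile(r"\\(Login Data|Web Data|Cookies|History)$", re.I),
    "telegram": re.compile(r"\\Telegram Desktop\\tdata\\", re.I),
    "discord":  re.compile(r"\\discord\\Local Storage\\leveldb\\", re.I),
    "wallet":   re.compile(r"\\(Exodus|Electrum|Bitcoin|Ethereum)\\|wallet\.dat$", re.I),
}
# PyInstaller one-file builds unpack into a %TEMP%\_MEI<digits> directory.
PYINSTALLER_TEMP = re.compile(r"\\_MEI\d+", re.I)
# Binaries that are expected to open SSH connections (assumed allowlist).
SSH_ALLOWLIST = {r"c:\windows\system32\openssh\ssh.exe"}


def analyze(events):
    """Return {pid: {"image", "flags", "categories"}} correlated across events."""
    procs = {}
    # First pass: learn each PID's image so later events are order-independent.
    for ev in events:
        if ev["type"] == "process_create":
            f = procs.setdefault(ev["pid"], {"image": None, "flags": set(), "categories": set()})
            f["image"] = ev["image"]
            if PYINSTALLER_TEMP.search(ev.get("cwd", "")) or PYINSTALLER_TEMP.search(ev["image"]):
                f["flags"].add("pyinstaller_temp")
    # Second pass: file access and network activity.
    for ev in events:
        f = procs.setdefault(ev["pid"], {"image": None, "flags": set(), "categories": set()})
        if ev["type"] == "file_read":
            for name, rx in SENSITIVE_PATHS.items():
                if rx.search(ev["path"]):
                    f["categories"].add(name)
        elif ev["type"] == "network_connect" and ev["dst_port"] == 22:
            # Outbound SSH from anything but the known client is a tunnel candidate.
            if (f["image"] or "").lower() not in SSH_ALLOWLIST:
                f["flags"].add("outbound_ssh_non_allowlisted")
    return procs


def score(finding):
    """Simple additive score: temp-dir unpack 1, each data category 1, odd SSH 2."""
    s = 1 if "pyinstaller_temp" in finding["flags"] else 0
    s += len(finding["categories"])
    s += 2 if "outbound_ssh_non_allowlisted" in finding["flags"] else 0
    return s


def suspicious_pids(events, threshold=3):
    """PIDs whose correlated behaviour meets the (assumed) alerting threshold."""
    return sorted(pid for pid, f in analyze(events).items() if score(f) >= threshold)


if __name__ == "__main__":
    for pid, f in analyze(SAMPLE_EVENTS).items():
        print(pid, f["image"], score(f), sorted(f["flags"]), sorted(f["categories"]))
    print("suspicious:", suspicious_pids(SAMPLE_EVENTS))
```

The point of correlating rather than alerting on any single event is that each signal alone is noisy: developers run PyInstaller builds, and admins open SSH sessions. A process that does both and also touches credential stores, session files and wallet directories within one lifetime is the pattern the report describes, and that combination is what the score rewards.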
Analysis of the malware’s internal code and infrastructure suggests a potential origin for the operation. Researchers noted that “malware code from different stages of the attack contains Russian-language comments and/or log messages”. Furthermore, the IP addresses used to manage the campaign geolocate to Russia, reinforcing the link to Russian-speaking threat actors.