New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages

Summary: Trend Micro Research reports on the BoryptGrab campaign, which uses fake SEO-optimized GitHub repositories to distribute a data-stealing malware family targeting Windows users.

The BoryptGrab campaign employs fake SEO-optimized GitHub repositories and deceptive download pages to distribute a data-stealing malware family targeting Windows users. This sophisticated tactic aims to trick unsuspecting individuals into downloading malicious software disguised as legitimate tools or utilities.

BoryptGrab delivers multiple payloads, including a reverse SSH backdoor, which allows the threat actors to maintain persistent access to compromised systems. These deceptive repositories often appear legitimate and are optimized for search engines, making them harder for users to identify as fraudulent.

Key facts

  • The campaign uses fake SEO-optimized GitHub repositories and deceptive download pages.
  • It targets Windows users with a data-stealing malware family.
  • Multiple payloads, including a reverse SSH backdoor, are delivered to compromised systems.

Why it matters

This campaign poses a significant cybersecurity risk by exploiting common trust in open-source platforms like GitHub. It highlights the importance of user vigilance and the need for robust security measures to protect against such threats.

Source: X profile @trendaisecurity (https://x.com/trendaisecurity)