Recently discovered by Trend Micro Research, BoryptGrab is a new stealer malware targeting Windows users through deceptive GitHub pages. The campaign uses fake software tools that are optimized for search engines so that they appear legitimate in search results. Once victims download and execute the ZIP files from these repositories, the malware starts an infection chain that includes downloading a reverse SSH backdoor known as TunnesshClient. The chain relies on base64-encoded URLs hidden within the home.html page; the malware fetches and decodes them to obtain actionable payloads. Different builds of BoryptGrab have been observed, some containing Russian-language comments and log messages, which suggests possible Russian origins for the threat actor.
New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages
Summary: Trend Micro Research has identified a new stealer malware called BoryptGrab, which targets Windows users via fake SEO-optimized GitHub repositories and deceptive download pages.
Key facts
- BoryptGrab is a new stealer malware targeting Windows users via fake SEO-optimized GitHub repositories.
- The malware is distributed through deceptive download pages hosted in publicly available GitHub repositories.
- The infection chain delivers a reverse SSH backdoor called TunnesshClient.
- Different builds of BoryptGrab have been observed, some with Russian-language comments and log messages.
- The campaign hides base64-encoded URLs within the home.html page.
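One way to triage a downloaded page for the hiding technique described above, as an added example that is not Trend Micro's or the campaign's code: scan the HTML for base64-looking tokens, decode the ones that are well-formed, and keep only those that decode to a URL. The sample page and its example.invalid URLs are constructed for the demonstration.

```python
import base64
import binascii
import re
from typing import List

# Constructed sample page standing in for a home.html like the one described.
# The decoded URLs use the reserved example.invalid domain: placeholders,
# not indicators from the campaign. One token has its '=' padding stripped.
_HIDDEN = [
    b"https://cdn.example.invalid/stage2.zip",
    b"http://dl.example.invalid/client.bin",
    b"https://mirror.example.invalid/setup.zip",
]
_ENC = [base64.b64encode(u).decode() for u in _HIDDEN]
SAMPLE_HTML = (
    "<html><body>\n"
    f"<!-- cfg: {_ENC[0]} -->\n"
    f'<div id="dl" data-u="{_ENC[1]}"></div>\n'
    f'<span class="x">{_ENC[2].rstrip("=")}</span>\n'
    "<p>build 9f8e7d6c5b4a3210ffeeddccbbaa; "
    f"note {base64.b64encode(b'plain text, not a url').decode()}</p>\n"
    "</body></html>\n"
)

# Candidate tokens: long runs of base64 alphabet characters plus optional
# padding. The 16-character floor keeps ordinary words from being decoded.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
_URL = re.compile(r"^https?://[^\s\"'<>]+$")

def extract_b64_urls(html: str) -> List[str]:
    """Return, in page order, every URL found base64-encoded in the HTML."""
    found: List[str] = []
    for token in _B64_TOKEN.findall(html):
        padded = token + "=" * (-len(token) % 4)  # restore stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue  # not a well-formed base64 block (bad length or padding)
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # hex build ids and similar decode to binary, not a URL
        if _URL.match(text) and text not in found:
            found.append(text)
    return found

if __name__ == "__main__":
    for url in extract_b64_urls(SAMPLE_HTML):
        print("hidden URL:", url)
```

Tokens that decode to plain text or binary are dropped, so hex build identifiers and ordinary attribute values do not produce false hits.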
Why it matters
The widespread use of deceptive GitHub pages poses a significant cybersecurity risk to individual users and organizations that rely on open-source communities. The integration of a reverse SSH backdoor enables attackers to maintain long-term control over infected systems, potentially leading to data breaches or other malicious activities.
@trendaisecurity