When you search for a free productivity tool, a game performance booster, or a media watermark remover and click the first GitHub result, you probably feel reasonably safe. GitHub is Microsoft-owned, widely trusted in the developer community, and associated with legitimate open-source software. That trust is exactly what the actors behind BoryptGrab have been systematically exploiting since at least April 2025.
Trend Micro researchers publicly disclosed the campaign in early March 2026 after tracing a cluster of suspicious ZIP files back to a network of fake GitHub repositories. What they found was not a simple dropper operation. BoryptGrab is a multi-stage, multi-payload ecosystem with variant build names, an apparent Malware-as-a-Service (MaaS) structure, anti-analysis capabilities, and infrastructure pointing toward a Russian-speaking threat actor. It is actively evolving, and it is not going away on its own.
The SEO Poisoning Play
The initial infection vector is not a phishing email, not a drive-by exploit, and not a compromised software update. It is a Google search. The campaign relies entirely on victims finding the malicious repositories organically, which is what makes it both scalable and particularly difficult to contain.
The attackers created over 100 public GitHub repositories, each advertising something that a real user would plausibly search for: tools like "Voicemod Pro download," "Filmora watermark remover," "CS2 skin changer," "Valorant FPS boost," and similar utilities. README files within these repositories were packed with SEO keywords engineered to push the repositories toward the top of search engine results. In documented cases, the malicious repository appeared just below the official product listing in Google Search — close enough that many users would not notice the difference.
Trend Micro confirmed that README files in these repositories were packed with SEO keywords engineered specifically to push them toward the top of search engine rankings — borrowing GitHub's domain authority to surface malicious pages ahead of legitimate software. — Trend Micro Threat Research, March 2026
This technique is known as SEO poisoning, and while it has been used in malvertising and fake software campaigns before, applying it to GitHub repositories at this scale represents a meaningful escalation. GitHub's domain authority is high; its pages rank well. The attackers are borrowing that authority for free.
Who Is Actually Getting Infected
The campaign's targeting of cracked software and game cheats is often framed as a self-inflicted problem, a tax on bad behavior. That framing misses who is realistically in the victim pool. Free productivity tools, watermark removers, and FPS boosters for popular games are searched for by students, content creators, video editors, and gamers who have no particular reason to understand the risk of downloading a GitHub ZIP. These are not reckless users knowingly hunting for something illicit. They are people doing what millions of users do every day: searching for software that solves a specific problem, clicking a plausible-looking result, and trusting that a Microsoft-owned platform is a safe place to download from.
The tools being impersonated also signal something about the victim's likely machine usage. Someone searching for a Filmora watermark remover is probably editing video. Someone looking for a Voicemod alternative is probably on calls or streaming. Someone searching for a CS2 performance booster is likely running a gaming machine that may also serve as their general-purpose computer. None of these profiles suggest a high security awareness baseline, but none of them suggest unusual recklessness either. The attack works precisely because it does not require the victim to do anything unreasonable.
This is not the first time GitHub has been abused as a delivery platform in 2025. Microsoft Threat Intelligence separately documented a malvertising campaign in March 2025 that redirected nearly one million devices globally through GitHub and two other platforms as part of its delivery chain. BoryptGrab represents a distinct and more sustained operation.
The Infection Chain: Step by Step
Once a victim clicks a link in the malicious README, the redirect sequence begins. The repository's index.htm page contains Russian-language HTML comments and a base64-encoded or AES-encrypted URL that automatically forwards the browser to a secondary home.html page. That page decodes a hardcoded URL and sends the user to a dynamically generated fake GitHub download page, one that mimics the visual structure of a legitimate GitHub release page closely enough to fool an inattentive visitor.
That final page does not serve a pre-built file. It generates the malicious ZIP archive on the fly, tailored to the victim's visit. Because every download is a fresh archive, file-hash blocklists have limited effectiveness here; detection has to key on what the archive contains and does rather than on its hash. The downloaded ZIP file then initiates the infection through one of several branching paths depending on the variant.
# Simplified infection chain
User searches for "voicemod pro free download"
-> Malicious GitHub repo appears near top of results
-> README link -> index.htm (base64/AES redirect)
-> home.html (decodes URL, forwards browser)
-> Fake GitHub download page (dynamically generates ZIP)
-> ZIP extracted by victim
-> Executable side-loads malicious libcurl.dll
-> Encrypted launcher payload decrypted
-> BoryptGrab stealer + optional secondary payloads deployed
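An analyst who pulls one of these index.htm or home.html pages wants to know where it forwards without loading it in a browser. The PowerShell below is an added example, not code from the Trend Micro report or from the campaign itself. It runs a constructed, stripped-down page (the base64 blob encodes a placeholder example.invalid URL) through a scanner that decodes every base64-looking token and reports the ones that turn into URLs, and it flags the redirect and client-side crypto primitives a page like this relies on. The sample page and the indicator list are assumptions of this example; an AES-encrypted variant cannot be decoded blind, which is why the script surfaces CryptoJS-style calls for manual follow-up rather than trying to recover the key.

```powershell
# Added example: static triage of a suspected redirect page. Not from the Trend Micro report.
# $SampleHtml is constructed; the base64 blob decodes to https://example.invalid/home.html.
$SampleHtml = @'
<html><head><!-- redirect stub --></head>
<body><script>
var u = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvaG9tZS5odG1s");
window.location.href = u;
</script></body></html>
'@

function Find-HiddenRedirects {
    param([string]$Html)
    $findings = @()

    # 1. Base64 tokens that decode to a URL: the index.htm -> home.html hop described above.
    foreach ($m in [regex]::Matches($Html, '[A-Za-z0-9+/]{16,}={0,2}')) {
        try { $bytes = [Convert]::FromBase64String($m.Value) } catch { continue }
        $text = [Text.Encoding]::UTF8.GetString($bytes)
        if ($text -match '^https?://[^\s"''<>]+$') {
            $findings += [pscustomobject]@{ Kind = 'base64-url'; Evidence = $m.Value; Decoded = $text }
        }
    }

    # 2. Redirect primitives and client-side crypto. Any of these on a "download" page deserves a look;
    #    CryptoJS/AES hits mean the target URL is encrypted and the key lives in the page's own script.
    #    (Indicator list is an assumption of this example.)
    $indicators = @{
        'js-redirect'   = '(location\.(href|replace|assign)|window\.open)\s*[=(]'
        'meta-refresh'  = '<meta[^>]+http-equiv\s*=\s*"?refresh'
        'client-crypto' = '(CryptoJS|AES\.decrypt|\.decrypt\()'
        'atob'          = '\batob\s*\('
    }
    foreach ($kind in $indicators.Keys) {
        foreach ($m in [regex]::Matches($Html, $indicators[$kind], 'IgnoreCase')) {
            $findings += [pscustomobject]@{ Kind = $kind; Evidence = $m.Value; Decoded = $null }
        }
    }
    $findings
}

# On a real page: Find-HiddenRedirects -Html (Get-Content -Raw .\index.htm)
Find-HiddenRedirects -Html $SampleHtml | Format-Table -AutoSize
```

On the constructed page this reports one base64-url finding (decoded to the placeholder home.html address) plus the js-redirect and atob primitives. Run it against home.html next with the decoded URL in hand; the chain ends at the page that generates the ZIP, and that URL is what you want in your proxy block list, not the repository.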
In one documented execution path, the ZIP contains a legitimate-looking executable that side-loads a malicious libcurl.dll. That DLL decrypts a launcher payload embedded in an encrypted resource. The launcher then reaches out to attacker-controlled infrastructure to download BoryptGrab itself. In other variants, a VBS downloader script handles the initial execution, using integer arrays to obfuscate strings, a function named EnsureElevatedPrivileges for privilege escalation, and encoded PowerShell commands that ultimately download and execute the payload. Notably, some VBS variants also instruct Windows Defender to exclude the entire C:\ drive from scanning.
Some variants of the VBS downloader add a Windows Defender exclusion for the entire C:\ drive before delivering the final payload, which removes real-time and on-demand scanning from everything on it. Adding an exclusion requires administrative rights, so on a standard-user account this step depends on the script's privilege-elevation routine succeeding, which on a default configuration means a UAC prompt the user can decline. If your endpoint protection is Windows Defender and its exclusions are not protected against local changes, this step removes a significant layer of protection before the stealer even runs.
Why Standard Detection Struggles Here
The multi-language architecture of the infection chain is not accidental. By moving through VBScript, C++, .NET, and Golang across successive stages, the campaign breaks the chain into pieces that look unrelated to endpoint and EDR logic tuned per stage. A detection rule tuned to flag suspicious VBS execution may not also flag the Golang binary that runs two stages later. A sandbox that evaluates the initial executable may time out before the encrypted launcher payload is decrypted and reaches out to pull down BoryptGrab itself. Each language transition forces defenders to connect behavioral dots across a chain that was specifically engineered to look like separate, unrelated events. Combined with the VM-detection and process-blocklist checks that BoryptGrab runs before executing on a live machine, this campaign was built with automated analysis infrastructure squarely in mind, and built to frustrate it. The one thread that survives the language changes is process lineage: until a persistence mechanism such as a scheduled task relaunches a payload under a new parent, every stage descends from the executable or script the victim ran out of the extracted ZIP, so EDR correlation on parent-child relationships and on the outbound fetch of each next stage is where detection engineering effort pays off here.
Secondary Payloads: Beyond the Stealer
BoryptGrab is the central payload, but the campaign's infrastructure can deliver additional components depending on which variant chain is triggered. Researchers identified three noteworthy additions: a Vidar infostealer variant, a Golang-based downloader named HeaconLoad, and a PyInstaller-packed backdoor called TunnesshClient.
The Vidar inclusion is worth pausing on. Vidar is not a new or obscure tool — it is one of the longest-running commercial infostealers in the Russian-language cybercrime ecosystem, active since at least 2018 and widely available as a subscription service on underground forums. Its inclusion alongside BoryptGrab, which is newer and purpose-built for this campaign, suggests the operators are hedging their payload delivery: if BoryptGrab fails or is detected on a given machine, an established, battle-tested stealer with different behavioral signatures serves as a fallback. The Vidar variants delivered in this campaign are obfuscated with XOR-encrypted strings, opaque predicates, and dynamic API resolution — additional layering designed to frustrate the automated analysis tools that would recognize standard Vidar signatures. This is not commodity malware lazily appended to the chain. It is a deliberately hardened fallback.
HeaconLoad deserves specific attention as a persistence mechanism. Once installed, it achieves persistence by adding a Run-key registry entry and creating a scheduled task, ensuring it survives reboots. It then beacons to the attacker via HTTP POST requests on port 8088 at a /healthcheck endpoint, sending collected system information and a hardcoded build tag. The operator's response includes fields named bundle_available and bundle_hash — a design that allows the attacker to push new payloads to the compromised machine at any time after infection, with hash verification to confirm download integrity. This is not a passive persistence mechanism; it is an active re-supply channel.
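The beacon described above is concrete enough to hunt for in proxy or firewall logs: an HTTP POST, destination port 8088, path /healthcheck, repeating from one host to one server. The PowerShell below is an added example, not code from the Trend Micro report. The log lines are constructed and the field layout ("utc-time src-ip dst-ip dst-port method uri status") is an assumption of this example; adapt ConvertFrom-ProxyLine to your own format. A single POST to a /healthcheck path is not enough on its own, since many legitimate services expose one, so the rule keys on the exact path together with the port, the method and a steady cadence from the same source.

```powershell
# Added example: flag HeaconLoad-style beaconing in proxy/firewall logs. Not from the Trend Micro report.
# Constructed sample log; field order is an assumption of this example.
$SampleLog = @'
2026-03-02T09:14:01Z 10.20.1.44 203.0.113.7 8088 POST /healthcheck 200
2026-03-02T09:14:05Z 10.20.1.44 142.250.72.14 443 GET / 200
2026-03-02T09:19:01Z 10.20.1.44 203.0.113.7 8088 POST /healthcheck 200
2026-03-02T09:24:02Z 10.20.1.44 203.0.113.7 8088 POST /healthcheck 200
2026-03-02T09:25:10Z 10.20.1.51 203.0.113.7 8088 GET /healthcheck 404
2026-03-02T09:26:00Z 10.20.1.60 198.51.100.9 8088 POST /api/v1/healthcheck 200
'@

function ConvertFrom-ProxyLine {
    param([string]$Line)
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 7) { return }
    [pscustomobject]@{
        Time    = [datetimeoffset]$f[0]
        SrcIp   = $f[1]
        DstIp   = $f[2]
        DstPort = [int]$f[3]
        Method  = $f[4]
        Uri     = $f[5]
        Status  = [int]$f[6]
    }
}

function Find-HeaconLoadBeacons {
    param([string[]]$Lines, [int]$MinHits = 2)
    $events = @($Lines | ForEach-Object { ConvertFrom-ProxyLine $_ })

    # The beacon as described by Trend Micro: HTTP POST to /healthcheck on TCP 8088.
    # Exact path match on purpose; '*healthcheck' alone would sweep in legitimate services.
    $hits = @($events | Where-Object {
        $_.DstPort -eq 8088 -and $_.Method -eq 'POST' -and $_.Uri -eq '/healthcheck'
    })

    # One host repeatedly posting to one server at a steady interval is the stronger signal.
    $hits | Group-Object SrcIp, DstIp | ForEach-Object {
        $times  = @($_.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $gaps   = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds })
        $sorted = @($gaps | Sort-Object)
        [pscustomobject]@{
            SrcIp        = $_.Group[0].SrcIp
            DstIp        = $_.Group[0].DstIp
            Beacons      = $_.Count
            MedianGapSec = if ($sorted.Count) { $sorted[[int][math]::Floor($sorted.Count / 2)] } else { $null }
            FirstSeen    = $times[0]
            LastSeen     = $times[-1]
        }
    } | Where-Object { $_.Beacons -ge $MinHits }
}

# Against a real export: Find-HeaconLoadBeacons -Lines (Get-Content .\proxy.log)
Find-HeaconLoadBeacons -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the sample this returns one row, 10.20.1.44 to 203.0.113.7 with three beacons roughly five minutes apart; the GET from 10.20.1.51 and the /api/v1/healthcheck POST from 10.20.1.60 are correctly left out. The source IP in that row is the host to triage next, and the destination is a candidate for the C2 block list.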
TunnesshClient is the most significant of these. It is not a simple persistence mechanism. Upon execution, it requests a challenge and credentials over HTTP, derives SSH keys, and establishes a reverse SSH tunnel to attacker-controlled servers. Through this tunnel, the operators can execute arbitrary shell commands, browse and exfiltrate files, upload additional tools, and route their own traffic through the victim's machine using it as a SOCKS5 proxy. A second variant instead spins up a local SSH server on the victim host and forwards the credentials back to the operators, who then pivot through the compromised system directly.
Trend Micro's analysis describes TunnesshClient as establishing reverse port forwarding over SSH after completing an HTTP-based challenge-response handshake — enabling operators to run commands, browse and exfiltrate files, upload additional tools, and route their own traffic through the victim machine as a SOCKS5 proxy. — Trend Micro / GBHackers analysis, March 2026
This transforms what could have been a simple data theft incident into a full remote access compromise. The victim's machine becomes infrastructure for the attacker, potentially for weeks or months after the initial infection.
What BoryptGrab Actually Steals
BoryptGrab is written in C/C++ and is engineered to harvest data across a wide surface area. It begins by checking for signs of a virtual machine, scanning running processes against a predefined blocklist, and attempting privilege escalation before proceeding. This anti-analysis behavior reduces the signal that sandbox environments would otherwise produce.
Once running on a real machine, the stealer targets credentials and cookies from nine browsers: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Brave, Vivaldi, Chromium, CentBrowser, and Yandex Browser. Critically, it uses techniques sourced from publicly available GitHub tools — specifically research repositories by researchers 00nx and xaitax — designed to bypass Chrome's App-Bound Encryption, a defense Google introduced in 2024 to make cookie theft harder on Windows. It also downloads a Chromium helper binary (x32_chromium.exe) from attacker infrastructure to assist with decrypting data from hardened browser configurations.
The cryptocurrency targeting is extensive. BoryptGrab scans for over 30 desktop wallet applications and browser-extension wallets, including Exodus, Electrum, Ledger Live, Atomic, Binance, Wasabi, Trezor Suite, Coinbase Wallet, and Bitcoin Core. The stealer then runs a "FileGrabber" module that collects files with high-value extensions from common user directories, extracts Telegram session files, and in newer builds, harvests Discord tokens, enabling account takeover across messaging platforms in addition to financial theft.
When no output path is specified by the operator, BoryptGrab constructs a default directory name using the current timestamp, the victim's public IP address, and their country code. This tagging system feeds directly into the campaign's affiliate-style tracking structure.
BoryptGrab actively bypasses Chrome's App-Bound Encryption using publicly available research tools. Storing credentials in the browser is no longer a reliable safeguard against this class of stealer. A dedicated password manager that keeps its vault locked when not in use, and passkeys or hardware security keys for the accounts that matter most, are significantly harder to harvest with this module. The residual caveat is that nothing stored on a machine where the stealer runs as the logged-in user is out of reach in principle, so phishing-resistant MFA and prompt session revocation limit what any stolen secret is worth.
The Screenshot Problem Nobody Is Talking About
One capability that tends to get buried in the technical coverage of BoryptGrab deserves its own treatment: the stealer captures a screenshot of the victim's desktop at the time of execution and bundles it with the exfiltrated data package. This is not a trivial addition. It gives the operator a timestamped visual record of whatever the victim had on their screen at the moment the malware ran.
The implications reach beyond the obvious. A screenshot taken during a work session can expose open documents, draft emails, VPN client windows, internal application interfaces, and any credentials or session tokens that happen to be visible. For someone who uses a personal machine for remote work — a population that overlaps heavily with the "downloaded a free productivity tool" demographic this campaign targets — a single screenshot can reveal information about an employer's internal systems that the victim never intended to hand over. The FileGrabber module then compounds this by collecting VPN configuration files and private key material from common directories. What begins as a personal credential theft incident can carry organizational consequences that the victim may not be in a position to fully understand or disclose.
Screenshots are also operationally valuable for the attacker's affiliate structure. A screenshot confirming that the victim machine belongs to a corporate user, runs enterprise software, or shows evidence of high-value accounts gives the central operator information to decide whether to prioritize that victim for TunnesshClient deployment. Data theft may be the baseline. Targeted remote access is the upgrade, and screenshots inform that triage decision.
Build Names, MaaS Structure, and Scale
One detail in Trend Micro's analysis stands out as an indicator of operational sophistication: the build name system. The BoryptGrab binary accepts a build name argument (passed via -b or --build-name) that is written into the harvested data logs. Researchers found build names including CryptoByte, Yaropolk, Kassay, Leon, NeoWho, Shrek, Sonic, Sonic_new1, and Sonic_new2. SOCFortress analysts also noted cruder internal identifiers present in recovered logs alongside the professionalized tags — a mix that reflects both calculated affiliate branding and the culture of the underground marketplace where this infrastructure is being sold or rented.
This is not random. These build names allow a central operator to attribute infection volume to specific sub-affiliates or distribution campaigns. It is the same model used by ransomware-as-a-service groups to track affiliate performance. The diversity of names observed in the wild strongly suggests that multiple parties are operating under a shared backend infrastructure, each running their own "marketing funnel" of fake repositories and download pages while reporting results back to the core operators.
Trend Micro's analysis characterizes BoryptGrab as an evolving threat ecosystem with dozens of repositories, shifting payloads, and numerous build names — indicators of an active, ongoing operation whose engineering sophistication continues to increase. — Trend Micro, March 2026
The earliest repository account commit Trend Micro identified dates to April 2025; the earliest ZIP sample is from late 2025. From that first commit to the March 2026 disclosure is close to eleven months of active, sustained operation, and continued operation is expected, since the infrastructure and affiliate model support ongoing deployment regardless of any single repository being removed.
Attribution: Russian Fingerprints, Unconfirmed Identity
The evidence pointing toward a Russian-speaking threat actor is substantial but stops short of formal attribution. Russian-language comments appear in the index.htm redirect pages, in the malware source code at multiple stages of the attack chain, and in internal log messages. The command-and-control infrastructure uses IP addresses physically located in Russia. Trend Micro noted the consistency of these markers across many components of the campaign but declined to assign the activity to a named group.
This caution is appropriate. False flags in source code are not unusual, and infrastructure can be rented across borders. What the evidence establishes with confidence is a Russian-language operational context, an organized multi-tier structure, and a sustained campaign that has been running for the better part of a year. Whether that maps to a known state-sponsored group, a financially motivated criminal organization, or a loosely organized affiliate network remains an open question.
GitHub's Position and the Platform Responsibility Problem
GitHub's Acceptable Use Policy prohibits using the platform to distribute malicious executables or support unlawful attacks. The platform also permits dual-use security research content and says it may temporarily restrict specific instances in cases of widespread abuse. In practice, the BoryptGrab campaign managed to operate more than 100 repositories for an extended period before coordinated public disclosure.
This is not a GitHub-specific failure — it reflects a broader challenge facing any large, open platform where legitimate and malicious content coexist and where SEO dynamics can surface malicious pages before defenders can respond. The same search engine algorithms that help legitimate developers get found also helped these repositories rank above real software for targeted queries. The BoryptGrab campaign is a practical demonstration of what SOCFortress analysts described as a "Build-a-Breach" workflow: malware campaigns being launched with the same optimization discipline as consumer software products.
It is worth noting that BoryptGrab did not arrive in isolation. Security researchers at Fortra disclosed a separate GitHub-related campaign during the same week, this one abusing GitHub's email notification system. In that operation, attackers inserted fake billing and support messages into commit comments on empty repositories, causing GitHub to generate authentic-looking notification emails that appeared to come from and impersonated well-known brands. The two campaigns are distinct operations, but their simultaneous disclosure underscores how thoroughly threat actors have mapped GitHub's legitimate infrastructure as a delivery and social engineering resource. The platform's trust is not being exploited in one way by one actor — it is being exploited in multiple ways by multiple actors at the same time.
In the same week Trend Micro published the BoryptGrab report, Fortra disclosed a separate GitHub campaign abusing the platform's email notification system to impersonate brand support messages. These are two different operations, but their simultaneous appearance signals that abuse of GitHub's trusted infrastructure has become a repeatable, multi-actor playbook — not an isolated incident.
Why the MaaS Model Changes the Threat Calculus
The distinction between "a piece of malware" and "a malware distribution platform" matters more than it might seem. Traditional malware campaigns are generally bounded by a single operator's capacity and technical skill. A MaaS structure removes both constraints. Affiliates bring their own distribution channels, their own target lists, and their own operational tempo. The core operators provide infrastructure, stealer binaries, and payload delivery without needing to manage every victim interaction themselves. The build name system in BoryptGrab is the operational accounting layer that makes this work: operators can see which affiliate-driven distribution funnels are generating results, optimize their infrastructure investment accordingly, and terminate or replace underperforming affiliates without disrupting the broader operation.
This is why disclosure and takedown of individual repositories does not end this campaign. When a repository is removed, the affiliate who controlled it either deploys a replacement or the central operator spins one up. The GitHub repositories are not the infrastructure — they are the storefronts. The actual infrastructure is the C2 network, the HeaconLoad beacon system, and the SSH tunneling endpoints, none of which are hosted on GitHub and none of which are affected by repository removals. Defenders who focus purely on the repository layer are addressing the symptom rather than the mechanism.
What the FileGrabber Is Actually Looking For
The "FileGrabber" module in BoryptGrab is more targeted than its generic name suggests. It does not indiscriminately archive a victim's entire drive. Instead, it scans common user directories — Desktop, Documents, Downloads, and similar locations — for files with specific extensions associated with high-value data: documents, spreadsheets, password-related filenames, cryptocurrency seed phrase files, private key files, and similar material. This design reflects operational discipline: the attackers want material they can monetize or leverage, not raw storage they then have to process.
For individual victims, this means the threat is not limited to credentials already stored in a browser. If you keep a text file named "passwords" or a document containing wallet seed phrases anywhere in common user directories, the FileGrabber will collect it. The same applies to SSH private keys, VPN configuration files, or any document pattern that a financially motivated threat actor would recognize as valuable. This is a meaningful expansion of the attack surface beyond browser credential theft, and it is a component that many standard endpoint protection products will not flag specifically because the files being read are the victim's own files.
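A practical way to turn the paragraph above into an incident scope is to enumerate what a grabber working by name, extension and location would have found in the user profile that was running when the stealer executed. The PowerShell below is an added example, not code from the Trend Micro report; the page does not publish BoryptGrab's exact extension list, so the categories and name patterns are assumptions of this example, chosen to cover the document, credential, key, VPN and wallet material the article describes. It goes a step further than name matching by reading small .txt files for 12- or 24-word lowercase lines, the shape of a BIP-39 seed phrase.

```powershell
# Added example: scope what a FileGrabber-style module would have collected from this profile.
# Not from the Trend Micro report. Categories and patterns are assumptions of this example.
$GrabberDirs = 'Desktop', 'Documents', 'Downloads' | ForEach-Object { Join-Path $HOME $_ }

# Ordered so the most sensitive category wins when a file name matches several.
$GrabberPatterns = [ordered]@{
    'private-key'     = '\.(pem|ppk|key|p12|pfx)$|^id_(rsa|dsa|ecdsa|ed25519)$'
    'crypto-wallet'   = '(seed|mnemonic|recovery|wallet|keystore)'
    'credential-file' = '(password|passwd|login|credential)|\.kdbx$'
    'vpn-config'      = '\.(ovpn|conf)$'
    'document'        = '\.(docx?|xlsx?|pptx?|pdf|txt|rtf|csv)$'
}

function Test-SeedPhraseLike {
    param([string]$Path)
    # BIP-39 phrases are 12 or 24 lowercase words of 3-8 letters; only small text files are worth reading.
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $item -or $item.Length -gt 4KB) { return $false }
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue) {
        $words = @($line.Trim() -split '\s+' | Where-Object { $_ })
        if (($words.Count -eq 12 -or $words.Count -eq 24) -and
            @($words -notmatch '^[a-z]{3,8}$').Count -eq 0) { return $true }
    }
    return $false
}

function Get-GrabberExposure {
    param([string[]]$Paths = $GrabberDirs, $Patterns = $GrabberPatterns)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $file = $_
            $category = $null
            foreach ($name in $Patterns.Keys) {
                if ($file.Name -imatch $Patterns[$name]) { $category = $name; break }
            }
            if (-not $category) { return }   # inside ForEach-Object, return moves to the next file
            $seed = ($file.Extension -eq '.txt') -and (Test-SeedPhraseLike -Path $file.FullName)
            [pscustomobject]@{
                Category   = if ($seed) { 'crypto-wallet' } else { $category }
                SeedPhrase = $seed
                SizeKB     = [math]::Round($file.Length / 1KB, 1)
                Modified   = $file.LastWriteTime
                Path       = $file.FullName
            }
        }
    }
}

$exposure = @(Get-GrabberExposure)
$exposure | Sort-Object Category, Path | Format-Table Category, SeedPhrase, SizeKB, Path -AutoSize
"$($exposure.Count) files in scope; $(@($exposure | Where-Object SeedPhrase).Count) look like seed phrases"
```

The output is the list to work from when deciding which keys to rotate, which wallets to sweep and which documents to treat as disclosed. Run it under the account that was logged in when the ZIP was opened; a grabber running as that user sees exactly what this script sees, nothing more and nothing less.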
If You Think You Were Hit: Incident Response Considerations
The conventional advice for "I downloaded something suspicious" — run a scan, delete the file, move on — is insufficient for a confirmed or suspected BoryptGrab infection. The campaign's layered architecture means that by the time a user realizes something is wrong, the infection may have already completed multiple stages. Here is the realistic scope of what needs to be addressed:
Assume all browser-stored credentials are compromised. Every saved password, session cookie, and autofill entry across all nine targeted browsers should be treated as known to the attacker. This means rotating credentials for every service those browsers touched, prioritizing high-value accounts like email, banking, and cryptocurrency exchanges, and revoking active sessions across platforms. Changing a password is not sufficient if the attacker already holds a valid session cookie for that account — session revocation must be explicit.
Audit for TunnesshClient and HeaconLoad specifically. The presence of a reverse SSH tunnel or an active HeaconLoad beacon means the machine has been providing ongoing access to the attacker even if the initial BoryptGrab executable has already run and exited. Look for Run and RunOnce entries under both HKCU and HKLM that point at user-writable locations, scheduled tasks outside the \Microsoft\ tree with unusual names or execution paths, and established outbound connections to remote port 8088 or to SSH ports from processes that are not your SSH client. Windows Defender exclusions should be audited on every suspect machine, not only those where tamper protection was off, for a drive-wide C:\ exclusion, which is a specific indicator of the VBS variant's pre-execution behavior.
Treat any cryptocurrency wallet as potentially exfiltrated. BoryptGrab targets wallet files, not just wallet application credentials. If wallet data files were present on the infected machine, the private keys may be in the attacker's possession regardless of whether any on-chain theft has occurred yet. For hardware wallets, the wallet software and configuration files can still expose metadata and transaction history. For software wallets where seed phrases or private keys are stored on disk in any form, assume those keys are compromised and migrate funds to a freshly generated wallet on a clean machine.
The machine cannot be considered clean without a full rebuild. Given the HeaconLoad re-supply mechanism, which can push new payloads after the initial infection, there is no reliable way to audit a BoryptGrab-infected machine back to a known-good state through scanning alone. A fresh OS install from verified media is the appropriate remediation path for any machine where a confirmed infection occurred.
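The four steps above reduce, on the host side, to a handful of checks that should be collected before the rebuild and kept with the incident record. The PowerShell below is an added example, not code from the Trend Micro report, and it assumes a Windows 10 or 11 host with the built-in ScheduledTasks, NetTCPIP and Defender modules. The "Suspicious" heuristics (launch paths under user-writable directories, script hosts, encoded PowerShell, a whole-drive Defender exclusion) are assumptions of this example rather than published indicators, so treat a flagged row as something to look at, not as a verdict. Run it from an elevated prompt so HKLM and the Defender status are readable.

```powershell
# Added example: one-pass host triage for the persistence, beacon and Defender-tampering behaviours
# described above. Not from the Trend Micro report; heuristics below are this example's assumptions.
$UserWritable = '\\(AppData|Temp|Downloads|Users\\Public|ProgramData)\\'

function Get-RunKeyEntries {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            [pscustomobject]@{
                Check      = 'RunKey'
                Name       = "$key\$($p.Name)"
                Detail     = [string]$p.Value
                Suspicious = [string]$p.Value -imatch $UserWritable
            }
        }
    }
}

function Get-ScheduledTaskEntries {
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
                [pscustomobject]@{
                    Check      = 'ScheduledTask'
                    Name       = "$($task.TaskPath)$($task.TaskName)"
                    Detail     = $cmd
                    Suspicious = $cmd -imatch "$UserWritable|\b(wscript|cscript|mshta)\b|powershell.* -e(nc(odedcommand)?)?\b"
                }
            }
        }
}

function Get-BeaconConnections {
    # 8088 is the HeaconLoad beacon port; for SSH, only a client launched from a user-writable path is flagged.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in 8088, 22 } | ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Check      = 'Connection'
                Name       = "$($_.RemoteAddress):$($_.RemotePort)"
                Detail     = "pid $($_.OwningProcess) $($proc.ProcessName) $($proc.Path)"
                Suspicious = ($_.RemotePort -eq 8088) -or ([string]$proc.Path -imatch $UserWritable)
            }
        }
}

function Get-DefenderState {
    $pref   = Get-MpPreference -ErrorAction SilentlyContinue
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    foreach ($path in @($pref.ExclusionPath | Where-Object { $_ })) {
        [pscustomobject]@{
            Check      = 'DefenderExclusion'
            Name       = $path
            Detail     = 'ExclusionPath'
            Suspicious = $path -match '^[A-Za-z]:\\?$'   # whole-drive exclusion, as the VBS downloader adds
        }
    }
    [pscustomobject]@{ Check = 'DefenderRealTime';   Name = 'RealTimeProtectionEnabled'; Detail = [string]$status.RealTimeProtectionEnabled; Suspicious = (-not $status.RealTimeProtectionEnabled) }
    [pscustomobject]@{ Check = 'DefenderTamperProt'; Name = 'IsTamperProtected';         Detail = [string]$status.IsTamperProtected;         Suspicious = (-not $status.IsTamperProtected) }
}

$findings = @(Get-RunKeyEntries) + @(Get-ScheduledTaskEntries) + @(Get-BeaconConnections) + @(Get-DefenderState)
$findings | Export-Csv -Path ".\triage-$env:COMPUTERNAME.csv" -NoTypeInformation   # keep the full record
$findings | Where-Object Suspicious | Format-Table Check, Name, Detail -AutoSize -Wrap
```

The CSV is the artifact to preserve; the filtered table is the quick read. An empty table does not clear the machine (HeaconLoad can have pulled a bundle that uses a different port, and the stealer itself leaves nothing running), which is why the rebuild in the last step stands regardless of what this script reports.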
The Organizational Exposure Nobody Is Disclosing
The framing of BoryptGrab as a threat to individuals searching for cracked software is accurate but incomplete. The demographic that downloads game performance tools, free productivity software, and media utilities on Windows machines is not exclusively a student or hobbyist population. It overlaps substantially with remote workers and hybrid employees who use personal machines — or lightly managed corporate machines — to access work applications, VPN clients, and corporate email. That overlap is where this campaign's organizational risk lives, and it is largely absent from incident response discussions around this threat.
Consider what BoryptGrab's FileGrabber actually finds on a typical work-from-home machine: VPN configuration files, SSH private keys for cloud infrastructure, corporate credentials autofilled in a browser, and active session cookies for enterprise SSO portals. A victim who works in IT, finance, or operations may have browser-stored credentials for platforms that an attacker would find far more valuable than a personal cryptocurrency wallet. The screenshot captured at execution time may show an open remote desktop session, a project management tool, or an internal dashboard. The session cookies exfiltrated once Chrome's App-Bound Encryption has been bypassed may include authenticated sessions for Microsoft 365, Salesforce, or any number of SaaS platforms the employer assumed were protected.
This creates a specific organizational problem: the victim may not know they are the entry point for a potential corporate compromise. They may never report the incident. If they run a scan, find nothing, and move on, the employer remains unaware. If TunnesshClient was deployed, the attacker now has persistent access to a machine that connects to the corporate network on a regular basis. The BoryptGrab IR guidance for individuals — assume browser credentials are compromised, rotate everything, rebuild the machine — is also the appropriate threshold for any organization whose employees may have been affected, whether or not those employees self-report.
If any employee in your organization uses a personal or lightly managed Windows machine for work access, BoryptGrab is an organizational threat, not just a personal one. Browser-stored corporate credentials, active SSO session cookies, VPN configs, and SSH keys are all within scope for the FileGrabber. The victim may never self-report. Security teams should treat employee-device infections of this class as potential corporate exposure events, not personal matters.
Key Takeaways
- GitHub search results are not inherently safe: The platform's domain authority makes it a high-value target for SEO poisoning. Appearing in search results does not mean a repository is legitimate. Always verify that you are on the official repository for any software, particularly before downloading a ZIP archive.
- Free tool downloads are a primary attack surface: This campaign specifically targets people searching for cracked software, game cheats, and free versions of paid utilities. If the software costs money, the "free download" GitHub page is a threat indicator, not a deal.
- The victim pool is not who you think: This campaign does not require the victim to do anything reckless. Students, content creators, and remote workers searching for legitimate-sounding tools are the realistic target population. Framing this as a consequence of piracy behavior understates the actual risk surface.
- Chrome's App-Bound Encryption is not sufficient protection here: BoryptGrab incorporates public bypass techniques sourced from openly available research. Hardware-backed or offline credential management is a more resilient approach for high-value accounts.
- Screenshots mean the attacker sees your screen, not just your files: The screenshot taken at execution time can expose open sessions, internal dashboards, displayed credentials, and corporate interfaces that are never stored in a browser or on disk. For employees on personal machines, this is an organizational exposure, not just a personal one.
- TunnesshClient means data theft is the floor, not the ceiling: Victims who receive the SSH backdoor payload are not just facing credential loss — they face ongoing remote access by the threat actor. Incident response for a confirmed BoryptGrab infection should treat the machine as fully compromised, audit for HeaconLoad persistence and lateral movement, and plan for a full rebuild rather than a scan-and-clean approach.
- Application allowlisting and Defender tamper protection matter: The VBS variant of this campaign adds a Defender exclusion for the whole C:\ drive. Tamper protection on its own guards settings such as real-time and cloud-delivered protection; to keep exclusions from being changed locally, the device also needs to be managed through Intune or Configuration Manager with local administrator merge disabled, and users should not run day to day as local administrators, since the exclusion cannot be written without elevation. Application allowlisting (WDAC or AppLocker) restricts which executables and scripts can run in the first place, which stops the side-loading executable and the VBS downloader before Defender settings come into play.
- Seed phrases and private keys on disk are in scope: The FileGrabber module collects files by extension and location, not just browser data. Any file in common user directories that could hold cryptocurrency keys, password lists, or private key material should be treated as potentially exfiltrated.
- Removing repositories does not remove the campaign: The GitHub repositories are storefronts, not infrastructure. The MaaS backend, C2 servers, and HeaconLoad beacon network are independent of any repository action. Campaign disruption requires action at the infrastructure level, which public disclosure alone does not accomplish.
- Organizations should treat this as a corporate threat, not just a personal one: Any employee using a personal or lightly managed Windows machine to access work systems is a potential entry point. Browser-stored corporate credentials, VPN configurations, SSH keys, and active SSO session cookies are all within scope. Security teams cannot rely on self-reporting from employees who ran a scan and saw nothing.
The BoryptGrab campaign is a well-executed example of how threat actors exploit trust in legitimate platforms rather than attacking defenses directly. It requires no zero-day vulnerability, no phishing attachment, and no exploit kit. It requires only that a user trusts a GitHub search result enough to download a ZIP file. Keeping that trust calibrated — verifying sources, treating cracked-software downloads as threat indicators regardless of platform, and maintaining resilient endpoint configurations — remains the most practical defense available to individuals and organizations alike.
Sources
- Trend Micro — New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages (March 5, 2026)
- TechInformed — GitHub malware campaign uses SEO to steal browser and wallet data
- Security Affairs — Massive GitHub malware operation spreads BoryptGrab stealer
- Cyber Security News — BoryptGrab Stealer Spreads via Fake GitHub Repositories
- GBHackers — BoryptGrab Malware Abuses GitHub to Steal Browser and Crypto Wallet Data
- SOCFortress (Medium) — Over 100 GitHub Repositories Distributing BoryptGrab Stealer
- Cybernews — Fake GitHub tools are wiping wallets of Windows users
- SecurityWeek — Over 100 GitHub Repositories Distributing BoryptGrab Stealer
- Redmond Magazine — GitHub Abuse Emerges in Twin Social Engineering Campaigns (March 2026)