Over 100 GitHub Repositories Distributing BoryptGrab Stealer

The malware targets browser and cryptocurrency wallet data, along with system information and user files.

By Ionut Arghire | March 7, 2026 (7:40 AM ET)

A new information stealer has been distributed through a network of more than 100 GitHub repositories, Trend Micro reports.

Dubbed BoryptGrab, the malware can harvest browser and cryptocurrency wallet data, along with system information and user files. Additionally, certain iterations of the stealer can drop a backdoor dubbed TunnesshClient, which uses an SSH tunnel for command-and-control (C&C) communication.

Trend Micro’s investigation into BoryptGrab revealed multiple ZIP archives masquerading as free software tools that have been distributed through the GitHub repositories since late 2025. All identified binaries contained similar Russian-language comments and URL-fetching logic, although the execution logic differed between ZIP archives.

In some cases, DLL sideloading was used for execution, leveraging an executable within the archive, while in others a VBS script was used to fetch the launcher’s executable. A .NET executable, a Golang downloader named HeaconLoad, and other execution paths were also observed.

BoryptGrab is a C/C++ information stealer that includes VM and anti-analysis checks and attempts to execute with elevated privileges. It can harvest information from close to a dozen browsers, uses Chrome App-Bound Encryption bypass techniques taken from two GitHub repositories, and downloads a Chromium helper to collect information from the targeted browsers. It can also collect data from desktop cryptocurrency wallet applications and browser extensions, harvest system information, take screenshots, and collect files with specific extensions.
Additionally, Trend Micro discovered that the stealer can obtain Telegram files, browser passwords, and, in newer iterations, Discord tokens. All the harvested information is archived and sent to the attacker’s C&C server.

Some of the identified variants also deploy the TunnesshClient backdoor, which in other cases is dropped using different downloaders. TunnesshClient can execute commands provided by the attacker via a reverse SSH tunnel. Through that tunnel, the malware acts as a SOCKS5 proxy, executes shell commands, lists files, searches for files, uploads and downloads files, or sends entire folders to the attacker’s server.

“The BoryptGrab campaign illustrates an evolving threat ecosystem targeting users through deceptive software downloads and fake GitHub repositories,” Trend Micro notes, adding that the operation shows an increasing level of engineering sophistication.

Related: ‘Arkanix Stealer’ Malware Disappears Shortly After Debut
Related: ‘SolyxImmortal’ Information Stealer Emerges
Related: Lumma Stealer Activity Drops After Doxxing
Related: Hundreds Targeted in New Atomic macOS Stealer Campaign

Written by Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.