- Fake GitHub Lures: An unattributed actor used at least 292 pages and repositories to impersonate legitimate software brands.
- Delivery Chain: A reusable branded template rotated ZIP downloads before a signed updater loaded a malicious dynamic-link library.
- Data Theft: BoryptGrab-lineage information-stealing malware targeted browser credentials, wallet data, messaging sessions, gaming tokens, files, and screenshots.
- Takedown Limits: GitHub removed much of the material, but 78 redirectors remained active at the documented research cutoff.
- User Check: Software seekers should verify repository owners and download programs only through official vendor channels.
An unattributed actor has published 292 GitHub repositories in a delivery chain beginning June 26. Polished READMEs, trust badges, and download buttons made the fake pages resemble legitimate software and security projects. Visitors moved from those READMEs through GitHub-hosted redirectors and the actor’s domain to a fake download page.
Each final download was a ZIP archive carrying BoryptGrab-lineage information-stealing malware. Eleven theft modules targeted credentials and cookies across more than 19 browser names, roughly 32 cryptocurrency wallet brands, messaging data, gaming tokens, files, screenshots, and Windows credentials. GitHub had removed much of the malicious material by July 13, but 78 redirectors remained active during the examination.
Repository and redirector totals do not measure victims. Cybersecurity researchers at Arctic Wolf Labs discovered the operation after finding an impersonation of one of the company’s products. Familiar branding and GitHub’s recognizable presentation supplied credibility without exploiting a vulnerability in GitHub or the impersonated vendors.
One Template Powered Hundreds of Lures
People searching for security, finance, cryptocurrency, developer, email, macOS, and gaming tools encountered the fake repositories. Marketing-style READMEs sent them through a GitHub-hosted page to an attacker-controlled domain. A single reusable HTML and JavaScript template read the URL path to select visible branding, letting the operator change the apparent product without rebuilding the delivery site.
URL-driven branding supported hundreds of software lures across unrelated categories from one codebase. Each ZIP archive had a filename and payload that changed every 60 seconds. Rapid rotation complicated filename-based blocking while preserving the same package structure: a legitimate signed WinGUP updater beside a trojanized libcurl.dll file.
When launched, the signed updater side-loaded a trojanized libcurl.dll from the location where it expected a trusted dependency. Placed beside the updater, the malicious dynamic-link library loaded and ran attacker-controlled code in memory. A signature on the updater covered neither the library nor the combined package and did not establish the complete download’s safety.
A binary comparison matched 1,638 functions and found that 94% of the sample’s functions appeared in the reference BoryptGrab binary. Such overlap supports a shared BoryptGrab codebase without proving the binaries are identical. Operator attribution requires separate infrastructure or identity evidence, leaving the person or group behind this campaign unknown.
What the Malware Took and What Remains Unknown
BoryptGrab harvested browser credentials and cookies, cryptocurrency wallet data, messaging sessions, gaming tokens, selected local files, screenshots, system details, and Windows Credential Manager entries. It also injected code into Chrome to bypass App-Bound Encryption, Chrome’s protection for browser secrets. Stolen information was compressed for transmission to a Russia-based command-and-control server.
Unlike malware designed to survive reboots and maintain long-term access, the analyzed implant established no persistence. Its one-run theft model still exposed stored credentials, active sessions, wallet data, and local files before exit. A staging directory and operational logs remained on disk after exfiltration, giving defenders artifacts to inspect.
Neither the server’s location nor the 1,638-function comparison identifies the operator.
Takedowns Leave a Verification Problem
Removing repositories interrupts active lures without dismantling the reusable delivery model. Removal is reactive, and spinning up new accounts costs a malware actor basically nothing. Recent creation dates, sparse commit histories, marketing-heavy READMEs, fabricated badges, and ZIP-delivered executables are practical warning signs.
Security teams can inspect endpoints for side-loaded libraries, staging folders, and unexpected browser-process injection.
Defenders can also use the campaign’s BoryptGrab_infostealer.yara rule and boryptgrab_indicators.csv file to search files for matching patterns. YARA supplies a pattern-matching malware detection rule, while the CSV provides campaign indicators.
In 2025, a separate campaign exploited GitHub’s trusted status to distribute malware. A separate fake OpenAI-branded Hugging Face repository may have delivered an infostealer. Both incidents provide context for repository abuse, not evidence of the same campaign or operator.
Researchers could not identify the current actor but assessed the operator as likely Russian-speaking and financially motivated.
GitHub user should run executables only when the repository owner and download URL match the software vendor’s verified channel. Familiar branding, rather than verified vendor ownership, supported the fake BoryptGrab repositories.


