Cybercriminals have launched a campaign featuring hundreds of deceptive GitHub repositories that impersonate legitimate software and security tools to spread information-stealing malware.
This malicious campaign is designed to attract users searching for security products, cryptocurrency services, financial tools, developer utilities, secure email providers, macOS utilities, and gaming software.
The malware is engineered to gather sensitive data from over 19 web browsers, pilfer information from 32 cryptocurrency wallets, and extract confidential details from messaging and social media applications.
Cybersecurity experts from ArcticWolf uncovered this alarming trend after noting that one of their products was spoofed in a malicious scheme starting on June 26th.
The research team identified a total of 292 fraudulent repositories. Each repository featured a README file with a download link, redirecting users to a malicious download page.

Source: Arctic Wolf
The landing pages employed persuasive language and branding features to instill trust, such as a “Download Safe Content” button and a counterfeit trust badge.
Upon code analysis of the distribution page, researchers found it utilized a singular templated HTML/JS mechanism that was replicated across all fraudulent brands.
“The client-side script segments the URL path into two components: [paths].[0] user_code (a ‘circular’ token tracking the library’s repository/redirector) and [paths].[1] as a referrer domain (e.g., Arctic-Wolf.github.io),” Arctic Wolf mentions.
The displayed branding derives from the second segment at the time of rendering, substituting hyphens with spaces and applying appropriate title casing.

Source: Arctic Wolf
According to findings, the page delivers a sizable ZIP archive whose name and contents change roughly every minute. Inside the archive is a trojanized libcurl.dll and a legitimate signed WinGUP updater repurposed under a different name based on the spoofed program.
“When a user executes the file, gup.exe side-loads libcurl.dll to decode embedded infostealers entirely in memory and execute them reflexively.”
This variant of the information stealer, identified as part of the BoryptGrab family, targets the following data from infected devices:
- Passwords, cookies, payment details, and other data from 19 web browsers
- Information on 32 cryptocurrency wallet platforms
- Telegram sessions, Discord tokens, Steam session tokens
- Credentials for Meta’s Max Messaging Application
- Contents of Windows Credential Manager
- Desktop and document files with names or extensions indicative of passwords, recovery phrases, wallets, backups, etc.
- Screenshots, system details, and a list of installed software
Researchers report that this variant of BoryptGrab boasts a unique undocumented capability of bypassing Chrome’s app binding encryption via direct code injection into the browser process.
The stolen data is compressed prior to being transmitted to a command and control (C2) server situated in Russia.

Source: Arctic Wolf
Arctic Wolf highlighted that the malware is not designed for persistence on the host and aims to gather as much data as possible in one execution.
Furthermore, there is no analysis prevention mechanism in place, and the temporary directory used to store collected data during the breach is not cleared, leaving behind potential forensic evidence.
At the time of the Arctic Wolf report, GitHub had successfully removed most of the harmful repositories, but dozens of GitHub Pages redirectors remained operational.
While researchers could not pinpoint a specific actor behind this campaign, they estimated that the perpetrators were likely Russian-speaking and financially motivated.
Arctic Wolf advises that the effectiveness of this campaign hinges on users trusting “free downloads” of premium software tools and recommends exercising caution when engaging with unofficial GitHub pages.
Research teams have shared Yara rules to help detect this activity and indicators of compromise (IoC) linked to BoryptGrab.
Security teams report that 54% of successful attacks go undocumented, and warnings are issued in only 14% of cases. The remainder operate undetected within the environment.
Picus’ whitepaper provides insights on how to test your SIEM and EDR rules through breach and attack simulations to ensure effective threat detection.
Source: www.bleepingcomputer.com




