
New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages

A new information stealer named BoryptGrab is being distributed through deceptive GitHub repositories that masquerade as legitimate software tools. The malware employs complex infection chains involving DLL side-loading, VBS downloaders, and encrypted payloads to deliver the stealer alongside additional backdoors like TunnesshClient and HeaconLoad.

Sens: 24h · Conf: high · Analyzed: 2026-03-05

Authors: Mingyue Shirley Yang

Actors: BoryptGrab Campaign, Vidar

Source: Trend Micro


Key Takeaways

  • BoryptGrab is a new information stealer targeting browser data, cryptocurrency wallets, and system information, distributed via fake GitHub repositories using SEO poisoning.
  • The attack chain delivers multiple payloads, including TunnesshClient (a PyInstaller reverse SSH backdoor) and HeaconLoad (a Golang downloader).
  • Threat actors employ DLL side-loading (via libcurl.dll), encrypted payloads, and VBS/PowerShell scripts to evade detection.
  • Evidence such as Russian-language comments, log messages, and IP addresses suggests a Russian origin for the threat actor.

Affected Systems

  • Windows
  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Brave Browser
  • Opera
  • Cryptocurrency Wallets

Attack Chain

Victims are lured to fake GitHub repositories via SEO poisoning and download a malicious ZIP file masquerading as legitimate software. The ZIP contains either an executable that performs DLL side-loading (libcurl.dll) or a VBS script to download further payloads. These launchers decrypt and execute the BoryptGrab stealer, which harvests browser data, crypto wallets, and system info. Concurrently, backdoors like TunnesshClient (reverse SSH tunnel) or HeaconLoad are deployed for persistence and remote access.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Trend Micro Vision One

The article provides a proprietary hunting query for Trend Micro Vision One to detect BoryptGrab malware detections.

Detection Engineering Assessment

  • EDR Visibility: High — The attack involves multiple process creations (PowerShell, wscript, schtasks), file drops in %TEMP%, and network connections to non-standard ports, which are highly visible to EDR.
  • Network Visibility: Medium — C2 traffic uses HTTP for payload delivery and SSH/SOCKS5 for tunneling, which can be detected, but the reverse SSH tunnel encrypts the interactive session.
  • Detection Difficulty: Moderate — While the initial delivery uses obfuscation and side-loading, the subsequent behaviors (Defender exclusions, scheduled tasks masquerading as Edge updates, cleartext HTTP API requests) provide solid detection opportunities.

Required Log Sources

  • Process Creation (Event ID 4688/Sysmon 1)
  • File Creation (Sysmon 11)
  • Network Connections (Sysmon 3)
  • Scheduled Task Creation (Event ID 4698)

Hunting Hypotheses

Each entry lists Hypothesis | Telemetry | ATT&CK Stage | FP Risk.

  • Hypothesis: Look for schtasks.exe creating tasks named 'MicrosoftEdgeUpdateTaskMachineCore' from unexpected parent processes. | Telemetry: Process Creation (Event ID 4688/Sysmon 1) | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Monitor for PowerShell commands adding the root C:\ drive to Windows Defender exclusions. | Telemetry: Process Creation (Event ID 4688/Sysmon 1) | ATT&CK Stage: Defense Evasion | FP Risk: Low
  • Hypothesis: Hunt for HTTP GET/POST requests to unusual ports (e.g., 5466, 5000, 8088) with URI paths containing '/api/' or '/healthcheck'. | Telemetry: Network Connections (Sysmon 3) / Proxy Logs | ATT&CK Stage: Command and Control | FP Risk: Medium
  • Hypothesis: Detect wscript.exe executing .vbs files originating from the %TEMP% directory. | Telemetry: Process Creation (Event ID 4688/Sysmon 1) | ATT&CK Stage: Execution | FP Risk: Low
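The four hypotheses above as detection logic run over constructed sample telemetry. This is an added example, not code from the Trend Micro report or this page; the event field names follow Sysmon Event ID 1 and a generic proxy log, and every path, parent process and IP in the sample data is invented.

```python
import re

# Constructed sample telemetry shaped like Sysmon Event ID 1 fields and proxy log rows.
# Every path, IP and parent process here is invented for the example.
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'schtasks /Create /TN "MicrosoftEdgeUpdateTaskMachineCore" /XML C:\Users\u\AppData\Local\Temp\client_task_system.xml'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",  # benign updater
     "CommandLine": r'schtasks /Create /TN "MicrosoftEdgeUpdateTaskMachineCore" /XML C:\Program Files (x86)\Microsoft\EdgeUpdate\task.xml'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Users\u\Downloads\tool\setup.exe",
     "CommandLine": r'powershell.exe -command "Add-MpPreference -ExclusionPath \"C:\\\""'},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\kFcjld.vbs"'},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Scripts\logon.vbs"'},  # benign logon script, outside Temp
]
PROXY_EVENTS = [
    {"dst_ip": "203.0.113.10", "dst_port": 5466, "method": "GET", "path": "/api/x32_chromium"},
    {"dst_ip": "203.0.113.11", "dst_port": 443, "method": "GET", "path": "/api/v1/users"},  # ordinary HTTPS API
    {"dst_ip": "203.0.113.12", "dst_port": 8088, "method": "POST", "path": "/healthcheck"},
]
SUSPECT_PORTS = {5466, 5000, 8088}  # non-standard ports named in the report


def hunt_process_events(events):
    """Return (rule, event_index) pairs for hypotheses 1, 2 and 4 over process-creation events."""
    hits = []
    for i, ev in enumerate(events):
        img, parent, cmd = ev["Image"].lower(), ev["ParentImage"].lower(), ev["CommandLine"]
        # H1: the Edge-update task name created by anything but the real Edge updater
        if (img.endswith(r"\schtasks.exe") and "microsoftedgeupdatetaskmachinecore" in cmd.lower()
                and not parent.endswith(r"\microsoftedgeupdate.exe")):
            hits.append(("edge_task_unexpected_parent", i))
        # H2: Add-MpPreference whose exclusion path is a bare drive root such as C:\
        if img.endswith(r"\powershell.exe") and re.search(
                r'add-mppreference.*-exclusionpath\s+[\\"]*[a-z]:[\\"]*(\s|$)', cmd, re.I):
            hits.append(("defender_root_drive_exclusion", i))
        # H4: wscript.exe launching a .vbs that lives under a Temp directory
        if img.endswith(r"\wscript.exe") and re.search(r'\\temp\\[^"]*\.vbs', cmd, re.I):
            hits.append(("wscript_vbs_from_temp", i))
    return hits


def hunt_proxy_events(events):
    """Return indexes of GET/POST requests to the suspect ports with /api/ or /healthcheck paths (H3)."""
    return [i for i, ev in enumerate(events)
            if ev["dst_port"] in SUSPECT_PORTS and ev["method"] in ("GET", "POST")
            and ("/api/" in ev["path"] or ev["path"].startswith("/healthcheck"))]
```

Run against the sample data, the first rule fires on the wscript-spawned schtasks but not on the genuine updater, H2 ignores exclusions that name a subdirectory, and H3 skips the port-443 API call.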

Control Gaps

  • Lack of strict application control allowing execution of unsigned binaries from ZIP files
  • Permissive outbound network rules allowing SSH/HTTP to arbitrary external IPs on non-standard ports

Key Behavioral Indicators

  • Process ancestry involving wscript.exe spawning from temp directories
  • Creation of %TEMP%\client_task_system.xml
  • HTTP requests with hardcoded User-Agents or specific build names in the URI (e.g., /api/CryptoByte)

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block known C2 IP addresses and domains at the perimeter.
  • Search endpoint telemetry for the provided file hashes and isolate affected machines.

Infrastructure Hardening

  • Restrict outbound SSH (port 22) and non-standard HTTP ports (5466, 5000, 8088) to authorized destinations only.
  • Implement application control to prevent execution of unknown binaries from user directories.

User Protection

  • Enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.
  • Ensure Microsoft Defender Tamper Protection is enabled to prevent unauthorized exclusions.

Security Awareness

  • Educate users on the risks of downloading software from unofficial sources, including unverified GitHub repositories.
  • Train developers and gamers to verify the authenticity of tools and mods before execution.

MITRE ATT&CK Mapping

  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.005 - Command and Scripting Interpreter: Visual Basic
  • T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
  • T1090.002 - Proxy: External Proxy
  • T1573.002 - Encrypted Channel: Asymmetric Cryptography
  • T1140 - Deobfuscate/Decode Files or Information

Additional IOCs

  • IPs:
    • 45[.]93[.]20[.]195 - TunnesshClient C2 server for local SSH forwarding
  • Domains:
    • best-tinted[.]com - Intermediate domain generating malicious ZIP files
  • URLs:
    • hxxps://voicemod-pro-download-tool[.]github[[.]]io/[.]github/ - Fake GitHub download page
    • hxxps://kiamatka[[.]]com/kaiok[.]kakman - Intermediate redirect URL
    • hxxps://best-tinted[[.]]com/github-download[.]html - ZIP file generation page
    • hxxps://botshield[[.]]vu/kFcjld - Payload download URL used by VBS script
    • hxxps://botshield[[.]]vu/KKRkm9 - Payload download URL used by VBS script
    • hxxp://45[.]93[.]20[[.]]61:5466/api/x32_chromium - Chromium helper download URL
    • hxxp://193[.]143[.]1[[.]]104:5000 - TunnesshClient SSH credentials retrieval URL
    • hxxp://45[.]93[.]20[[.]]195:5000 - TunnesshClient local SSH forwarding URL
  • File Hashes:
    • d295720bc0c1111ce1c3d8b1bc1b36ba840f103b3ca7e95a5a8bf03e2cc44fe5 (SHA256) - Payload loaded by libcurl.dll
    • 1bd605ef84b6767df74bd6290f1468eed5a88264df23fcf70b6a75d5bdcf7d76 (SHA256) - VBS downloader script
    • 15de71073f44c657c23f5f97caa11f1b12e654d4d17684bfc628cc1e5b6bcdd5 (SHA256) - C/C++ launcher variant
    • 4e90d386c1c7d3d1fd4176975795a2f432d95685690778e09313b4a1dbab9997 (SHA256) - BoryptGrab variant
    • 4264a88035aa0b63e9aef96daa78a58114d60a344ea10168a8ef5ef36bf8edbd (SHA256) - .NET executable downloader
    • 433a13cc70396f80dc29d1150c050339d78964fdc91bcdc3f40c67a77add1476 (SHA256) - Base64-encoded VBS downloader
    • 7f2315b89fb9a47e1516def136844d617bfcdce19000a1b0436706692dbe166c (SHA256) - Launcher variant
    • 449f528f5ceae8c3f8336d0d8e3e3ec9031d1ad67c31ee7311b67e01d5fdf225 (SHA256) - Launcher variant
    • c40b9913e79c5dd09751b1afb03aaa98658bab61bacf27a299abd84fd44fe707 (SHA256) - Launcher variant
    • 2abe0ef88ba92db79d82cde4c0ed1f382bb347517a54ea82084c841d0f955518 (SHA256) - HeaconLoad Golang downloader
    • 2050468744e44554fac17fb83f1515c95f2f2236716e2b5267a81c2b94205e6a (SHA256) - Vidar stealer variant
    • fe4e5fb28d2c2b3a640112b6b125ce8c4afa8be28342e3bfda097ad9dd2ef9ee (SHA256) - BoryptGrab variant
    • ed1745cc49b929e499966d87e163219fe0f24069fe88dfacbd69c0ebab85a640 (SHA256) - Chromium helper executable
    • 576692df4bf1c7d8927d3a183f5219a81c3bff3dd22971691f8af6889f80c5a0 (SHA256) - TunnesshClient PyInstaller executable
    • 0434437a073a3f3a49e84d5ecb20c99dd551bacc32bf100fbb8cf67a50642181 (SHA256) - TunnesshClient variant
  • Registry Keys:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run - Used by HeaconLoad for persistence
  • File Paths:
    • %TEMP%\client_task_system.xml - XML file used to schedule TunnesshClient execution
    • %TEMP%\client_task_user.xml - XML file used to schedule TunnesshClient execution
    • %TEMP%\x32_chromium.exe - Chromium helper downloaded by BoryptGrab
    • UserInformation.txt - File created by BoryptGrab containing harvested user info
    • installed_applications.txt - File created by BoryptGrab containing installed app info
  • Command Lines:
    • Purpose: Creates a scheduled task masquerading as a Microsoft Edge update for persistence | Tools: schtasks.exe | Stage: Persistence | schtasks /Create /TN "MicrosoftEdgeUpdateTaskMachineCore" /XML
    • Purpose: Adds an exclusion to Microsoft Defender to prevent scanning of the C: drive | Tools: powershell.exe | Stage: Defense Evasion | powershell.exe -command "Add-MpPreference -ExclusionPath \"C:\\\"
    • Purpose: Executes a downloaded VBS script from the temp directory | Tools: wscript.exe | Stage: Execution | wscript.exe "<temp_path>.vbs"