Trend Micro has disclosed a malware campaign it calls BoryptGrab, saying the stealer has been distributed through more than 100 public GitHub repositories that posed as free software tools and used SEO-heavy README files to rank in search results.

In one example, Trend Micro said a fake Voicemod Pro repository appeared just below the legitimate result in Google Search and led users through a deceptive download flow to a ZIP file that delivered the malware.

Trend Micro said victims were lured through search results, fake repositories and counterfeit download pages rather than email-based phishing.

How the campaign reached victims

Trend Micro added that the campaign used ZIP files themed around cracked software, gaming cheats and utility tools, with the earliest ZIP sample it identified dating to late 2025 and the earliest repository account commit dating to April 2025.

The researchers said some code comments, log messages and infrastructure pointed to a possible Russian origin, but they stopped short of firm attribution.

What BoryptGrab collected and how

On infected Windows systems, Trend Micro said, BoryptGrab collected browser data, wallet-related information and other credentials, harvesting data from nine browsers: Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, Vivaldi, Brave, Chromium, CentBrowser and Yandex Browser.

The Trend Micro analysis said the malware borrowed code from public GitHub projects built to bypass Chrome App-Bound Encryption, a security feature Google introduced in 2024 to make cookie theft harder on Windows.

Google said that protection was designed to raise the cost of same-user credential theft, while public security research has since documented ways to work around it through code injection and related techniques.

Persistence and remote access beyond credential theft

Trend Micro said some variants also delivered TunnesshClient, a PyInstaller executable that set up a reverse SSH tunnel, retrieved SSH credentials from attacker infrastructure and could proxy traffic or execute commands.

Other attack chains used a downloader the company calls HeaconLoad, which achieved persistence through a Run-key registry entry and a scheduled task before pulling additional payloads. Trend Micro said those components gave some infection chains persistence and remote access capability in addition to credential theft.
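The persistence pair described above (a Run-key entry plus a scheduled task) is something defenders can audit directly. The following PowerShell is an added example, not code from Trend Micro or from the campaign; it assumes that a dropper's command typically points into a user-writable location, and the path pattern it flags is an assumption, not an indicator from the report.

```powershell
# Added example (not Trend Micro's code): list Run-key entries and scheduled
# task actions whose command points into a user-writable directory, the
# footprint a downloader that uses a Run key and a scheduled task would leave.

$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed set of locations a per-user dropper usually writes to; tune for your estate.
$suspiciousPathPattern = '(?i)\\(AppData|Temp|ProgramData|Downloads|Users\\Public)\\'

$findings = @()

# Autorun entries under the classic Run / RunOnce keys.
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip the provider's metadata properties
    if ("$($p.Value)" -match $suspiciousPathPattern) {
      $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
    }
  }
}

# Scheduled tasks: inspect each action's executable and arguments.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
  foreach ($action in $task.Actions) {
    $cmd = "$($action.Execute) $($action.Arguments)".Trim()
    if ($cmd -match $suspiciousPathPattern) {
      $findings += [pscustomobject]@{
        Source  = "Task $($task.TaskPath)$($task.TaskName)"
        Name    = $task.Author
        Command = $cmd
      }
    }
  }
}

# Review every hit manually; legitimate updaters also live under AppData.
$findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated session so the HKLM keys and all task folders are readable; an empty table means nothing matched the assumed pattern, not that the host is clean.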

GitHub as a delivery chain: policy, precedent and reporting

Microsoft described a separate campaign in March 2025 that also used GitHub in its delivery chain, which gives recent context for the Trend Micro findings. In a March 6, 2025 blog post, Microsoft Threat Intelligence said that malvertising campaign affected nearly 1 million devices globally and redirected users to GitHub and two other platforms during the delivery chain.

GitHub’s policy bars use of the platform to deliver malicious executables or support unlawful attacks. Separately, GitHub says it allows dual-use security research content and may temporarily restrict specific instances of that content in rare cases of widespread abuse.

CIS Controls recommend measures including software inventory, removal of unauthorized software and application allowlisting to limit what can run on enterprise systems. GitHub, for its part, says repositories and organizations can be reported directly through in-product abuse workflows.
