Over 100 GitHub Repositories Distributing BoryptGrab Stealer
Briefly

"BoryptGrab is a C/C++ information stealer that includes VM and anti-analysis checks and attempts to execute with elevated privileges. It can harvest information from close to a dozen browsers, uses Chrome App Bound Encryption techniques from two GitHub repositories, and downloads a Chromium helper to collect information from the targeted browsers."
"Trend Micro's investigation into BoryptGrab revealed the existence of multiple ZIP archives masquerading as free software tools that have been distributed since late 2025 through the GitHub repositories. All identified binaries contained similar Russian-language comments and URL-fetching logic, although the malware's execution logic was not the same for all ZIP archives."
"It can also collect data from desktop cryptocurrency wallet applications and browser extensions, harvest system information, take screenshots, and collect files with specific extensions. Additionally, Trend Micro discovered that the stealer can obtain Telegram files, browser passwords, and, in newer iterations, Discord tokens."
BoryptGrab is a C/C++ information stealer malware distributed since late 2025 through multiple GitHub repositories disguised as free software tools. The malware employs various execution methods including DLL sideloading, VBS scripts, .NET executables, and a Golang downloader called HeaconLoad. It includes VM and anti-analysis checks and attempts privilege escalation. BoryptGrab harvests data from nearly a dozen browsers using Chrome App Bound Encryption techniques, collects cryptocurrency wallet information from desktop applications and extensions, captures system data and screenshots, and extracts Telegram files, browser passwords, and Discord tokens. Certain variants deploy TunnesshClient, a backdoor using SSH tunnels for command-and-control communication. All harvested information is archived and transmitted to attacker-controlled servers.
Read at SecurityWeek