• 2 min read
292 fake GitHub repos spread infostealer malware
Arctic Wolf found 292 GitHub repos impersonating trusted software to deliver a BoryptGrab-like stealer via fake download pages.

Image: BleepingComputer
Hundreds of fake GitHub repositories have been used to impersonate legitimate software and security tools in a malware campaign that pushes an infostealer to victims searching for downloads.
According to Arctic Wolf, the operation targeted users looking for security products, cryptocurrency services, financial tools, developer utilities, secure email providers, macOS utilities, and gaming software. The malware is built to harvest data from more than 19 web browsers, steal information from 32 cryptocurrency wallets, and pull sensitive data from messaging and social platforms.
Arctic Wolf says it discovered the activity after one of its own products was impersonated starting June 26. In total, researchers identified 292 fake repositories, each with a README linking to a malicious download page.

Recommended reading
ModHeader pulled after spyware hit 1.6M installs
The fake landing pages were designed to look trustworthy, using branding cues such as spoofed trust badges and a “Download Secure Content” button. Arctic Wolf said the infrastructure relies on a single templated HTML/JS artifact reused across all impersonated brands. The script parses the URL into a rotating user_code and a referrer domain, then dynamically renders visible branding by converting hyphens to spaces and applying title case.
The page serves a large ZIP archive whose filename and payload change roughly every minute. Inside are a trojanized libcurl.dll and a legitimate signed WinGUP updater renamed to match the spoofed product.
“When the user runs the executable, gup.exe side-loads libcurl.dll, which decodes and reflectively executes an embedded infostealer entirely in memory.”
The stealer appears to be a variant of the BoryptGrab family. Arctic Wolf says it can collect:
- passwords, cookies, payment data, and other information from 19 web browsers
- data from 32 cryptocurrency wallet brands
- Telegram sessions, Discord tokens, and Steam session tokens
- credentials for Meta’s Max messaging application
- Windows Credential Manager contents
- files from Desktop and Documents that appear related to passwords, wallets, recovery phrases, or backups
- screenshots, system details, and installed-software lists
Researchers also said this variant shows a previously undocumented ability to bypass Chrome App-Bound Encryption by injecting code directly into the browser process. Stolen data is compressed and sent to a Russia-based command-and-control server.
Arctic Wolf said the malware does not establish persistence and instead tries to steal as much data as possible in a single run. It also lacks an anti-analysis layer and leaves staged stolen data in a temporary directory, creating forensic evidence.
At the time of the report, GitHub had removed many of the malicious repositories, but several dozen GitHub Pages redirectors were still active. Arctic Wolf could not attribute the campaign to a specific actor, though it assessed the operator is likely Russian-speaking and financially motivated. The company also published a Yara rule and related indicators of compromise for defenders.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via BleepingComputer


