A threat actor used hundreds of fake GitHub repositories impersonating legitimate software and security projects to spread an infostealer associated with BoryptGrab. The campaign targeted browser data, cryptocurrency wallets, messaging tokens, and other sensitive information while abusing trusted brands such as Arctic Wolf to lure victims. #GitHub #ArcticWolf #BoryptGrab
Keypoints
- 292 fake GitHub repositories were found impersonating legitimate products and security services.
- The campaign used deceptive README files and spoofed landing pages to push malicious downloads.
- The payload delivered a trojanized libcurl.dll and a signed WinGUP updater to sideload the infostealer.
- The BoryptGrab variant stole data from browsers, cryptocurrency wallets, messaging apps, and Windows Credential Manager.
- The malware sent compressed stolen data to a Russia-based C2 server and left forensic traces behind.