The “GitHub-io” Trap: How BoryptGrab Uses SEO Lures and SSH Tunnels to Hijack Your PC
A nascent strain of malicious software is proliferating beneath the guise of game enhancements and illicitly cracked iterations of ubiquitous applications, disseminated across hundreds of counterfeit repositories on GitHub. At a superficial glance, the stratagem appears pedestrian: the victim is presented with a ZIP archive bearing a tantalizing moniker, such as an FPS accelerator, a skin manipulator for Counter-Strike 2, or a “professional” edition of Voicemod. In practice, however, the execution chain is profoundly labyrinthine. Lurking behind the facade of the bogus download portal is a multi-tiered delivery architecture involving loaders forged in C/C++, VBScript, and .NET, a mutated strain of the Vidar malware, a discrete Golang component, and a Python-based backdoor designed to architect a reverse SSH tunnel, thereby transmuting the compromised system into a remotely controlled node.
Investigators have christened this nascent information stealer “BoryptGrab.” Its foundational repertoire is emblematic of the infostealer taxonomy, yet executed with formidable breadth: it plunders telemetry from web browsers, desktop cryptocurrency wallets, browser extensions, Telegram, and Discord; it captures screenshots, harvests overarching systemic intelligence, and systematically exfiltrates files from highly trafficked directories based upon predetermined extensions. Specific permutations are further empowered to ingest the TunnesshClient backdoor. This component transcends mere data theft: it erects a reverse SSH tunnel, establishes traffic forwarding protocols, and stands ready to execute the directives of its operator.
The embryonic traces of this campaign stretch back to 2025. The most archaic ZIP archive unearthed is timestamped late 2025, whilst the inaugural commit within the oldest identified GitHub account materialized in April 2025. The nomenclature of these archives adheres to a strict internal logic: they invariably incorporate the titles of ubiquitous software, gaming vernacular, version iterations, and keywords such as “download,” “tool,” “premium,” or “github-io.” Prominent examples encompass counterfeit archives masquerading as Voicemod Pro, Wondershare, and enhancements for Valorant, Call of Duty, Rainbow Six Siege, and Arena Breakout, alongside more obscure lures such as a “git deployer app.” A distinct stratum is comprised of ZIP files that explicitly feature the “github-io” string within their nomenclature, a glaring indicator pointing toward the subsequent phase of the kill chain.
The dissemination sequence is inaugurated via counterfeit GitHub repositories. The architects of this campaign demonstrated a profound preoccupation with search engine optimization (SEO): the README files of myriad repositories are densely populated with SEO keywords, strategically engineered to elevate these fraudulent pages within search engine hierarchies. In one stark example, a repository masquerading as a Voicemod Pro download portal surfaced almost immediately beneath the legitimate organic result within Google’s index. This alone is sufficient to guarantee infection: a user seeking a gratuitous utility encounters a familiar moniker and is unwittingly diverted from the official domain to a malignant GitHub page.
Subsequently, the operation masterfully masquerades as GitHub’s intrinsic infrastructure. The venomous README harbors a hyperlink structurally resembling github.io/.github/, with its underlying code sequestered within a discrete repository camouflaged as the standard .github directory. Within the interstitial HTML page, investigators unearthed annotations articulated in the Russian language. The underlying logic is rudimentary yet profoundly advantageous for the malefactors: the page extracts a rigidly hardcoded hyperlink from the source code, retrieves a Base64-encoded URL, decodes the destination address, and orchestrates a redirection to the subsequent node. The ultimate interstitial site meticulously renders a counterfeit GitHub download interface and dynamically mints a ZIP archive laden with malicious payloads.
This campaign is not bound to a singular, linear trajectory. The architects wield a multitude of delivery vectors, fluidly substituting components. In specific repositories, investigators discovered deleted scripts.js artifacts, which historically fetched the intermediary URL and executed the redirection. In alternative iterations, the JavaScript does not merely retrieve an address; rather, it ingests an encrypted hyperlink, decrypts it utilizing the Advanced Encryption Standard (AES), and only then propels the user forward. More contemporary variants have integrated Python scripts designed to flawlessly mimic a pedestrian download sequence. A contingent of these pages covertly transmits tracking telemetry back to the operators. To articulate it differently, GitHub is not being leveraged merely as a transient storefront, but rather as an entire, intricate ecosystem of lures, redirections, and counterfeit loaders.
A primary vector of infection is anchored upon DLL side-loading. The ZIP archive harbors a superficially benign executable that, on launch, loads a malicious libcurl.dll placed beside it. The elegance of this stratagem lies in that separation: the executable itself looks harmless, whilst the malignant logic is entirely displaced into the DLL loaded concurrently with the application. The subverted library extracts the payload from its own resource section, decrypts a launcher module using a combination of XOR and AES in Cipher Block Chaining (CBC) mode, and then invokes the exported EntryWrapper function from the newly deciphered module.
This launcher keeps its download URL XOR-obfuscated and pulls the BoryptGrab payload directly from the command-and-control server. In several permutations, the loader passes the -b parameter to the stealer, dictating the build nomenclature. Identified values encompass designations such as Shrek, Sonic, Leon, CryptoByte, Yaropolk, Yarostnick, and myriad others. These build monikers function as internal operational tags, likely utilized to differentiate campaign variants, traffic provenances, or specific target cohorts. Via an alternative endpoint, the selfsame launcher is capable of retrieving auxiliary EXE artifacts. Investigators ascertained that a subset of these files constitutes highly obfuscated variants of the Vidar stealer. Yet another trajectory leads to the PyInstaller-compiled TunnesshClient component, whilst a distinct route culminates in a Golang loader christened HeaconLoad.
Within this architecture, the TunnesshClient secures its persistence via the orchestration of Scheduled Tasks. The launcher mints XML artifacts within the %TEMP% directory, utilizing them as blueprints to register tasks that subsequently invoke the downloaded PyInstaller backdoor. This sophisticated mechanism guarantees endurance following a system reboot, alleviating the malefactors from the tedious necessity of manually re-establishing dominion over the compromised host.
A secondary, highly conspicuous route is architected around a VBScript loader. Within certain ZIP variants, the DLL side-loading mechanism is supplanted by a VBScript replete with nonsensical variables designed to utterly confound forensic analysis. The critical strings are meticulously concealed as arrays of integers, whilst a tersely named function dutifully transmutes these arrays back into legible text. The script harbors logic designed to orchestrate privilege escalation, ultimately unfurling a Base64-encoded PowerShell payload. Once decoded, the PowerShell script retrieves a binary artifact from an external node and executes it. In specific specimens, the VBScript further adds a Microsoft Defender exclusion covering the entire C:\ drive, so nothing written anywhere on it is scanned. For an information stealer, this maneuver is profoundly illustrative: the operator’s imperative is not merely the theft of data, but ensuring the absolute unimpeded extraction of artifacts, entirely devoid of interception by defensive software.
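The github.io interstitial page (a Base64-encoded next-hop URL) and the VBScript loader (integer-array strings plus a Base64 PowerShell stage) can be triaged with the same decoding pass. The Python script below is an added example, not code from the article or the campaign; the page snippet, the VBScript and the strings they decode to are constructed samples modelled on the description above.

```python
import base64
import re
import string

# Constructed samples modelled on two stages the article describes: the github.io
# page carrying a Base64-encoded next-hop URL, and a VBScript loader that hides
# strings as integer arrays and carries a Base64 PowerShell stage. Illustrative only.
NEXT_HOP_B64 = base64.b64encode(b"https://example.invalid/dl/tool.zip").decode()
PS_STAGE_B64 = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\"'.encode("utf-16-le")).decode()
SAMPLE_HTML = f'<script>var u=atob("{NEXT_HOP_B64}");location.href=u;</script>'
SAMPLE_VBS = f"""
qzx = Array(112,111,119,101,114,115,104,101,108,108,46,101,120,101)
wvu = Array(45,101,110,99)
Function f(a)
  For i = 0 To UBound(a): f = f & Chr(a(i)): Next
End Function
cmd = f(qzx) & " " & f(wvu) & " " & "{PS_STAGE_B64}"
"""

ARRAY_RE = re.compile(r"(\w+)\s*=\s*Array\(\s*([\d\s,]+)\)")
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PRINTABLE = set(string.printable)

def decode_int_arrays(text):
    """Rebuild strings the loader stores as Array(n1, n2, ...) of character codes."""
    out = {}
    for name, nums in ARRAY_RE.findall(text):
        codes = [int(n) for n in nums.replace(" ", "").split(",") if n]
        out[name] = "".join(chr(c) for c in codes)
    return out

def decode_blob(blob):
    """Base64-decode a candidate; return text if it is printable UTF-16LE or UTF-8."""
    if len(blob) % 4:
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # PowerShell -EncodedCommand payloads are UTF-16LE: for ASCII text every odd byte is NUL
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le", errors="replace")
    else:
        text = raw.decode("utf-8", errors="replace")
    return text if text and all(ch in PRINTABLE for ch in text) else None

def triage(text):
    """Summarise what a page or script hides: rebuilt strings, decoded URLs and commands."""
    findings = {"strings": decode_int_arrays(text), "urls": [], "commands": [],
                "defender_exclusion": False}
    for blob in B64_RE.findall(text):
        decoded = decode_blob(blob)
        if decoded is None:
            continue
        if URL_RE.fullmatch(decoded.strip()):
            findings["urls"].append(decoded.strip())
        else:
            findings["commands"].append(decoded)
        # the VBScript variant in the article excludes the whole C:\ drive from Defender
        if "Add-MpPreference" in decoded and "-ExclusionPath" in decoded:
            findings["defender_exclusion"] = True
    return findings
```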
The artifact downloaded via the VBScript invariably manifests as yet another C/C++ launcher component. It communes with the malefactors’ API via a pathway structurally resembling /api/{BUILD_NAME}, ultimately retrieving BoryptGrab. In certain execution chains, the stealer itself is tasked with downloading the TunnesshClient, usurping the role of the launcher. Such component interchangeability exponentially complicates detection methodologies: in one build, the backdoor may materialize during the nascent stages, whilst in another, it appears only following the triumphant culmination of data exfiltration.
Auxiliary branches abound. One variant leverages a .NET executable harboring a concealed, Base64-encoded VBScript loader, which subsequently retrieves a binary from an alternative coordinate. Other launcher iterations interact with endpoints such as /api/app, /api/app.zip, /api/payload, and /api/client2. Specific ZIP archives deliver HeaconLoad directly, entirely bypassing any intermediary stages. Consequently, the campaign does not resemble a rigid, linear sequence of operations, but rather a modular construct forged from highly interchangeable components.
HeaconLoad, engineered in Go, governs the subsequent phases of delivery. It anchors its persistence via the Run key within the Windows Registry and concurrently through a Scheduled Task. Following this entrenchment, it commences the transmission of HTTP POST requests to the operator’s server at the /healthcheck endpoint. Each beacon transmission ferries vital systemic telemetry and a rigidly hardcoded build tag. Discovered tags include leon, shrek, sonic, yaropolk, yarostnick, yasno, kylka, and voblya. The server responds with the bundle_available and bundle_hash fields. The former flag dictates whether the archive is primed for download, whilst the latter provides the cryptographic checksum. Should the bundle be available, HeaconLoad retrieves the ZIP payload, extracts its contents, and executes the first executable file encountered. Within the logs of this specific component, investigators once again observed messages articulated in Russian.
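The persistence described above for TunnesshClient (task definitions written to %TEMP% and registered as Scheduled Tasks) and for HeaconLoad (a Run key plus a Scheduled Task) shares one pattern a defender can check for: an executable living in a user-writable directory that is launched at logon or boot. The script below is an added example, not the article's own tooling; the task XML and the Run-key value data are constructed, not artefacts from the campaign.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition in the shape a launcher drops into %TEMP% and registers;
# the task body, path and binary name are illustrative, not the campaign's artefacts.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%TEMP%\tunnel_client.exe</Command><Arguments>--quiet</Arguments></Exec>
  </Actions>
</Task>"""
# Constructed HKCU\...\CurrentVersion\Run value data: one modelled on the article, one benign.
SAMPLE_RUN_VALUE = r'"C:\Users\victim\AppData\Local\Temp\updater.exe"'
BENIGN_RUN_VALUE = r'"C:\Program Files\Vendor\Updater.exe" /background'

USER_WRITABLE = re.compile(
    r"%TEMP%|%TMP%|%APPDATA%|%LOCALAPPDATA%|\\AppData\\(Local|Roaming)\\|"
    r"\\Users\\Public\\|\\ProgramData\\", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|powershell|mshta)(\.exe)?\b", re.IGNORECASE)
AUTOSTART = {"LogonTrigger", "BootTrigger"}

def path_reasons(command_line):
    """Heuristics shared by the Scheduled Task and Run-key checks."""
    reasons = []
    if USER_WRITABLE.search(command_line):
        reasons.append("executable under a user-writable directory")
    if SCRIPT_HOST.search(command_line):
        reasons.append("script host used as launcher")
    return reasons

def trigger_names(root):
    """Names of the trigger elements (LogonTrigger, BootTrigger, ...) without namespace."""
    trig = root.find("t:Triggers", NS)
    return set() if trig is None else {c.tag.split("}")[1] for c in trig}

def assess_task(xml_text):
    """Return one finding per <Exec> action of a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    autostart = trigger_names(root) & AUTOSTART
    findings = []
    for exec_ in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_.findtext("t:Arguments", default="", namespaces=NS).strip()
        reasons = path_reasons(cmd + " " + args)
        if reasons and autostart:
            reasons.append("runs at " + "/".join(sorted(autostart)))
        findings.append({"command": cmd, "arguments": args,
                         "reasons": reasons, "suspicious": bool(reasons)})
    return findings

def assess_run_value(value_data):
    """Apply the same heuristics to the data of a Run-key value."""
    reasons = path_reasons(value_data)
    return {"command": value_data, "reasons": reasons, "suspicious": bool(reasons)}
```

On a live host the same functions can be fed the XML from C:\Windows\System32\Tasks and the values read from the HKCU and HKLM Run keys; a hit is a triage lead, not a verdict, since legitimate updaters also start from AppData.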
A distinct delivery branch culminates in bespoke iterations of Vidar. The binaries, retrieved via /api/custom_exe?build={BUILD_NAME}, meticulously preserve the hallmark network signatures intrinsic to this family. They transmit files, such as information.txt, to the server via HTTP POST, whilst deploying multiple strata of obfuscation: strings are veiled via XOR, and the code is littered with opaque predicates and superfluous blocks, architected not for operational logic but explicitly to impede reverse engineering. Furthermore, this variant resolves APIs dynamically and is capable of process injection, including Asynchronous Procedure Call (APC) injection: it either plants its code inside another process or queues its execution onto a thread’s APC queue.
BoryptGrab itself is forged in C/C++. It boasts the --output-path (or -o) parameter, which explicitly dictates the directory wherein the harvested intelligence is to be sequestered. A contingent of these builds also supports the --build-name (or -b) parameter. This designated value is ultimately inscribed within the BUILD NAME field residing in the UserInformation.txt artifact. Should the argument be omitted, a subset of the specimens defaults to the standard moniker “No_name.” In alternative variants, the build nomenclature is immutably hardcoded directly into the binary, while certain specimens entirely abstain from inscribing the BUILD NAME within the final report. The chronicled tags span a spectrum from neutral designations like Data, Leon, Yasno, and CryptoByte to profoundly crass internal monikers—a reality that further underscores a somewhat rudimentary, yet undeniably fervent, development cycle.
Prior to commencing its primary operations, BoryptGrab rigorously ascertains whether it is ensnared within a virtualized environment. To achieve this, the specimens aggressively interrogate Registry keys and meticulously hunt for files inextricably linked to virtualized architectures. Furthermore, the stealer cross-references the roster of active processes against a precompiled ledger of known nomenclature, explicitly hunting for the presence of analytical instruments. Following this audit, it endeavors to secure escalated privileges. This formidable synthesis of anti-VM and anti-analysis stratagems is vital to mitigate the probability of detonation within a sandbox environment and to severely obfuscate behavioral analysis.
Should the operator neglect to manually dictate a target directory, the stealer autonomously mints a bespoke folder to harbor the harvested artifacts. The nomenclature of this directory is a synthesis of the current timestamp, the host’s public IP address, and the corresponding country code. Thereafter, the software initiates its relentless, systematic harvest.
The interaction with web browsers warrants particular scrutiny. BoryptGrab aggressively extracts telemetry from Brave, CentBrowser, Chromium, Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, Vivaldi, and Yandex Browser. To subjugate Chromium-based browsers, it deploys sophisticated techniques to circumvent Chrome’s App-Bound Encryption—a security paradigm explicitly engineered to irrevocably tether sensitive secrets, such as cookies and archived passwords, to a specific application and systemic context. The malefactors have seamlessly integrated methodologies derived from public GitHub repositories explicitly dedicated to the circumvention and decryption of App-Bound Encryption. Concealed within BoryptGrab is an encrypted resource designated PAYLOAD_DLL. Following its decryption, it reveals logic remarkably homologous to open-source Proof-of-Concept (PoC) projects, significantly augmented with bespoke functions tailored for the extraction of data from Firefox and Yandex Browser.
To facilitate the manipulation of this browser telemetry, the stealer concurrently downloads a helper component, x32_chromium.exe, into the %TEMP% directory. This auxiliary utility is strictly requisite for executing highly specific operations pertaining to the extraction or decryption of browser artifacts.
Beyond the realm of web browsers, BoryptGrab aggressively targets cryptocurrency wallets. The target matrix is expansive: Armory Wallet, Atomic, AtomicDEX, Binance, Bitcoin Core, BitPay, Blockstream Green, Chia Wallet, Coinomi, Copay, Daedalus Mainnet, Dash Core, Dogecoin, Electron Cash, Electrum, ElectrumLTC, Ethereum, Exodus, GreenAddress, Guarda, Jaxx Desktop, Komodo Wallet, Ledger Live, Ledger Wallet, Litecoin Core, MEW Desktop, MyEtherWallet, NOW Wallet, Raven Core, StakeCube, Trezor Suite, Wasabi Wallet, and a multitude of others. The stealer relentlessly hunts for their respective directories, endeavors to pillage their contents, and meticulously journals its operations—logs that unequivocally demonstrate that the plunder of cryptographic assets was a paramount objective for the architects.
An auxiliary function, the “File Grabber,” empowers the systematic harvesting of files bearing specific extensions from highly trafficked directories. The underlying code notably contains a glaring orthographic error, “Filegraber”, which indirectly hints at a somewhat slapdash internal development ethos. Nevertheless, the function itself is profoundly utilitarian: the operator harvests not merely passwords, tokens, and wallets, but invaluable documents, spreadsheets, configuration files, backups, and auxiliary data that could prove indispensable for securing subsequent access or facilitating extortion.
The plunder does not conclude there. BoryptGrab possesses the capacity to exfiltrate Telegram artifacts, purloin browser passwords, and, in its more nascent iterations, harvest Discord tokens. Upon the culmination of its operations, the entirety of the stolen trove is compressed into an archive and stealthily transmitted to the malefactors’ server.
The most profoundly perilous module within this entire constellation is the TunnesshClient, authored in Python and neatly packaged via PyInstaller. Its paramount mandate is not theft, but the architectural forging of a remote command-and-control conduit. The component initially communes with the operator’s server via the /api/get_challenge and /api/get_credentials endpoints. The server issues a cryptographic challenge; the client computes the requisite SHA256 hash, receives an encrypted riposte, and subsequently decrypts a JSON payload harboring the vital SSH credentials. The software then transmits systemic telemetry to /api/get_port, acquires the designated port number for forwarding, and establishes the SSH tunnel.
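The endpoint names the article reports for the loaders (/api/app, /api/app.zip, /api/payload, /api/client2, /api/custom_exe?build=), for HeaconLoad (POST /healthcheck) and for the TunnesshClient handshake (get_challenge, then get_credentials, then get_port) are enough to build a proxy-log detection. The script below is an added example, not the article's own tooling; the log format and every line in it are constructed, and the per-endpoint weights and the five-minute handshake window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths the article attributes to the loaders, HeaconLoad (POST /healthcheck) and
# TunnesshClient (the three-step credential handshake). A path alone is a weak signal,
# /healthcheck especially, so each carries an assumed weight and the ordered handshake
# is what actually raises an alert.
ENDPOINTS = {
    "/api/get_challenge": 2, "/api/get_credentials": 2, "/api/get_port": 2,
    "/healthcheck": 1, "/api/app": 2, "/api/app.zip": 2, "/api/payload": 2, "/api/client2": 2,
}
CUSTOM_EXE = re.compile(r"^/api/custom_exe\?build=([A-Za-z0-9_]+)$")
HANDSHAKE = ["/api/get_challenge", "/api/get_credentials", "/api/get_port"]

# Constructed proxy log: "timestamp src method host path status". Every line is made up;
# 203.0.113.10 is a documentation address standing in for the operator server.
SAMPLE_LOG = """\
2025-11-03T10:15:01Z 10.0.0.5 POST 203.0.113.10 /healthcheck 200
2025-11-03T10:15:02Z 10.0.0.9 GET kube.internal /healthcheck 200
2025-11-03T10:15:30Z 10.0.0.5 GET 203.0.113.10 /api/custom_exe?build=Yaropolk 200
2025-11-03T10:16:00Z 10.0.0.5 POST 203.0.113.10 /api/get_challenge 200
2025-11-03T10:16:01Z 10.0.0.5 POST 203.0.113.10 /api/get_credentials 200
2025-11-03T10:16:03Z 10.0.0.5 POST 203.0.113.10 /api/get_port 200
2025-11-03T11:40:00Z 10.0.0.7 GET cdn.example /api/app 404
"""

def parse_line(line):
    ts, src, method, host, path, status = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src": src,
            "method": method, "host": host, "path": path, "status": int(status)}

def handshake_in_order(hits, window):
    """True if get_challenge, get_credentials and get_port occur in order within the window."""
    idx, start = 0, None
    for ts, path in sorted(hits):
        if start is not None and ts - start > window:
            idx, start = 0, None  # too slow to be one handshake: start over
        if path == HANDSHAKE[idx]:
            if idx == 0:
                start = ts
            idx += 1
            if idx == len(HANDSHAKE):
                return True
    return False

def analyse(log_text, window=timedelta(minutes=5)):
    """Score each (client, server) pair, collect custom_exe build tags, flag handshakes."""
    scores, seen, builds = defaultdict(int), defaultdict(list), []
    for line in log_text.strip().splitlines():
        e = parse_line(line)
        key = (e["src"], e["host"])
        m = CUSTOM_EXE.match(e["path"])
        if m:
            builds.append((key, m.group(1)))
            scores[key] += 2
        elif e["path"] in ENDPOINTS:
            # the article reports HeaconLoad beacons as POSTs; GET /healthcheck is ordinary monitoring
            if e["path"] == "/healthcheck" and e["method"] != "POST":
                continue
            scores[key] += ENDPOINTS[e["path"]]
            seen[key].append((e["ts"], e["path"]))
    handshakes = [key for key, hits in seen.items() if handshake_in_order(hits, window)]
    return {"scores": dict(scores), "builds": builds, "handshakes": handshakes}
```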
A reverse SSH tunnel fundamentally subverts the orthodox paradigm of access. Rather than the operator initiating a direct connection to the victim’s machine, the subjugated system autonomously establishes an SSH connection outward to the malefactor’s server, tearing open a conduit through which the operator may subsequently ingress. This methodology is exquisitely advantageous for circumventing Network Address Translation (NAT) architectures, proxies, and myriad network filtration systems: an outbound connection originating from the victim’s machine frequently appears markedly less suspicious than an inbound solicitation.
Following the successful establishment of the tunnel, TunnesshClient is empowered to execute a repertoire of commands dictated by numerical operation codes. One specific code activates a SOCKS5 proxy paradigm; another detonates a shell command; whilst discrete codes facilitate the enumeration of files, the Base64-encoded transmission of a victim’s file, the inscription of an arbitrary file onto the host, bespoke file searches, and the transmission of an entire directory compressed into a ZIP archive, similarly encoded in Base64. To articulate it differently, the operator secures not merely a communication conduit, but an almost fully-fledged, miniature toolkit for profound, interactive manipulation of the compromised system.
A secondary iteration of the TunnesshClient also exists, operating under a divergent paradigm: it erects a localized SSH server directly upon the victim’s machine, subsequently transmitting the requisite login and password to the operator via an HTTP POST request. Following this, it is capable of forwarding traffic directly to the localized SSH service. This particular specimen supports a more truncated command set, effectively reducing its functionality to mere proxying and localized SSH forwarding; nevertheless, for a malefactor, this is more than sufficient to cement their foothold and facilitate further manual lateral movement.
Throughout the entirety of this execution chain, investigators repeatedly observed distinct linguistic markers pointing toward the Russian language: annotations embedded within HTML, logs preserved within binaries, error diagnostics, and discrete infrastructural tells. While this confluence of evidence does not definitively guarantee the origin of the operator, it provides a compelling foundation to cautiously hypothesize a probable Russian-speaking development milieu, or, at the very least, the active participation of Russian-speaking individuals within the campaign.
The paramount threat posed by BoryptGrab stems not from a singular, exotic technique, but from its masterful orchestration of multiple, highly efficacious stratagems. The architects weaponize GitHub as both a storefront and an SEO lure, subvert the download trajectory via github.io, dynamically mint malicious ZIP archives, seamlessly alternate between VBScript, .NET, C/C++, and Go components, integrate sophisticated browser defense circumvention, sequester critical logic within encrypted resources, and, when deemed advantageous, deploy a backdoor armed with a reverse SSH tunnel. For the unwitting user, this catastrophe is inaugurated by a mundane desire to download a “free tool.” For the assailant, that solitary click culminates in the wholesale theft of passwords, cryptocurrency portfolios, and sensitive documents, culminating in the establishment of a permanent, clandestine remote dominion over the system.