
BoryptGrab Stealer

BoryptGrab is an information-stealing malware family that harvests sensitive data from the systems it compromises. It spreads primarily through fraudulent GitHub repositories and deceptive download pages that advertise free software tools. These pages are built to look legitimate so that users download and run the infected files without suspicion.

In some attack chains, BoryptGrab also drops an additional component, TunnesshClient, a backdoor that gives the attackers remote access to the infected device for further exploitation. Once BoryptGrab or a related component is found on a system, it should be removed immediately to prevent further data theft or compromise.

Evasion Techniques and Privilege Escalation

Before launching its main payload, BoryptGrab runs several checks intended to evade security researchers and automated analysis environments. It inspects system files and configuration settings for signs that it is running inside a virtual machine. Analysts routinely detonate samples in such environments, so detecting one lets the malware change its behavior or stop executing altogether.

Alongside virtual machine detection, the malware scans the running processes for known analysis and debugging tools and, if any are found, may suppress its malicious activity to avoid exposure. It also attempts to obtain administrative privileges, which would give it access to protected system areas and a wider range of data. Note that much of the data described below lives in the user's own profile directories and requires no elevation, so a failed elevation attempt does not by itself stop the theft.

Browser Data Harvesting Capabilities

A primary objective of BoryptGrab is the collection of sensitive information stored in web browsers. The malware targets numerous widely used browsers, including Brave Browser, CentBrowser, Chromium, Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, Vivaldi, and Yandex Browser.

The information extracted from these browsers typically includes saved login credentials, autofill data, browsing history, and other stored personal data. To assist in this, BoryptGrab downloads a specialized Chromium-based tool for extracting browser data, which substantially increases the volume of information that can be taken from a compromised system.

Cryptocurrency Wallets Under Attack

Cryptocurrency assets are another major target of BoryptGrab. The malware searches for locally stored data related to desktop cryptocurrency wallets and browser extensions associated with digital asset management. By extracting wallet data, attackers may gain the ability to access or transfer stored funds.

The malware specifically targets a wide range of wallet applications and related services, including:

  • Armory Wallet
  • Atomic
  • AtomicDEX
  • Binance
  • Bitcoin Core
  • BitPay
  • Blockstream Green
  • Chia Wallet
  • Coinomi
  • Copay
  • Daedalus Mainnet
  • Dash Core
  • Dogecoin
  • Electron Cash
  • Electrum
  • ElectrumLTC
  • Ethereum
  • Exodus
  • GreenAddress
  • Guarda
  • Jaxx Desktop
  • Komodo Wallet
  • Ledger Live
  • Ledger Wallet
  • Litecoin Core
  • MEW Desktop
  • MultiDoge
  • MyEtherWallet
  • NOW Wallet
  • Raven Core
  • StakeCube
  • Trezor Suite
  • Wasabi Wallet

The presence of such an extensive list highlights the malware’s strong focus on financial theft.

Expanded Data Collection and Exfiltration

Beyond browsers and cryptocurrency wallets, BoryptGrab gathers additional data from the infected system. It searches common user directories for files with specific extensions that may hold valuable information, and it also targets messaging applications and other communication platforms.

The collected data may include Telegram files, stored browser passwords and, in newer variants, Discord authentication tokens. After the collection phase, BoryptGrab captures a screenshot of the victim's desktop and compiles general system information about the machine. Everything harvested is then compressed into an archive and transmitted to a server controlled by the attackers.
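When a staging archive of the kind described in the wallet and data-collection sections above is recovered from an infected host (or from an attacker's server), the first incident-response task is to scope what was taken so the right resets can be ordered. The following is an added example, not code from the page or from the malware: it builds a constructed ZIP in memory whose member names imitate the categories the article lists (browser profiles, wallet data, Telegram, Discord tokens, a screenshot, system information) and classifies each entry. The directory layout, file names and category patterns are assumptions for illustration; a real archive would need its own mapping.

```python
"""Inventory a stealer staging archive to scope what was taken.

Added example; the archive layout below is constructed for illustration
and does not describe BoryptGrab's real output format.
"""
import io
import re
import zipfile
from collections import Counter

# Ordered (category, regex) pairs; the first match wins. Assumed layout:
# browsers/<Browser>/..., wallets/<App>/..., telegram/..., discord/...,
# files/... for grabbed documents, plus a screenshot and a sysinfo file.
RULES = [
    ("screenshot", re.compile(r"(^|/)screenshot[^/]*\.(png|jpe?g)$", re.I)),
    ("system_info", re.compile(r"(^|/)(system_?info|sysinfo|info)\.txt$", re.I)),
    ("discord_token", re.compile(r"^discord/.*token", re.I)),
    ("telegram", re.compile(r"^telegram/", re.I)),
    ("wallet", re.compile(r"^wallets?/", re.I)),
    ("browser_passwords", re.compile(r"^browsers/[^/]+/(passwords|login data)", re.I)),
    ("browser_cookies", re.compile(r"^browsers/[^/]+/cookies", re.I)),
    ("browser_autofill", re.compile(r"^browsers/[^/]+/(autofill|web data)", re.I)),
    ("browser_history", re.compile(r"^browsers/[^/]+/history", re.I)),
    ("grabbed_file", re.compile(r"^files/", re.I)),
]


def classify(member_name):
    """Map one archive member to a data category ('other' if nothing matches)."""
    for category, pattern in RULES:
        if pattern.search(member_name):
            return category
    return "other"


def inventory(zip_bytes):
    """Return (category counts, wallet apps seen, browsers seen)."""
    counts = Counter()
    wallets, browsers = set(), set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            cat = classify(info.filename)
            counts[cat] += 1
            parts = info.filename.split("/")
            if cat == "wallet" and len(parts) >= 3:
                wallets.add(parts[1])        # wallets/<App>/file
            elif cat.startswith("browser") and len(parts) >= 3:
                browsers.add(parts[1])       # browsers/<Browser>/file
    return counts, wallets, browsers


def response_actions(counts, wallets, browsers):
    """Translate what was taken into the resets an analyst should drive."""
    actions = []
    if counts["browser_passwords"]:
        actions.append("rotate every password saved in: " + ", ".join(sorted(browsers)))
    if counts["browser_cookies"]:
        actions.append("sign out all web sessions; stolen cookies bypass the password")
    if counts["wallet"]:
        actions.append("treat seeds as exposed, move funds to new wallets: " + ", ".join(sorted(wallets)))
    if counts["discord_token"]:
        actions.append("reset the Discord password and enable MFA")
    if counts["telegram"]:
        actions.append("terminate all Telegram sessions from a clean device")
    return actions


def build_sample_archive():
    """Constructed sample archive standing in for a recovered staging file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("browsers/Google Chrome/Passwords.txt", "constructed")
        zf.writestr("browsers/Google Chrome/Cookies.txt", "constructed")
        zf.writestr("browsers/Microsoft Edge/Autofill.txt", "constructed")
        zf.writestr("browsers/Mozilla Firefox/History.txt", "constructed")
        zf.writestr("wallets/Exodus/seed.seco", "constructed")
        zf.writestr("wallets/Electrum/default_wallet", "constructed")
        zf.writestr("telegram/tdata/D877F783D5D3EF8C", "constructed")
        zf.writestr("discord/tokens.txt", "constructed")
        zf.writestr("screenshot.png", b"\x89PNG constructed")
        zf.writestr("system_info.txt", "constructed")
        zf.writestr("files/Documents/passwords.docx", "constructed")
    return buf.getvalue()


if __name__ == "__main__":
    counts, wallets, browsers = inventory(build_sample_archive())
    for line in response_actions(counts, wallets, browsers):
        print(line)
```

The point of the category mapping is that each class of stolen data needs a different response: removing the malware does nothing about a password or session cookie that is already on the attacker's server, and a wallet seed cannot be rotated, only abandoned.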

TunnesshClient Backdoor: Remote Control and Traffic Tunneling

Some versions of BoryptGrab deploy an additional tool, TunnesshClient, although it is not present in every variant. TunnesshClient is a Python-based backdoor that gives the attackers remote command execution on the infected host.

Through this backdoor, the attackers can issue commands directly to the infected system. The tool can also forward network traffic over a reverse SSH connection. Because the tunnel is initiated outbound from the victim to attacker-controlled infrastructure, it needs no inbound firewall exception, and the attacker can then route their own internet activity back out through the compromised device, so that the victim's address appears as the source. This can be used to hide malicious operations, stage further attacks, or maintain long-term access inside the victim's network.
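On the endpoint, a reverse SSH tunnel of the kind described above looks like an ordinary established outbound socket owned by the tunnel process, and with reverse dynamic forwarding (the `ssh -R <port>` style) the victim-side process is the one that opens the onward connections on the attacker's behalf. The following added example (not code from the page or from TunnesshClient) parses a constructed `ss -tnp` socket-table dump and flags processes that hold an established connection to an external host on an SSH port without being a known SSH client, listing that process's other connections as the traffic likely being proxied through the host. The addresses, PIDs, process names, the internal network ranges and the set of SSH ports are assumptions for the example.

```python
"""Flag reverse-SSH-style tunnels in a socket table.

Added example. SAMPLE_SS_OUTPUT is a constructed `ss -tnp` dump (iproute2
format); every IP, PID and process name in it is made up.
"""
import ipaddress
import re

SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      10.0.0.5:49812      203.0.113.10:22     users:(("python3",pid=4242,fd=3))
ESTAB  0      0      10.0.0.5:49900      192.0.2.44:443      users:(("python3",pid=4242,fd=7))
ESTAB  0      0      10.0.0.5:49901      192.0.2.45:80       users:(("python3",pid=4242,fd=8))
ESTAB  0      0      10.0.0.5:50122      10.0.0.9:22         users:(("ssh",pid=1337,fd=3))
ESTAB  0      0      10.0.0.5:50990      198.51.100.7:443    users:(("firefox",pid=2100,fd=91))
ESTAB  0      0      10.0.0.5:51000      198.51.100.77:2222  users:(("python",pid=4243,fd=4))
"""

PROC_RE = re.compile(r'\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')
KNOWN_SSH_CLIENTS = {"ssh", "sshd", "autossh", "sftp", "scp"}
SSH_PORTS = {22, 2222}                      # assumption: SSH ports seen at this site
INTERNAL_NETS = [ipaddress.ip_network(n)    # assumption: the site's own ranges
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(host):
    """True if host is inside one of the site's own ranges (else external)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def split_hostport(s):
    """'203.0.113.10:22' -> ('203.0.113.10', 22); '[::1]:22' -> ('::1', 22)."""
    host, _, port = s.rpartition(":")
    return host.strip("[]"), (None if port == "*" else int(port))


def parse_ss(text):
    """Parse `ss -tnp` lines into dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        state, _, _, local, peer, proc = parts
        m = PROC_RE.search(proc)
        lhost, lport = split_hostport(local)
        phost, pport = split_hostport(peer)
        rows.append({"state": state, "lhost": lhost, "lport": lport,
                     "phost": phost, "pport": pport,
                     "proc": m.group("name") if m else None,
                     "pid": int(m.group("pid")) if m else None})
    return rows


def suspicious_tunnels(rows):
    """Return {pid: (process, ssh_peer, proxied_peers)}.

    A PID is reported when it holds an ESTAB connection to an external host
    on an SSH port but is not a known SSH client. proxied_peers are that
    PID's other ESTAB connections: with reverse dynamic forwarding the
    victim-side process opens them for the attacker, so unrelated peers
    alongside the SSH session indicate traffic routed through the host.
    """
    by_pid = {}
    for r in rows:
        if r["state"] == "ESTAB" and r["pid"] is not None:
            by_pid.setdefault(r["pid"], []).append(r)
    findings = {}
    for pid, conns in by_pid.items():
        ssh_conns = [c for c in conns
                     if c["pport"] in SSH_PORTS
                     and c["proc"] not in KNOWN_SSH_CLIENTS
                     and not is_internal(c["phost"])]
        if not ssh_conns:
            continue
        ssh_ids = {id(c) for c in ssh_conns}
        proxied = sorted(f"{c['phost']}:{c['pport']}" for c in conns
                         if id(c) not in ssh_ids)
        first = ssh_conns[0]
        findings[pid] = (first["proc"], f"{first['phost']}:{first['pport']}", proxied)
    return findings


if __name__ == "__main__":
    for pid, (proc, peer, proxied) in suspicious_tunnels(parse_ss(SAMPLE_SS_OUTPUT)).items():
        print(f"pid {pid} ({proc}) -> {peer}; other peers: {proxied or 'none'}")
```

The heuristic is deliberately narrow: a tunnel on a non-standard port or wrapped in another protocol will not match the port filter, and the process-name check only catches tunnels implemented outside the system's SSH binaries, which is exactly the case the article describes (a Python client). Confirm a hit by inspecting the process's command line and parent before acting on it.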

Consequences of a BoryptGrab Infection

A successful BoryptGrab compromise can lead to severe consequences for victims. The stolen information often includes credentials, personal data, and cryptocurrency wallet details, which may be immediately exploited by cybercriminals.

Common impacts of such an attack include:

  • Financial losses resulting from stolen cryptocurrency or compromised financial accounts
  • Identity theft due to leaked personal or authentication data
  • Hijacked online accounts such as email, social media, or messaging platforms
  • Secondary infections delivered through additional malware components

Given these risks, removing the malware from infected devices is essential to limit further damage, but removal alone does not undo what has already been exfiltrated. Passwords and session cookies saved in the affected browsers should be reset from a clean device, Discord and Telegram sessions terminated, and any wallet whose files or seed were on the machine treated as compromised, with funds moved to a freshly created wallet.

Infection Vector: Malicious GitHub Pages and Fake Software Downloads

The distribution strategy behind BoryptGrab relies heavily on social engineering and manipulation of trusted development platforms. Cybercriminals create public GitHub repositories that appear to host legitimate software projects. These repositories often contain documentation, files, and descriptions designed to mimic authentic tools.

To maximize visibility, attackers use search engine optimization techniques to push their malicious repositories and GitHub Pages higher in search results. Users searching for software utilities, cracked programs, or gaming tools may therefore encounter these malicious pages near the top of search results.

Once a repository is opened, users are typically redirected to a professionally designed website that imitates an authentic software download page. These pages frequently advertise gaming cheats, cracked programs, FPS boosters, or utilities claiming to modify or download applications such as Filmora or Voicemod.

The site ultimately serves a ZIP archive that purports to contain the software installer. When the archive is downloaded and the files inside it are executed, the payload runs and the BoryptGrab infection begins.
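Because the lure is an archive rather than a bare executable, a quick look at what the archive would actually run is a cheap check before anyone double-clicks the "installer". The following added example (not code from the page) triages a ZIP in memory: it lists executable and script types, decoy double extensions such as `License.pdf.exe` (Windows hides the known extension, so the file displays as a PDF), nested archives, encrypted entries, and members whose content starts with the `MZ` PE header despite a harmless-looking extension. The sample archive, its "Filmora" naming and the extension lists are constructed for the example.

```python
"""Triage a downloaded ZIP before anyone runs its 'installer'.

Added example; the lure archive is constructed in memory and the
extension lists are assumptions, not a complete blocklist.
"""
import io
import os
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".lnk", ".dll"}
DECOY_EXTS = {".pdf", ".txt", ".jpg", ".png", ".doc", ".docx", ".mp4", ".zip"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}


def _exts(name):
    """All extensions of the member's base name, in order: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = os.path.basename(name.replace("\\", "/")).lower()
    return ["." + p for p in base.split(".")[1:]]


def triage_zip(data):
    """Return [(member_name, [reasons])] for every member with at least one finding."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _exts(info.filename)
            last = exts[-1] if exts else ""
            reasons = []
            if last in EXECUTABLE_EXTS:
                reasons.append(f"executable type {last}")
            if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in EXECUTABLE_EXTS:
                reasons.append(f"decoy double extension {exts[-2]}{last}")
            if last in ARCHIVE_EXTS:
                reasons.append("nested archive")
            encrypted = bool(info.flag_bits & 0x1)   # general-purpose bit 0 = encrypted
            if encrypted:
                reasons.append("encrypted entry (contents hidden from scanners)")
            elif last not in EXECUTABLE_EXTS:
                # Content check: a PE image renamed to a data extension is still a PE.
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        reasons.append(f"PE header (MZ) behind non-executable extension {last}")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_lure_archive():
    """Constructed lure imitating a 'Filmora' installer download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Filmora Setup/README.txt", "Run Setup.exe to install")
        zf.writestr("Filmora Setup/Setup.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Filmora Setup/License.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Filmora Setup/data/resources.zip", b"PK\x05\x06" + b"\x00" * 18)
        zf.writestr("Filmora Setup/data/upd.dat", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_lure_archive()):
        print(name)
        for r in reasons:
            print("   -", r)
```

A genuine installer download is usually a single signed `.exe` or `.msi`, not a ZIP whose contents mix an executable with a renamed PE blob; when the list of findings is non-empty, the archive belongs in a sandbox, not on the user's desktop.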
