Researchers at Arctic Wolf have uncovered a large-scale malware distribution campaign that used nearly 300 fake GitHub repositories to impersonate legitimate software, ranging from security products and cryptocurrency services to financial tools, developer utilities, secure email clients, macOS utilities, and gaming applications.

The company began investigating after discovering that one of its own products had been spoofed in the campaign, which appears to have started on June 26. In total, researchers identified 292 fraudulent repositories, each containing a README file with a link to a convincing download page featuring fake trust badges and a "Download Secure Content" button designed to lend an air of legitimacy.

Single Template, Many Disguises

Despite impersonating dozens of different brands, all the malicious landing pages relied on a single templated HTML/JS file. The page’s client-side script parses the URL into two segments: a rotating token that tracks the referring repository, and a second segment representing the spoofed brand name, which is rendered by converting hyphens to spaces and applying title case.

Each visit serves a ZIP archive whose name and payload contents change roughly every minute. Inside is a trojanized libcurl.dll alongside a legitimate, signed WinGUP updater renamed to match the impersonated product. When executed, the updater side-loads the malicious DLL, which decodes and reflectively executes an infostealer entirely in memory, a variant of the BoryptGrab family.

Broad Data Theft Capabilities

The stealer targets an extensive range of data, including:

  • Passwords, cookies, and payment data from more than 19 web browsers
  • Credentials from 32 cryptocurrency wallet brands
  • Telegram sessions, Discord tokens, and Steam session tokens
  • Credentials for Meta’s Max messaging application
  • Windows Credential Manager contents
  • Desktop and Documents files with names suggesting passwords, seed phrases, or backups
  • Screenshots, system information, and installed software lists

Notably, this BoryptGrab variant includes a previously undocumented technique to bypass Chrome’s App-Bound Encryption via direct code injection into the browser process. Stolen data is compressed and sent to a command-and-control server located in Russia.

No Persistence, But Forensic Traces Remain

Arctic Wolf noted the malware makes no attempt to establish persistence, instead aiming to harvest as much data as possible in a single run, and lacks any anti-analysis protections. The temporary staging directory used during exfiltration is left behind unwiped, providing forensic evidence for defenders.

By the time of the report, GitHub had removed a large share of the malicious repositories, though several dozen GitHub Pages redirectors remained active. Researchers could not attribute the campaign to a specific actor but assess it is likely operated by a financially motivated, Russian-speaking group. Arctic Wolf has published Yara rules and indicators of compromise and urges caution around unofficial GitHub download links.