Skip to main content
Emerging ThreatsMalware & Ransomware

GitHub Repos Impersonate Legit Software to Spread Infostealer Malware

Cluttered home office workspace with laptop screen glowing in dim light.

292 fake GitHub repositories posed as legitimate software and security projects and funneled visitors to malicious downloads, researchers at Arctic Wolf found after one of the firm's products was impersonated starting June 26.

Arctic Wolf's discovery and scope

Arctic Wolf identified a broad campaign that impersonated security products, cryptocurrency services, financial tools, developer utilities, secure email providers, macOS utilities, and gaming software. The researchers uncovered 292 impersonating repositories, each containing a README with a link to a malicious landing page. GitHub removed a large portion of the repositories, but Arctic Wolf reported that several dozen GitHub Pages redirectors remained active at the time of their report. The investigators could not attribute the campaign to a named actor, though they assess the operator is likely Russian-speaking and financially motivated.

Templated delivery pages and the redirect mechanics

Arctic Wolf found the campaign relied on “a single templated HTML/JS artifact reused across all impersonated brands.” The client-side script parses the URL path into two segments: path[0] is a user_code (a rotating path token such as yyvxx9rswefr) that tracks the referring repository or redirector, and path[1] is the referrer domain (for example, Arctic-Wolf[.]github.io). Visible branding on the landing page is derived from that second segment by replacing hyphens with spaces and applying title case. The landing pages used trust-inspiring elements such as a button labeled “Download Secure Content” and spoofed trust badges. In many cases the page served a large ZIP archive whose filename and payload changed roughly every minute.

Trojanized updater and in-memory execution

Inside the ZIP archives Arctic Wolf found a trojanized libcurl.dll alongside a legitimate, signed WinGUP updater that had been renamed to match the impersonated product. When the delivered executable runs as gup.exe, it side-loads the trojanized libcurl.dll. That DLL decodes and reflectively executes an embedded infostealer entirely in memory. Arctic Wolf reports the malware is not designed to establish persistence on the host; instead, it appears intended to collect as much data as possible in a single execution. The researchers also noted there is no anti-analysis layer, and the temporary directory used to stage collected data during exfiltration is not wiped, leaving forensic evidence behind.

BoryptGrab variant: what is taken and a new Chrome bypass

Arctic Wolf identifies the payload as a variant of the BoryptGrab family. The researchers list the targeted data as including: passwords, cookies, payment information and other data from 19 web browsers; data from 32 cryptocurrency wallet brands; Telegram sessions, Discord tokens, and Steam session tokens; credentials for Meta’s Max messaging application; contents of Windows Credential Manager; files on Desktop and in Documents whose names or extensions suggest passwords, recovery phrases, wallets, or backups; as well as screenshots, system details, and installed-software lists. Notably, Arctic Wolf observed that this BoryptGrab variant exhibits a previously undocumented capability to bypass Chrome’s App-Bound Encryption by performing direct code injection into the browser process. Stolen data is compressed before being sent to a Russia-based command-and-control (C2) server.

How security teams, end users, and open-source maintainers should respond

  • Security teams: Arctic Wolf shared a Yara rule and indicators of compromise (IoCs) associated with BoryptGrab; the researchers document the templated HTML/JS artifact, the rotating path token, the use of GitHub Pages redirectors, the large, frequently changing ZIP payloads, and the WinGUP side-loading of a trojanized libcurl.dll. These artifacts are the specific signals Arctic Wolf provides for detection and hunting.
  • End users: Arctic Wolf concludes the campaign’s success depends on users trusting “free downloads” of premium software tools. The firm explicitly recommends caution when interacting with unofficial GitHub pages that present download links, spoofed badges, or branding that mirrors known products.
  • Open-source maintainers: Because the impersonation leverages README download links and GitHub Pages redirectors, maintainers of legitimate projects should be aware that lookalike repositories can redirect traffic to templated malicious landing pages. Arctic Wolf’s finding that dozens of redirectors remained active after removals underscores the need to monitor for and report impersonating pages.

Arctic Wolf’s report ties a large, opportunistic impersonation campaign to a memory-resident infostealer that favors speed over stealth: no persistence, no evasion layers, but broad data collection and rapid exfiltration. The researchers provide concrete detection artifacts — a Yara rule and IoCs — and leave a clear behavioral pattern for defenders to hunt: templated GitHub redirectors, rotating download tokens, signed updaters used as loaders, and rapidly changing ZIP payloads. The campaign also raises a pointed question the report leaves unanswered: who is operating the infrastructure that funnels trust into a Russian-based C2? Arctic Wolf does not attribute the activity to a specific actor.

Original reporting: https://www.bleepingcomputer.com/news/security/nearly-300-github-repos-pose-as-legit-software-to-push-malware/