Cybersecurity researchers at Trend Micro have uncovered a sophisticated Windows-based malware campaign dubbed BoryptGrab. The campaign leverages search engine optimization (SEO) and the trusted infrastructure of GitHub to distribute info-stealers capable of bypassing modern browser security features.

The Infection Chain: SEO Manipulation on GitHub
Unlike traditional phishing campaigns that rely on email, BoryptGrab reaches victims through “search poisoning.” Attackers created over 100 public GitHub repositories posing as legitimate free software, gaming cheats, and utility tools.
- SEO-Heavy READMEs: The repositories use keyword-rich README files to rank highly in Google Search results.
- Deceptive Downloads: In one instance, a fake “Voicemod Pro” repository appeared directly below the official result, leading users to a ZIP file containing the malware.
- The Lure: ZIP files are typically themed around cracked software or “Pro” versions of popular utilities to entice downloads.
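The chain above (search engine result, GitHub repository, ZIP archive named like cracked or "Pro" software) leaves a recognisable footprint in web proxy logs. The script below is an added example, not Trend Micro's tooling or anything from the campaign itself: it parses a constructed, assumed log format, recognises GitHub archive and release-asset download URLs, and flags those whose repository name carries lure vocabulary or whose referer is a search engine. The log format, the lure word list, the search-engine host list and every owner/repository name in the sample lines are assumptions made for the illustration.

```python
"""Flag BoryptGrab-style lure downloads from GitHub in web proxy logs.

Added example, not Trend Micro's or GitHub's tooling. Log format, lure terms
and sample lines are all assumptions constructed for this illustration:
    <timestamp> <client_ip> <method> <url> <status> referer=<referer>
"""
import re
from urllib.parse import urlparse, unquote

# Hosts that serve repository archives / release assets (assumed set).
GITHUB_ARCHIVE_HOSTS = {"github.com", "codeload.github.com"}
# /owner/repo/archive/...   /owner/repo/releases/download/...   /owner/repo/zip/...
ARCHIVE_PATH = re.compile(r"^/([^/]+)/([^/]+)/(archive|releases/download|zip)(/|$)", re.I)
# Lure vocabulary typical of cracked-software / cheat themed repos (assumed list).
LURE_TERMS = {"crack", "cracked", "keygen", "cheat", "cheats", "hack", "pro",
              "premium", "activator", "unlocked", "free"}
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "duckduckgo.", "yandex.")

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) referer=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, url, status, referer = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "url": url,
            "status": int(status), "referer": referer}


def github_repo_from_url(url):
    """Return (owner, repo) if the URL is a GitHub archive/asset download, else None."""
    u = urlparse(url)
    if (u.hostname or "").lower() not in GITHUB_ARCHIVE_HOSTS:
        return None
    m = ARCHIVE_PATH.match(unquote(u.path))
    return (m.group(1), m.group(2)) if m else None


def lure_terms_in(repo):
    """Whole-token match, so 'pro' flags 'Voicemod-Pro' but not 'cpython'."""
    tokens = set(re.split(r"[-_.\s]+", repo.lower()))
    return sorted(tokens & LURE_TERMS)


def from_search_engine(referer):
    """True when the referer host looks like a web search engine."""
    host = (urlparse(referer).hostname or "").lower()
    return any(h in host for h in SEARCH_ENGINE_HOSTS)


def score_event(ev):
    """Return a finding for a suspicious successful GitHub archive download, else None."""
    repo = github_repo_from_url(ev["url"])
    if repo is None or ev["status"] != 200:
        return None
    reasons = []
    terms = lure_terms_in(repo[1])
    if terms:
        reasons.append("lure terms in repo name: " + ", ".join(terms))
    if from_search_engine(ev["referer"]):
        reasons.append("arrived from a search engine result")
    if not reasons:
        return None
    return {"ts": ev["ts"], "ip": ev["ip"], "repo": f"{repo[0]}/{repo[1]}",
            "url": ev["url"], "reasons": reasons}


def scan(lines):
    """Run every log line through the parser and scorer; return the findings."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev:
            finding = score_event(ev)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample lines; owner/repo names and addresses are made up.
SAMPLE_LOG = [
    "2025-01-15T10:02:11Z 10.1.2.3 GET https://github.com/example-user/Voicemod-Pro-Crack/archive/refs/heads/main.zip 200 referer=https://www.google.com/",
    "2025-01-15T10:05:40Z 10.1.2.4 GET https://github.com/python/cpython/archive/refs/tags/v3.12.0.zip 200 referer=https://github.com/python/cpython",
    "2025-01-15T10:07:02Z 10.1.2.5 GET https://codeload.github.com/someone/Free-Premium-Cheat-2025/zip/refs/heads/main 200 referer=https://www.bing.com/search?q=free+cheat",
    "2025-01-15T10:09:30Z 10.1.2.6 GET https://www.example.com/downloads/tool.zip 200 referer=https://www.google.com/",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["repo"], "|", "; ".join(f["reasons"]))
```

Run against the constructed sample, only the two lure-named repositories are reported; the legitimate cpython archive passes because its name carries no lure token and its referer is GitHub itself, and the non-GitHub ZIP is ignored entirely. In production the lure list and referer heuristic will need tuning per environment, and a hit should trigger a hash lookup or sandbox detonation of the downloaded archive rather than an automatic block on its own.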
Capabilities: Bypassing Chrome’s App-Bound Encryption
Trend Micro’s analysis reveals that BoryptGrab is specifically designed to harvest sensitive information from nine different browsers, including Google Chrome, Microsoft Edge, Brave, and Opera.
Technical Highlights:
The Growing Use of GitHub in Cyberattacks
This discovery follows a similar trend noted by Microsoft Threat Intelligence in early 2025, where a malvertising campaign affected nearly one million devices by redirecting users to GitHub.
While GitHub’s policy strictly prohibits the delivery of malicious executables, the platform’s openness makes it a prime target for attackers looking to exploit its high domain authority in search rankings.
Summary of the campaign's observed targets, techniques and delivery methods. Each column is an independent list; entries that share a row are not related to one another.

| Browsers Targeted | Protections Targeted and Techniques Used | Delivery Method |
|---|---|---|
| Chrome, Edge, Firefox | Chrome App-Bound Encryption (bypassed) | GitHub SEO poisoning |
| Brave, Vivaldi, Opera | Windows Registry persistence | Deceptive ZIP files |
| Chromium, Yandex | Reverse SSH tunnels | Fake "cracked" software |

Recommendations for Enterprises
To mitigate the risk of BoryptGrab and similar SEO-driven campaigns, organizations should follow CIS Controls:
- Software Inventory: Maintain an active list of authorized software.
- Application Allowlisting: Block execution of unauthorized executables, including binaries extracted from ZIP archives downloaded from unverified sources such as arbitrary GitHub repositories.
- Report Abuse: Use GitHub’s in-product reporting tools to flag suspicious repositories immediately.
