BIP America

collapse
Home / Daily News Analysis / Threat actor impersonated hundreds of brands on GitHub to push infostealer malware

Threat actor impersonated hundreds of brands on GitHub to push infostealer malware

Jul 18, 2026  Twila Rosenbaum  2 views
Threat actor impersonated hundreds of brands on GitHub to push infostealer malware

A sophisticated and financially motivated threat actor has been impersonating hundreds of well-known brands on GitHub to distribute a smash-and-grab infostealer masquerading as legitimate software downloads. Arctic Wolf threat researchers discovered the campaign after noticing a repository pretending to be their own company. Their investigation revealed 292 impersonated repositories spanning a wide range of categories, including security tools, fintech and personal finance apps, cryptocurrency wallets and exchanges, developer productivity tools, secure email providers, macOS utilities, and gaming software including cheat tools.

How the Attack Works

Potential victims are directed to these malicious GitHub pages through SEO-optimized search engine results. Each repository hosts a README file that contains a concealed download link. This link routes the victim through a .github.io page and then to a threat-actor-controlled distribution domain, which presents a fake secure download page. The page serves a large ZIP archive that regenerates its filename and payload roughly every 60 seconds, making detection more difficult. Inside the archive, there is a legitimate signed WinGUP updater (actually gup.exe, renamed to match the impersonated product) and a trojanized libcurl.dll.

When the user runs the executable, gup.exe side-loads the malicious libcurl.dll. This DLL then decodes and reflectively executes an embedded Windows infostealer entirely in memory, leaving no traces on disk other than the payload itself. The infostealer shares its codebase with the previously documented BoryptGrab malware and features 11 modules capable of extracting a vast array of sensitive data.

Data Collected by the Infostealer

  • System information and installed software details
  • Credentials and cookies from multiple browsers: Chrome, Edge, Brave, Yandex, Vivaldi, Chromium, Tor, Epic, Opera, Opera GX, and Firefox
  • Local storage and configuration data from installed browser extensions, including numerous cryptocurrency wallet extensions
  • Steam session tokens, Meta Max credentials, Discord tokens, and Telegram data
  • Files from Desktop and Documents folders containing names like “password,” “passwords,” “seeds,” “keys,” “wallet,” “backup,” and “recovery”
  • Credentials stored in the Windows Credential Manager

All collected data is exfiltrated to a command-and-control (C2) server hosted in Russia, with the hardcoded IP address 193.143.1[.]131. The malware does not register any Run keys, scheduled tasks, or Windows Defender exclusions. It also lacks virtual machine detection, debugger detection, or process name blocklisting. “The implant is a pure ‘smash-and-grab’ infostealer: one execution, all data collected and exfiltrated, no foothold established,” Arctic Wolf researchers noted. However, the malware stages all collected data plus its own operational logs (browser_decryption.log, sends.log) to a temporary output folder and does not delete that folder afterward, leaving a recoverable forensic footprint on disk.

Detection and Remediation

Users and administrators can check for the presence of this temporary folder; if it exists, the system has been compromised. Arctic Wolf advises rotating credentials, browser sessions, and cryptocurrency wallet keys for any host that executed a sample. They also recommend assuming that browser-stored passwords, cookies, wallets, Discord tokens, Steam tokens, Telegram sessions, Meta Max credentials, and Windows Credential Manager entries are fully compromised.

Researchers emphasized that the impersonated vendors are not at fault—the threat actor is not exploiting any software vulnerability. Instead, they are abusing the trust users place in search engine results and the Microsoft-owned GitHub hosting service. The attacker likely uses automation to register throwaway accounts and organizations, generating fake download pages, README files, and GitHub.io redirector accounts. Language and hosting artifacts suggest a Russian-speaking operator, though no connection to a known threat group has been established.

The campaign began on June 26, 2026, and continues to be active. Arctic Wolf reported the fake “Arctic Wolf” page to GitHub, which promptly removed it, and GitHub has taken down a substantial portion of the flagged malicious repositories. However, removal is reactive, and the low cost of creating new accounts means the attacker can easily spin up new campaigns.

Broader Context and Analysis

This campaign is part of a larger trend where threat actors exploit trusted platforms like GitHub to deliver malware. By impersonating reputable brands, they increase the likelihood that victims will trust the download. The use of SEO poisoning to drive traffic highlights the importance of verifying search results, especially for software downloads. DLL side-loading is a common technique that leverages legitimate executables to load malicious libraries, bypassing security controls. The BoryptGrab codebase is known for its modular design and efficiency in stealing data, and this variant continues that tradition.

Arctic Wolf recommends that users source software only from vendor-verified channels and treat any .github profile repository with a recent creation date, sparse commit history, and marketing-style README as suspicious by default. Spoofed trust badges and secure download pages are easy to fabricate and prove nothing. The most useful rule of thumb: legitimate installers do not require running an executable out of a ZIP archive, no matter whose name is on it.

Organizations should also implement application control policies to prevent unauthorized executables from running, monitor for unusual outbound connections, and educate employees about the dangers of downloading software from unverified sources. The forensic footprint left by this infostealer can be used to detect compromises, and security teams should include checks for the temporary output folder in their incident response procedures.


Source: Help Net Security News


Share:

Your experience on this site will be improved by allowing cookies Cookie Policy