Fort Worth 24

collapse
Home / Daily News Analysis / Threat actor impersonated hundreds of brands on GitHub to push infostealer malware

Threat actor impersonated hundreds of brands on GitHub to push infostealer malware

Jul 16, 2026  Twila Rosenbaum  3 views
Threat actor impersonated hundreds of brands on GitHub to push infostealer malware

In a large-scale social engineering and malware delivery campaign, a financially motivated threat actor has impersonated over 290 brands on GitHub, creating fake repositories that trick users into downloading a powerful information-stealing malware. The operation, uncovered by security firm Arctic Wolf, demonstrates the persistent and evolving threat of search engine optimization (SEO) poisoning combined with trusted platform abuse.

How the Attack Works

The threat actor registers multiple GitHub accounts and organizations to host repositories that mimic legitimate software projects from well-known companies. These fake repos feature README documents that contain concealed download links. Instead of directly linking to a malicious file, the attacker routes victims through a chain of redirections: first to a .github.io page, then to a threat-actor-controlled distribution domain, and finally to a fake 'secure download' page. The download page serves a large ZIP archive that regenerates its filename and payload roughly every 60 seconds, making detection and takedown more challenging.

The ZIP archive contains two files: a legitimate signed WinGUP updater (actually gup.exe, renamed to match the impersonated product) and a trojanized libcurl.dll. When the user executes the updater, it side-loads the malicious DLL, which decodes and reflectively executes an embedded infostealer entirely in memory. This technique, known as DLL side-loading, allows the malware to bypass many traditional security controls because the signed executable appears benign.

Capabilities of the Infostealer

The infostealer, which shares code with the previously documented BoryptGrab malware, is a pure 'smash-and-grab' implant. It performs no persistence, no virtual machine detection, and no process blocklisting. Instead, it executes once, collects as much data as possible, and exfiltrates everything to a command-and-control (C2) server hosted in Russia at IP address 193.143.1[.]131. The implant consists of 11 distinct modules that enable it to harvest:

  • System Information: OS details, installed software, hardware specs
  • Browser Credentials and Cookies: From Chrome, Edge, Brave, Yandex, Vivaldi, Chromium, Tor, Epic, Opera, Opera GX, and Firefox
  • Browser Extension Data: Local storage and config from popular cryptocurrency wallet extensions
  • Communication Tokens: Steam session tokens, Meta Max credentials, Discord tokens, Telegram sessions
  • File-Based Secrets: Files from Desktop and Documents folders with names containing 'password,' 'passwords,' 'seeds,' 'keys,' 'wallet,' 'backup,' or 'recovery'
  • Windows Credential Manager: All stored credentials

Notably, the malware leaves a forensic footprint: it stages collected data plus operational logs (browser_decryption.log, sends.log) in a temporary output folder that it does not delete after execution. Administrators can detect compromise by checking for this folder's presence.

Brands Impersonated and Target Victims

The 292 impersonated repositories span multiple sectors, including security tooling, fintech and personal finance, cryptocurrency wallets and exchanges, developer and productivity tools, secure email providers, macOS utilities, and gaming software, including 'cheat' tools. Among the impersonated brands was Arctic Wolf itself, which prompted the company's investigation. The attackers likely used automation to register throwaway accounts and organizations, and the language and hosting artifacts suggest a Russian-speaking operator.

The campaign began on June 26, 2026, and continues as of mid-July. Arctic Wolf notified GitHub, which removed the impersonated Arctic Wolf repository and many others, but the removal is reactive. The threat actor can quickly spin up new accounts at virtually no cost, making this a game of whack-a-mole.

Background on Infostealers and SEO Poisoning

Infostealers have become a cornerstone of cybercriminal operations, enabling everything from credential theft to ransomware initial access. The use of SEO poisoning to direct victims to malicious download pages is a technique that has grown in sophistication. In this campaign, the attacker optimized search results for popular brand names, so users searching for legitimate software like a wallet app or a security tool would find the fake GitHub repo near the top of search results. GitHub's high domain authority (github.com) lends credibility to these pages, making them appear trustworthy.

The DLL side-loading technique leverages Microsoft's WinGUP, a generic update utility often used by various applications. By bundling a renamed legitimate binary with a malicious DLL that matches the expected library name, the attacker ensures that the executable loads the malware without raising suspicion. This method has been used in previous campaigns, including those distributing the Bumblebee loader and various ransomware payloads.

The BoryptGrab connection suggests that the attacker may be part of a broader ecosystem of infostealer developers who share code or sell access to their malware. The smash-and-grab nature of this particular variant simplifies detection for incident responders but gives defenders a narrow window to respond before data is exfiltrated.

Recommendations for Defenders

Arctic Wolf advises organizations and individuals to source software only from vendor-verified channels. Treat any GitHub profile repository with a recent creation date, sparse commit history, and marketing-style README as suspicious by default. Spoofed trust badges and 'secure download' pages are easy to fabricate. The single most useful rule of thumb: legitimate installers do not require running an executable out of a ZIP archive, no matter whose name is on it.

If an infection is suspected, administrators should rotate all credentials, browser sessions, and cryptocurrency wallet keys for any host that executed a sample. Assume that browser-stored passwords, cookies, wallets, Discord tokens, Steam tokens, Telegram sessions, Meta Max credentials, and Windows Credential Manager entries are fully compromised. Check for the presence of the output folder left by the malware; if found, immediate containment is required.

GitHub and other code hosting platforms must improve their proactive detection of impersonation and malicious content. While reporting mechanisms exist, the speed of automated account creation combined with SEO poisoning means that users cannot solely rely on platform trust. Enhanced use of machine learning to detect patterns of fake repositories, such as identical README structures or unusual naming conventions, could reduce the window of exposure.

The financial motivation behind this campaign is clear: stolen credentials and cryptocurrency wallet keys have immediate monetary value on dark web markets. The attacker's decision to avoid persistence also suggests a volume-based approach, hoping to infect as many victims as possible in a short time before being disrupted. As long as such attacks remain profitable, they will continue.

This incident serves as a reminder that even well-known platforms like GitHub can be weaponized against users. In the absence of stronger proactive defenses, the burden falls on end users and security teams to verify the authenticity of downloads and to maintain a healthy skepticism toward search engine results. The Arctic Wolf researchers emphasize that no vulnerability in the impersonated software itself is being exploited; rather, it is the trust in brands and platforms that is being abused.

Indicators of compromise including the C2 IP address, file hashes, and a Yara rule have been published by Arctic Wolf to aid in detection. The malware's lack of anti-analysis features actually helps defenders, as the staged logs on disk can provide evidence of what was stolen. However, the rapid evolution of such attacks demands continuous vigilance and adaptation of security controls.


Source: Help Net Security News


Share:

Your experience on this site will be improved by allowing cookies Cookie Policy