ArcticWolf security researchers disclosed a campaign running approximately 300 fake GitHub repositories that impersonate legitimate software across multiple categories, using the repositories as distribution points for BoryptGrab — an infostealer variant with a previously undocumented method for bypassing Google Chrome’s App-Bound Encryption through direct code injection. The discovery began when ArcticWolf found its own product being impersonated within the fake repository network.
ArcticWolf’s Discovery: 300 Fake Repos Delivering BoryptGrab
The campaign operates through roughly 300 fabricated GitHub repositories constructed to impersonate legitimate security products, cryptocurrency services, financial tools, developer utilities, macOS applications, and gaming software. Each repository contains convincing README files that present the project as a real download, with links directing visitors to spoofed landing pages displaying fabricated trust badges designed to establish credibility. ArcticWolf researchers characterized the breadth and consistency of the fake repository network as reflecting sustained investment rather than opportunistic impersonation.
ArcticWolf’s research team first identified the campaign on June 26, 2026, when they discovered the company’s own security product had been replicated within the fake repository network. The July 14 disclosure represents the first public documentation of the campaign’s full scope and the capabilities of the BoryptGrab payload it delivers.
Attribution based on ArcticWolf’s analysis points to a likely Russian-speaking, financially motivated operator. No specific threat actor attribution was provided beyond that assessment.
The DLL Side-Loading Chain That Installs BoryptGrab in Memory
The attack chain begins when a victim visits a fake GitHub repository and follows one of the convincing download links to a spoofed landing page. The landing page presents a “Download Secure Content” button that delivers a ZIP archive. The archive contains two components: a legitimate copy of the WinGUP updater binary and a malicious DLL named libcurl.dll.
When the victim runs WinGUP, the DLL side-loading technique causes the process to load and execute libcurl.dll instead of the expected legitimate library. The malicious DLL then executes BoryptGrab entirely in memory through reflective loading — a technique that allows the malware to run without writing the payload to disk, avoiding file-based detection mechanisms that scan for known malicious binaries on the filesystem. The fileless execution approach means that on systems where endpoint detection relies primarily on file scanning rather than behavioral monitoring, BoryptGrab’s presence may not produce an immediate alert.
BoryptGrab’s Previously Undocumented Chrome App-Bound Encryption Bypass
The most significant capability ArcticWolf documented in BoryptGrab is a method for bypassing Google Chrome’s App-Bound Encryption — a security control Google introduced specifically to prevent credential-stealing malware from accessing saved passwords through the techniques that prior infostealers relied on.
App-Bound Encryption ties credential storage to the application that owns it, so that memory-dumping approaches used by traditional infostealers cannot extract Chrome-stored passwords because the data is encrypted to the browser process. BoryptGrab circumvents this protection through direct code injection into the Chrome process itself, allowing it to extract saved passwords and payment information from within Chrome’s own execution context rather than reading encrypted data from outside the process boundary. ArcticWolf described this as a previously undocumented bypass technique.
Data Targeted Across Browsers, Crypto Wallets, and Messaging Platforms
BoryptGrab’s credential theft scope extends beyond Chrome. The infostealer targets passwords and payment information from 19 browsers total. Its cryptocurrency theft capabilities cover seed phrases and private keys from 32 cryptocurrency wallet brands — a range that reflects the campaign’s financially motivated objective. Beyond credentials, BoryptGrab harvests Telegram sessions, Discord authentication tokens, and Steam credentials.
Additional data collection targets Windows Credential Manager contents, desktop and document files containing password-related terms, and screenshots and system reconnaissance data. The combined data collection profile — browser credentials, cryptocurrency wallet access, messaging platform sessions, and local credential stores — reflects a comprehensive sweep of the authentication material that provides ongoing financial and account access value to the operators.
The 19-browser and 32-wallet-brand scope of the collection targets means that BoryptGrab’s operator network gains access to victims regardless of which specific browser or wallet software the victim uses, reducing the attack’s dependence on any single software target. For organizations, the most immediate risk is the Chrome App-Bound Encryption bypass: if BoryptGrab’s technique is documented and adopted by the broader infostealer ecosystem, it would significantly degrade a browser security control that many organizations have treated as an effective credential protection layer.