
GitHub Impersonation Deploys Information Stealer

Published 02/07/2026 18:15


Essential information

Published
02/07/2026 18:15
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
boryptgrab, boryptgrab stealer, dll side-loading, fake repositories, github impersonation, information stealer, seo poisoning, social engineering
Related entities
4 indicators, 4 observables, 18 techniques (mitre), 1 malware

Description

An internal security operations team identified a fraudulent GitHub page impersonating a cybersecurity vendor in order to target that vendor's customers and the general public. The page appeared legitimate because it referenced the vendor's authentic services and operational requirements. The GitHub page itself contained no malicious content; instead, a disguised link led victims to download a ZIP archive containing malicious executables. Running those executables deployed the BoryptGrab Stealer information-stealing malware via DLL side-loading. Investigation revealed nearly 300 similar repositories impersonating well-known organizations, including Malwarebytes, Bitdefender, and 360 Total Security, each stuffed with SEO keywords to draw search traffic toward the lure. The malicious page has been removed and detection capabilities have been enhanced.
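Hunting for the remaining lookalike repositories can be scripted against repository metadata. The following is an added example, not code from the AlienVault report or from any vendor named in it: it scores repository records shaped like GitHub REST API `/search/repositories` items and flags those that trade on a protected vendor name under an unrelated owner, pack several brands into one description (the SEO-poisoning pattern described above), or point readers at an archive download, scoring off-GitHub hosting highest because the disguised ZIP link is the pivot point of this campaign. The brand-to-organization map, the `readme` field (standing in for README text fetched separately) and the sample records are all constructed for the example.

```python
"""Triage GitHub repository records for vendor-impersonation lookalikes.

Added example for this report; not code from the AlienVault report or from
any affected vendor. Input records mirror the shape of GitHub REST API
/search/repositories items (full_name, name, owner.login, description,
stargazers_count, forks_count). The "readme" field is an assumption here,
standing in for README text fetched separately. All sample data is constructed.
"""
import re
from urllib.parse import urlparse

# Assumed mapping of brand keyword -> GitHub organizations allowed to use it.
# Illustrative only; maintain this from verified sources in real use.
PROTECTED_BRANDS = {
    "malwarebytes": {"malwarebytes"},
    "bitdefender": {"bitdefender"},
    "360 total security": set(),  # no org recorded in this example
}

URL_RE = re.compile(r"""https?://[^\s)\]>"']+""", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z|exe|msi)(\?|$)", re.IGNORECASE)


def is_github_host(host):
    """True for github.com and its subdomains/CDN; avoids 'evilgithub.com' matches."""
    host = host.lower()
    return (
        host == "github.com"
        or host.endswith(".github.com")
        or host.endswith(".githubusercontent.com")
    )


def brand_hits(text):
    """Protected brand names appearing anywhere in the repository's text."""
    lowered = text.lower()
    return [brand for brand in PROTECTED_BRANDS if brand in lowered]


def archive_links(text):
    """(url, host) pairs for links that end in an archive or installer extension."""
    found = []
    for url in URL_RE.findall(text or ""):
        if ARCHIVE_RE.search(url):
            found.append((url, urlparse(url).netloc.lower()))
    return found


def triage_repo(repo):
    """Score one record; higher means more likely an impersonation lure."""
    score, reasons = 0, []
    owner = repo["owner"]["login"].lower()
    text = " ".join([repo.get("name", ""), repo.get("description") or "", repo.get("readme", "")])

    hits = brand_hits(text)
    for brand in hits:
        if owner not in PROTECTED_BRANDS[brand]:
            score += 3
            reasons.append(f"uses brand '{brand}' but owner '{owner}' is not a known org")
    if len(hits) >= 2:  # several vendors in one repo is an SEO keyword-stuffing tell
        score += 2
        reasons.append("multiple vendor brands in one repo (keyword stuffing)")

    for url, host in archive_links(repo.get("readme", "")):
        if is_github_host(host):
            score += 1
            reasons.append(f"archive download hosted on GitHub: {url}")
        else:
            score += 3
            reasons.append(f"archive download hosted off-platform: {url}")

    if repo.get("stargazers_count", 0) == 0 and repo.get("forks_count", 0) == 0:
        score += 1  # throwaway repos rarely accumulate any community signal
        reasons.append("no stars or forks")
    return score, reasons


def triage(repos, threshold=4):
    """Return [(full_name, score, reasons)] for records at or above threshold."""
    flagged = []
    for repo in repos:
        score, reasons = triage_repo(repo)
        if score >= threshold:
            flagged.append((repo["full_name"], score, reasons))
    return flagged


# Constructed sample records: one legitimate vendor repository, one lure.
SAMPLE_REPOS = [
    {
        "full_name": "malwarebytes/example-remediation-scripts",
        "name": "example-remediation-scripts",
        "owner": {"login": "malwarebytes"},
        "description": "Malwarebytes remediation scripts (constructed sample)",
        "stargazers_count": 42,
        "forks_count": 7,
        "readme": "Docs: https://github.com/malwarebytes/example-remediation-scripts",
    },
    {
        "full_name": "sec-tools-2026/malwarebytes-free-download",
        "name": "malwarebytes-free-download",
        "owner": {"login": "sec-tools-2026"},
        "description": "Malwarebytes Bitdefender 360 Total Security free download 2026",
        "stargazers_count": 0,
        "forks_count": 0,
        "readme": "Download the installer: https://files.example.net/setup.zip",
    },
]

if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE_REPOS):
        print(f"{name}: score {score}")
        for reason in reasons:
            print("  -", reason)
```

The weights and the threshold are arbitrary starting points; tune them against a known-good set of vendor repositories before acting on the output, and treat a high score as a lead for analyst review rather than a verdict, since vendors do sometimes publish installers from their own GitHub releases.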

External references