GitHub Impersonation Deploys Information Stealer
Essential information
- Published
- 02/07/2026 18:15
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- boryptgrab, boryptgrab stealer, dll side-loading, fake repositories, github impersonation, information stealer, seo poisoning, social engineering
- Related entities
- 4 indicators, 4 observables, 18 techniques (mitre), 1 malware
Description
An internal security operations team identified a fraudulent GitHub page impersonating a cybersecurity vendor in order to target the vendor's customers and the general public. The page appeared legitimate because it referenced the vendor's authentic services and operational requirements. The GitHub page itself contained no malicious content, but a disguised link led victims to download a ZIP archive containing malicious executables. The attack chain deployed the BoryptGrab Stealer information-stealing malware via DLL side-loading. Investigation revealed nearly 300 similar repositories impersonating well-known organizations, including Malwarebytes, Bitdefender, and 360 Total Security, and using SEO keywords to attract victims. The malicious page has been removed and detection capabilities have been enhanced.