BoryptGrab
Intelligence Profile
According to Trend Micro, BoryptGrab is a C/C++ Windows stealer that exfiltrates browser credentials (with Chrome App Bound Encryption bypass), desktop and extension-based cryptocurrency wallets, Telegram data, Discord tokens, system information, screenshots, and selected files from common directories. It is delivered via SEO-poisoned, fake GitHub repositories and multi-stage loaders (DLL sideloading, VBS/.NET launchers, and a Golang downloader "HeaconLoad") that fetch it and related payloads from attacker servers (notably over HTTP on port 5466). BoryptGrab supports multiple "builds" (tracked via build names like CryptoByte, Shrek, Sonic, etc.), implements anti-VM/anti-analysis checks, and can download extra components such as obfuscated Vidar stealer variants and the TunnesshClient backdoor.
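One cheap network-side hunt that follows from the delivery detail above is to look for plain HTTP to TCP port 5466 in proxy or flow logs. The script below is an added example, not code from Trend Micro or from the page; the key=value log format and the sample lines are constructed for illustration, and the only page-derived rule is "HTTP over port 5466".

```python
"""Added example: flag plain-HTTP flows to TCP port 5466 in constructed flow logs."""
import re
from collections import defaultdict

# Constructed sample log (not real telemetry); the format is invented for this example.
SAMPLE_LOG = """\
ts=2024-01-01T10:00:00Z src=10.0.0.5 dst=203.0.113.10 dport=5466 proto=tcp app=http uri=/payload.bin
ts=2024-01-01T10:00:05Z src=10.0.0.5 dst=203.0.113.10 dport=5466 proto=tcp app=http uri=/update.bin
ts=2024-01-01T10:00:07Z src=10.0.0.9 dst=198.51.100.7 dport=443 proto=tcp app=tls
ts=2024-01-01T10:00:09Z src=10.0.0.9 dst=198.51.100.8 dport=5466 proto=tcp app=tls
garbage line that does not parse
ts=2024-01-01T10:00:12Z src=10.0.0.7 dst=203.0.113.11 dport=5466 proto=tcp app=http uri=/stage2
"""

SUSPECT_PORT = 5466  # loader download port reported in the profile above
FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = ("src", "dst", "dport", "app")


def parse_line(line):
    """Parse one key=value line into a dict; return None for unparseable lines."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in REQUIRED):
        return None
    try:
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields


def find_loader_downloads(log_text, port=SUSPECT_PORT):
    """Return {src_host: [(dst, uri), ...]} for plain-HTTP flows to `port`.

    TLS on the same port is deliberately not flagged: the profile describes the
    payload fetches as plain HTTP, so HTTP-on-5466 is the tighter signal.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the hunt
        if rec["dport"] == port and rec["app"] == "http":
            hits[rec["src"]].append((rec["dst"], rec.get("uri", "")))
    return dict(hits)


if __name__ == "__main__":
    for host, flows in find_loader_downloads(SAMPLE_LOG).items():
        print(f"{host}: {len(flows)} HTTP flow(s) to port {SUSPECT_PORT}: {flows}")
```

Hosts returned by this check are candidates for endpoint triage (for example, inspecting which process made the request), since an uncommon port alone is not proof of infection.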
Threat Analysis
The operators behind BoryptGrab have not been attributed: their national origin is undetermined, and their motivation and activity patterns are unknown beyond the cyber operations described above.