APT / THREAT GROUP

BoryptGrab

2 aliases
Last seen: May 13, 2026

Intelligence Profile

According to Trend Micro, BoryptGrab is a C/C++ Windows stealer that exfiltrates browser credentials (with a Chrome App Bound Encryption bypass), desktop and extension-based cryptocurrency wallets, Telegram data, Discord tokens, system information, screenshots, and selected files from common directories. It is delivered via SEO-poisoned fake GitHub repositories and multi-stage loaders (DLL sideloading, VBS/.NET launchers, and a Golang downloader, "HeaconLoad") that fetch it and related payloads from attacker servers (notably over HTTP on port 5466). BoryptGrab supports multiple "builds" (tracked via build names such as CryptoByte, Shrek, and Sonic), implements anti-VM/anti-analysis checks, and can download extra components such as obfuscated Vidar stealer variants and the TunnesshClient backdoor.

Threat Analysis

The sophistication and national origin of the operators behind BoryptGrab are undetermined, and their motivation and activity patterns have not been established.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

win.boryptgrab, BoryptGrab

External Intelligence

Malpedia: win.boryptgrab

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.