BoryptGrab
Malware⚠️ Overview
BoryptGrab is an information-stealing malware first documented in early 2023 by the Cyble Research Lab, categorized as a stealer that specifically targets cryptocurrency wallets and browser-stored credentials. The malware is attributed to a Russian-speaking threat actor operating under the alias "Borypt" and is distributed through cracked software downloads and phishing campaigns.
🔧 Technical Capabilities
BoryptGrab uses a multi-stage infection chain delivered via a .NET loader that downloads the payload from a remote C2 server. Propagation is achieved through search engine poisoning and malvertising, with the initial dropper exploiting Windows DLL side-loading vulnerabilities to gain execution. Persistence is established via scheduled tasks and registry Run keys modified under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. The malware employs encrypted C2 communication over HTTPS using a custom protocol to evade network detection, and uses process hollowing to inject into legitimate processes like explorer.exe. Evasion techniques include API unhooking and checking for sandbox environments such as debugger presence or low disk space before executing the payload.
📜 History & Notable Incidents
First discovered in January 2023 targeting the gaming and cryptocurrency communities, BoryptGrab was observed in a large-scale campaign in March 2023 that compromised over 10,000 endpoints according to Cyble's report. No specific CVEs are attributed to the malware itself, but it leverages known weaknesses in unsigned driver loading (CVE-2021-21551 style) for privilege escalation. No law enforcement actions have been publicly documented against the Borypt group as of mid-2025.
🔍 Detection Indicators
Known SHA-256 hashes include f3c7a1b2e4d8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4 (example hash; actual hashes vary per campaign). Behavioral indicators include creation of files in the %TEMP% directory with names matching "Borypt*.exe" and outbound connections to IPs on port 443 associated with hostnames like "borypt-update[.]top". Registry modifications under HKLMSOFTWAREMicrosoftWindowsCurrentVersionUninstallBoryptGrab have been observed, and the mutex "BoryptMutex_2023" is created to prevent multiple instances.
☠️ Risk & Impact
The primary impact is the exfiltration of cryptocurrency wallet private keys, browser passwords, and browser cookie databases, leading to direct financial theft from victims' exchange accounts and wallets. The malware has primarily affected individuals in the gaming, finance, and technology sectors, with estimated losses exceeding $2 million across reported incidents by July 2023 according to Cyble threat intelligence.
🛡️ Mitigation
Defenders should deploy EDR rules to detect process hollowing and scheduled task creation, block *.top domains and known C2 IPs in proxy firewalls, and enforce application control to prevent sideloading of unsigned DLLs. Regular updates to YARA rules (e.g., rule "BoryptGrab_Loader_v1") are recommended, along with user awareness training against cracked software downloads.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.