```html ``` Arctic Wolf Found 292 Fake GitHub Repos Pushing an Infostealer — One Impersonating Arctic Wolf Itself. We Didn't Catch the Campaign. We Had Its Exfil Server in Our Feed in May.
top of page

Arctic Wolf Found 292 Fake GitHub Repos Pushing an Infostealer — One Impersonating Arctic Wolf Itself. We Didn't Catch the Campaign. We Had Its Exfil Server in Our Feed in May.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 3 hours ago
  • 5 min read

Arctic Wolf Labs published a good piece of primary research this week. Their team documented a threat actor running at least 292 fake GitHub repositories, each impersonating a trusted brand, each a lure to install an in-memory infostealer. The list of impersonated brands spans security tooling, fintech, crypto wallets, developer tools, secure email, macOS utilities, and gaming — and in a detail you could not make up, one of the fake pages impersonated Arctic Wolf itself. The researchers who exposed the campaign were one of the brands it wore as a mask.


That is their find, start to finish, and this post credits it as theirs. We did not discover this campaign. What we did do, when we ran their indicators against our feed, is find something worth telling you honestly — because the honest version is more useful than the version where we pretend we scooped anyone.



What Arctic Wolf Had That We Did Not


Let us be precise about the division of labor, because precision is the whole point.


Arctic Wolf did the repository hunt. They found the 292 fake repos, the roughly 78 GitHub.io redirector pages, and the twenty-odd actor-controlled distribution domains. They identified the delivery mechanism: a marketing-styled README hiding a download link that routes a victim to a "secure download" page, which serves a ZIP that regenerates its filename and payload about every sixty seconds. They took apart the execution chain — a legitimate, signed WinGUP updater that side-loads a trojanized libcurl.dll, which reflectively runs the stealer entirely in memory. And they did the binary-level work to confirm the payload is the same family as a previously documented stealer called BoryptGrab.


We had none of that. We did not have the campaign, the repo list, the distribution domain targetroyena dot com, the file hashes, or the BoryptGrab family name. Zero of it was in our corpus before Arctic Wolf published. If you want to know how those 292 repos worked and what the stealer grabs, you read their report, and you should.



What We Had That Turned Out to Matter


Here is the other half. The stealer, once it has raided a victim, ships the loot to a hardcoded command-and-control server: 193.143.1.131, a box on Proton66 in Russia — a host repeatedly tied to malware operations.


That IP has been in our feed since May 20, flagged as a malicious server by SSLBL, and independently again by ThreatFox on May 26 and by community reporting on May 23. The entire surrounding network block — 193.143.1.0/24 — has been in our blocklist since February 16, carried in from a Spamhaus DROP listing. So the exfiltration destination of a campaign Arctic Wolf named on the fifteenth of July was sitting in our indicators eight weeks earlier as a single IP, and five months earlier as a network range.


We did not know it belonged to this campaign. We could not have — the campaign did not have a name yet. That is exactly the point.



Why the Infrastructure Was Burned Before the Campaign Existed


The actor did not stand up fresh infrastructure for the brand-impersonation operation. They reused a Proton66 box that was already dirty — already serving something bad enough in May to get flagged by three independent sources as a malware server. When they built the infostealer campaign in late June, they pointed its exfil at a machine that was, from our feed's point of view, already condemned.


This is the whole thesis of defending the door instead of the actor. We do not need to know who is attacking or what they have named their campaign to know that a specific Russian box on a specific bulletproof-adjacent host has no legitimate reason to receive data from your developers' machines. The attribution — the actor, the family, the 292 repos — is Arctic Wolf's craft, and it is real craft. The infrastructure was ours to block months before any of that attribution existed, because attackers are cheap and they reuse their servers, and a server that was malicious in May is usually still malicious in July.



The Honest Part We Will Not Skip


There is a catch, and skipping it would make this a marketing document instead of a threat report. That IP is not in our enforced blocklist today. Our feed runs on a rolling window — indicators age out after a week so the enforced set stays small and current and under our provider's cap. An IP flagged in May, if nothing re-asserts it, lapses out of active blocking by summer. So a shop running our edge feed in May was refusing connections to that exfil server. A shop running it cold this morning was not, until we re-add it.


Which is precisely what a fresh disclosure like Arctic Wolf's is for. Their report is a confirmation, on the fifteenth of July, that 193.143.1.131 is live campaign infrastructure right now. That is the human-gated signal our doctrine waits for before re-asserting an aged-out indicator — and re-asserting it, along with the /24, is the obvious next move on the back of their work. A fast-expiring feed is a deliberate tradeoff: it blocks what is hot and lets old infrastructure lapse, and it depends on exactly this kind of signal to bring a lapsed threat back to the front.



Two Halves of One Picture


Neither shop had the whole thing. Arctic Wolf had the campaign and the craft — the naming, the family, the repo network, the execution chain — and none of the early infrastructure history. We had the infrastructure early and none of the campaign. Put the two together and you get the complete picture: a burned Russian host that our feed condemned in the winter, rented again in the summer to exfiltrate credentials from victims lured through 292 fake repos that Arctic Wolf mapped in July.


That is how this is supposed to work. They did the primary research; we are crediting it by name and pointing our readers at it. If the currency of this industry is attribution, theirs is the byline on this campaign, full stop. Ours is the quieter receipt underneath it: the door was already shut once, on infrastructure the attacker was too cheap to replace, and it can be shut again on a day's notice — because somebody did the work of naming what was behind it.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


bottom of page