New CGrabber and Direct-Sys Malware Spread Through GitHub ZIP Files
CGrabber and Direct-Sys malware spread via GitHub ZIP files to steal passwords and crypto wallets.
Summary
Cyderes researchers discovered a multi-stage malware campaign distributing CGrabber Stealer and Direct-Sys Loader through GitHub ZIP archives. The attack uses DLL sideloading with a legitimate Microsoft-signed executable to bypass antivirus, employs direct syscalls to evade security hooks, and includes checks for 67 security tools and virtual environments. CGrabber steals passwords, credit cards, and private keys from 150+ crypto apps, browsers, and communication platforms, with data encrypted via ChaCha20 before exfiltration.
Full text
By Deeba Ahmed, April 17, 2026

Researchers at exposure management services provider Cyderes have discovered a clever new multi-stage malware campaign that successfully bypasses antivirus software to drain data from unsuspecting users. The firm’s research, shared with Hackread.com, reveals that the campaign relies on two brand-new malware families named Direct-Sys Loader and CGrabber Stealer.

Malware Delivery via GitHub

Cyderes’ unit of elite cybersecurity researchers, the Howler Cell Threat Research Team, found that the attack begins with ZIP archives distributed through GitHub user attachment links. One recurring filename discovered was Eclipsyn.zip. These archives contain a legitimate, Microsoft-signed program called Launcher_x64.exe. This trusted file is tricked into running a malicious component through DLL sideloading, with the component disguised as a dependency named msys-crypto-3.dll.

In the next phase of the attack, the Direct-Sys Loader begins its work. The blog post reveals that this loader runs a series of checks to see if it is being monitored before doing anything. It searches for 67 different security tools and also checks for virtual environments like VMware, Hyper-V, or VirtualBox. If the loader detects a researcher’s sandbox, it simply quits.

As per the researchers, the malware uses direct syscalls to communicate directly with the operating system kernel. This helps it remain undetected because it silently bypasses the usual security hooks that monitor for suspicious activity, making it a very effective tool for silent intrusion.

CGrabber Data Theft

After the loader confirms the system is undefended, it executes the final payload, known as the CGrabber Stealer, which is responsible for stealing the data.
And it does a fairly good job, grabbing an enormous range of personal information across dozens of apps. CGrabber reportedly steals saved passwords, credit card info, and cookies from browsers like Chrome, Edge, Brave, and Firefox, and also targets private keys from over 150 crypto apps, including MetaMask, Exodus, Coinbase, and Binance. Even communication tools are not spared, as the stealer obtains data from Telegram, Discord, Steam, and VPN services like NordVPN and ProtonVPN.

Additionally, the stealer performs a CIS check (a regional location check): if the device is located in a country within the Commonwealth of Independent States, it immediately shuts down. Researchers noted that this is a common tactic threat actors use to avoid alerting law enforcement in those specific regions.

[Figure: Attack Overview (Source: Cyderes)]

Advanced Evasion

The level of discipline shown in this campaign is incredibly high, given that all stolen data is encrypted using the ChaCha20 algorithm before being sent to the attackers’ servers. Because the malware uses custom web headers like X-Auth-Token, it can easily pass through network filters.

This research into the new threat was shared exclusively with Hackread.com. The best way to stay safe is to be wary of any ZIP file from GitHub and to monitor your system for strange files appearing in folders you didn’t create.
Indicators of Compromise
- malware — CGrabber Stealer
- malware — Direct-Sys Loader
- malware — Launcher_x64.exe
- malware — msys-crypto-3.dll
- malware — Eclipsyn.zip