
New CGrabber and Direct-Sys Malware Spread Through GitHub ZIP Files
Why It Matters
The attack demonstrates how trusted development platforms can be weaponized to deliver credential‑theft tools that evade traditional defenses, raising the threat level for both consumers and enterprises.
Key Takeaways
- Malware delivered via GitHub ZIP attachments bypasses AV
- Direct‑Sys Loader uses DLL sideloading and kernel syscalls to evade detection
- CGrabber steals passwords, crypto wallet keys, and VPN credentials
- Payload aborts in CIS countries to evade regional law enforcement
- Researchers recommend avoiding unknown GitHub ZIP files and monitoring rogue executables
Pulse Analysis
GitHub has become an attractive launchpad for threat actors seeking to piggyback on the platform’s reputation for legitimate code sharing. By embedding malicious DLLs in seemingly benign ZIP archives, attackers exploit DLL sideloading—a technique that tricks signed executables into loading hostile libraries. Direct‑Sys Loader further hardens its foothold with direct system calls, sidestepping the user‑mode hooks that most endpoint protection products monitor. This combination of supply‑chain deception and kernel‑level evasion marks a notable evolution in malware delivery, blurring the line between development tools and attack vectors.
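The sideloading pattern described above has a simple static precursor that defenders can check before an archive is ever extracted: an executable and a DLL packed side by side in the same directory, or a PE image hiding behind a non-executable extension. The following is an added triage example, not code from the original article or from the researchers it cites; it builds a constructed in-memory ZIP (no real sample is involved) and reports both patterns.

```python
import io
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

PE_MAGIC = b"MZ"                                  # DOS header magic of every PE image
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com"}  # extensions where a PE is expected


def build_sample_zip() -> bytes:
    """Constructed sample archive for demonstration only.

    It mimics the layout a sideloading package would have: a benign-looking
    tool, a DLL beside it, and a 'text' file that is actually a PE image.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tool/viewer.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("tool/version.dll", PE_MAGIC + b"\x00" * 62)
        zf.writestr("tool/readme.txt", b"usage: run viewer.exe")
        zf.writestr("tool/changelog.txt", PE_MAGIC + b"\x00" * 62)  # disguised PE
        zf.writestr("docs/notes.txt", b"nothing here")
    return buf.getvalue()


def triage_zip(zip_bytes: bytes) -> dict:
    """Return sideload candidates (exe, dll in one directory) and disguised PEs."""
    findings = {"sideload_pairs": [], "disguised_pe": []}
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})

    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            suffix = path.suffix.lower()

            # Read only the first two bytes; enough to spot a PE header.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC and suffix not in EXEC_SUFFIXES:
                findings["disguised_pe"].append(info.filename)

            if suffix == ".exe":
                by_dir[str(path.parent)]["exe"].append(info.filename)
            elif suffix == ".dll":
                by_dir[str(path.parent)]["dll"].append(info.filename)

    # Any EXE/DLL pair sharing a directory is a sideloading candidate:
    # Windows searches the application directory first for most DLL names.
    for files in by_dir.values():
        for exe in files["exe"]:
            for dll in files["dll"]:
                findings["sideload_pairs"].append((exe, dll))
    return findings


if __name__ == "__main__":
    for key, items in triage_zip(build_sample_zip()).items():
        print(key, items)
```

A hit here is a reason to quarantine and inspect, not proof of malice; plenty of legitimate portable tools ship a DLL next to their EXE, so this check belongs at the gate of a download policy, feeding a sandbox or analyst queue rather than blocking on its own.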
The CGrabber stealer amplifies the campaign’s impact by targeting a broad spectrum of high‑value data. It extracts saved credentials from major browsers, siphons private keys from over 150 cryptocurrency wallets, and harvests tokens from communication platforms such as Telegram and Discord. By encrypting exfiltrated payloads with ChaCha20 and using custom HTTP headers, the malware evades network‑based detection and ensures that stolen data reaches command‑and‑control servers securely. For organizations, the breadth of compromised assets—from VPN accounts to crypto holdings—poses both operational disruption and regulatory compliance risks.
Mitigating this threat requires a layered approach beyond traditional antivirus. Security teams should enforce strict download policies for archives originating from code repositories, employ behavioral analytics to spot anomalous DLL loading, and monitor for the absence of expected sandbox artifacts. Threat‑intelligence feeds that flag emerging families like Direct‑Sys and CGrabber can accelerate response times. As attackers continue to weaponize trusted platforms, organizations must prioritize secure software‑supply‑chain practices and continuous endpoint visibility to stay ahead of these sophisticated evasion techniques.
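The "behavioral analytics to spot anomalous DLL loading" recommended above can start with plain image-load telemetry. The example below is added here and is not part of the original article: it parses constructed Sysmon Event ID 7 (ImageLoad) records written in key=value form (field names `Image`, `ImageLoaded`, `Signed` and `SignatureStatus` follow Sysmon's schema; the events themselves are made up) and raises an alert when a DLL is loaded from a user-writable location beside its host executable, or is unsigned and loaded from such a location.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 records (illustrative, not real campaign telemetry).
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Program Files\Notepad++\notepad++.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true SignatureStatus=Valid",
    r"EventID=7 Image=C:\Users\alice\Downloads\tool\viewer.exe ImageLoaded=C:\Users\alice\Downloads\tool\version.dll Signed=false SignatureStatus=Unavailable",
    r"EventID=7 Image=C:\Program Files\Vendor\app.exe ImageLoaded=C:\Users\alice\AppData\Local\Temp\helper.dll Signed=false SignatureStatus=Unavailable",
    r"EventID=7 Image=C:\Users\alice\Downloads\setup.exe ImageLoaded=C:\Windows\System32\ntdll.dll Signed=true SignatureStatus=Valid",
]

# Locations an unprivileged user can write to; extend for your environment.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)|temp|windows\\temp)\\",
    re.IGNORECASE,
)

# key=value pairs whose values may contain spaces (e.g. "Program Files").
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one key=value record into a dict."""
    return {key: value for key, value in FIELD.findall(line)}


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def analyze(lines):
    """Return (dll_path, reason) alerts for suspicious DLL loads."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        image = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        if dll.suffix.lower() != ".dll":
            continue

        unsigned = ev.get("Signed", "").lower() != "true"
        dll_writable = is_user_writable(str(dll))
        same_dir = dll.parent == image.parent  # PureWindowsPath compares case-insensitively

        if dll_writable and same_dir:
            alerts.append((str(dll), "possible sideload: DLL beside executable in user-writable path"))
        elif dll_writable and unsigned:
            alerts.append((str(dll), "unsigned DLL loaded from user-writable path"))
    return alerts


if __name__ == "__main__":
    for dll_path, reason in analyze(SAMPLE_EVENTS):
        print(f"ALERT {reason}: {dll_path}")
```

Two of the four constructed events fire: the DLL loaded from the extracted `Downloads\tool` folder next to its EXE, and the unsigned DLL pulled from `AppData\Local\Temp` by an installed application. The loads from `System32` stay quiet regardless of where the host executable lives, which keeps the rule focused on the load location rather than on the process.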