{"id":45522,"date":"2026-04-18T00:11:35","date_gmt":"2026-04-17T16:11:35","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/18\/new-cgrabber-and-direct-sys-malware-spread-through-github-zip-files\/"},"modified":"2026-04-18T00:11:35","modified_gmt":"2026-04-17T16:11:35","slug":"new-cgrabber-and-direct-sys-malware-spread-through-github-zip-files","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/18\/new-cgrabber-and-direct-sys-malware-spread-through-github-zip-files\/","title":{"rendered":"New CGrabber and Direct-Sys Malware Spread Through GitHub ZIP Files"},"content":{"rendered":"\n

Researchers at exposure management services provider Cyderes have discovered a clever new multi-stage malware campaign<\/a> that successfully bypasses antivirus software to drain data from unsuspecting users. The firm\u2019s research, shared with Hackread.com, reveals that the campaign relies on two brand-new malware families named Direct-Sys Loader and CGrabber Stealer.<\/p>\n

Malware Delivery via GitHub<\/strong><\/h3>\n

Cyderes\u2019 unit of elite cybersecurity researchers, Howler Cell Threat Research Team, found that the attack begins with ZIP archives<\/a> distributed through GitHub user attachment links. One recurring filename discovered was Eclipsyn.zip<\/code>. <\/p>\n

These archives contain a legitimate, Microsoft-signed program called Launcher_x64.exe<\/code>.  This trusted file is tricked into running a malicious component through DLL sideloading<\/a>, and the component is disguised as a dependency named msys-crypto-3.dll<\/code>. In the next phase of the attack, the Direct-Sys Loader begins its work.<\/p>\n

The blog post <\/a>reveals that this loader runs a series of checks to see if it is being monitored before doing anything. It then searches for 67 different security tools and also checks for virtual environments like VMware<\/a>, Hyper-V, or VirtualBox. <\/p>\n

If the loader detects a researcher\u2019s sandbox, it simply quits. As per researchers, the malware uses direct syscalls to communicate directly with the operating system kernel. This helps it remain undetected because it silently bypasses the usual security hooks that monitor for suspicious activity, making it a very effective tool for silent intrusion.<\/p>\n

CGrabber Data Theft<\/strong><\/h3>\n

After the loader confirms the system is undefended, it executes the final payload known as the CGrabber Stealer, which is responsible for stealing the data. And, it does a fairly good job by grabbing an enormous range of personal information across dozens of apps. <\/p>\n

CGrabber, reportedly, steals saved passwords, credit card info, and cookies from browsers like Chrome, Edge, Brave, and Firefox, and also targets private keys from over 150 crypto apps, including MetaMask, Exodus<\/a>, Coinbase<\/a>, and Binance. <\/p>\n

Even communication tools are not spared as the stealer obtains data from Telegram, Discord, Steam, and VPN services like NordVPN and ProtonVPN. Additionally, the stealer performs a CIS check (regional location check), and if the device is located in a country within the Commonwealth of Independent States, it immediately shuts down. Researchers noted that this is a common tactic threat actors use to avoid alerting law enforcement in those specific regions.<\/p>\n