AntiMalwareJuly 13, 2026🇷🇺Translated from Russian

Fake Telegram Proxy Repositories on GitHub Deliver Stealer Malware to Home Users Seeking to Bypass Restrictions

Home users searching for ways to bypass Telegram restrictions are falling victim to a new wave of malware distributed through GitHub and its mirror sites. Experts from Solar 4RAYS, part of GC Solar, have identified numerous fake repositories that appear in top positions of Russian search engine results and deliver information-stealing trojans instead of functional proxy tools.

Attackers have rapidly capitalized on increased demand for Telegram proxies. When legitimate repository links disappear from search results, malicious pages immediately occupy the freed space. Users encounter familiar names, polished descriptions, and seemingly authentic project pages, leading them to download what they believe is legitimate software.

The counterfeit repositories are crafted with considerable attention to detail. Fraudsters replicate the original README files, project layout, and even the donation information of genuine developers, making the deception difficult to detect at first glance. Once executed, the payloads—identified as Salat Stealer, Santa Stealer, and similar variants—harvest browser sessions, login credentials, and files of targeted formats.

How the Infection Works

The attack chain begins with users seeking proxy solutions to restore access to Telegram. Instead of obtaining working tools, they receive malware capable of extracting sensitive data that can be used for account hijacking and further fraud. The high level of trust placed in GitHub as a reputable hosting platform significantly increases the success rate of these campaigns.

While GitHub provides the infrastructure, the platform cannot always review the large volume of newly uploaded files in real time. This gap is actively exploited by threat actors who create convincing replicas of popular utilities.

Recommendations from Researchers

Security experts advise against downloading utilities automatically. Key red flags include:

  • A brand-new author account with no history
  • Absence of stars, forks, or issue reports
  • Lack of commit history or bug tracking
  • Explicit instructions to disable antivirus software before installation

Any of these signs should prompt users to avoid the repository entirely and seek verified sources through official channels.