Impersonated Software Downloads Used to Deliver Malware via Lookalike Repos and Domains
Threat actors are abusing software-brand impersonation to trick users into installing malware from fake distribution points, relying on social engineering rather than software exploits. Datadog reported an active campaign using fake GitHub repositories that impersonate established technology companies and leverage the ClickFix technique—prompting victims to copy/paste commands into Terminal (macOS) or PowerShell/Run (Windows)—to install infostealers. Datadog observed iterative updates to the MacSync lure and a new macOS infostealer variant self-branded as “SHub Stealer v2.0”, with expanded capabilities including persistence and remote access, alongside anti-analysis/evasion features intended to hinder detection and track infection outcomes; Datadog also assessed signs the actor is expanding toward Windows infostealer functionality.
Separately, Malwarebytes documented a lookalike 7-Zip download site (7zip[.]com, impersonating the legitimate 7-zip.org) distributing a trojanized installer that installs a working 7-Zip File Manager while silently converting infected Windows systems into residential proxy nodes. The installer was Authenticode-signed with a certificate issued to Jozeal Network Technology Co., Limited (now revoked), and it dropped additional components—Uphero.exe (service manager/update loader), hero.exe (Go-compiled proxy payload), and hero.dll—under C:\Windows\SysWOW64\hero\; one reported case surfaced via Microsoft Defender detection Trojan:Win32/Malgent!MSR after the system had been exposed for an extended period. Together, the reporting highlights a sustained risk from trusted-brand impersonation and “looks legitimate” installers/repositories that deliver credential theft or monetize endpoints via proxyware.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
IOCs published and GitHub abuse reported for takedown
Researchers published indicators of compromise for the fake 7-Zip campaign, including file hashes, domains, and Cloudflare-fronted IP addresses, and advised treating systems that ran installers from 7zip[.]com as compromised. Separately, Datadog reported the impersonating GitHub repositories and staging pages involved in the ClickFix campaign to GitHub for takedown.
MacSync malware updated and SHub Stealer v2.0 emerged
Datadog observed the campaign's tooling evolve, including updates to the MacSync macOS infostealer and the appearance of a more capable variant calling itself SHub Stealer v2.0. SHub added persistence, remote command execution, broader enterprise file targeting, and improved wallet-extension theft capabilities.
Fake GitHub repos used to deliver ClickFix-based infostealer campaign
An active campaign used fake GitHub repositories impersonating well-known software companies to lure victims into ClickFix infection flows. Victims were socially engineered into pasting commands into Terminal on macOS or PowerShell/Run on Windows, with GitHub Pages staging sites handling OS detection, fingerprinting, and redirection.
Researchers linked fake 7-Zip malware to broader upStage Proxy operation
Analysis of the trojanized 7-Zip installer connected the activity to a wider proxyware operation referred to as upStage Proxy, with related binaries impersonating other brands. Researchers documented the malware's persistence, firewall manipulation, host profiling, and C2 communications over TLS, DNS-over-HTTPS, and an XOR-obfuscated protocol.
Trojanized 7-Zip installer distributed via lookalike 7zip.com site
A fake 7-Zip website, 7zip[.]com, began distributing a trojanized installer that provided expected 7-Zip functionality while covertly installing proxyware. The campaign relied on user trust and misdirected links, including YouTube tutorials pointing users to the fake domain instead of the legitimate 7-zip.org.
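For the 7-Zip proxyware described above, here is an added host-triage script (not code from the Malwarebytes or Datadog reports) that checks a Windows machine for the artifacts the reporting names: the drop directory, the three dropped components, services and firewall rules pointing at them, leftover installers signed under the revoked certificate's subject, and Defender history for the cited detection name. The Add-Finding helper, the service match by path rather than name, and the scan of user Downloads folders are my assumptions, not details from the reports.

```powershell
# Added triage script; not code from the Malwarebytes or Datadog reports. Checks a Windows host
# for artifacts the page attributes to the trojanized 7-Zip installer. Run as Administrator.
$HeroDir   = 'C:\Windows\SysWOW64\hero'                 # drop directory named in the report
$HeroFiles = 'Uphero.exe', 'hero.exe', 'hero.dll'       # dropped components named in the report
$BadSigner = 'Jozeal Network Technology'                 # subject of the (now revoked) signing cert
$Detection = 'Trojan:Win32/Malgent!MSR'                  # Defender name quoted in the report
$findings  = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {   # helper (assumption, not from the report)
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Dropped files, with their Authenticode status (a revoked cert no longer verifies as Valid)
foreach ($name in $HeroFiles) {
    $path = Join-Path $HeroDir $name
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        Add-Finding 'DroppedFile' "$path status=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
    }
}
# 2. Services and processes backed by that directory (the report does not give a service name,
#    so match on the binary path instead of a name)
Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$HeroDir*" } |
    ForEach-Object { Add-Finding 'Service' "$($_.Name) state=$($_.State) path=$($_.PathName)" }
Get-Process | Where-Object { $_.Path -like "$HeroDir\*" } |
    ForEach-Object { Add-Finding 'Process' "$($_.ProcessName) pid=$($_.Id) path=$($_.Path)" }
# 3. Firewall rules pointing at the payload (the report notes firewall manipulation)
Get-NetFirewallApplicationFilter | Where-Object { $_.Program -like "$HeroDir\*" } | ForEach-Object {
    $rule = $_ | Get-NetFirewallRule
    Add-Finding 'FirewallRule' "$($rule.DisplayName) $($rule.Direction)/$($rule.Action) program=$($_.Program)"
}
# 4. Leftover installers signed under the revoked certificate's subject. Assumption: the user
#    kept the downloaded installer; scanning Downloads folders is my choice, not the report's.
Get-ChildItem 'C:\Users\*\Downloads\*.exe' -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -like "*$BadSigner*") {
        Add-Finding 'SignedBySuspectCert' "$($_.FullName) status=$($sig.Status)"
    }
}
# 5. Defender history for the detection name the report cites (Defender module may be absent)
try {
    Get-MpThreat -ErrorAction Stop | Where-Object { $_.ThreatName -eq $Detection } |
        ForEach-Object { Add-Finding 'DefenderHistory' "$($_.ThreatName) severity=$($_.SeverityID)" }
} catch { Add-Finding 'Info' "Defender module unavailable: $($_.Exception.Message)" }

if ($findings.Count -eq 0) { 'No artifacts from the trojanized 7-Zip campaign found on this host.' }
else { $findings | Format-Table -AutoSize; Write-Warning 'Treat this host as compromised per the published guidance.' }
```

Any hit in checks 1 to 3 matches the published advice to treat the host as compromised; an absence of hits does not clear a host that ran the installer, since the reporting describes the proxyware updating itself.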