Fake Open-Source Download Sites Funnel Victims to TDS and Malware
A large-scale campaign has impersonated popular open-source and freeware projects, including Ghidra, dnSpy, and SpiderFoot, to capture search traffic and hijack software download clicks. Researchers found that the fake sites use CloudFront-hosted JavaScript to intercept a visitor’s first interaction and send users into a gated Traffic Distribution System (TDS) that performs anti-bot screening, VPN and datacenter filtering, click confirmation, and frequency capping before deciding what content to serve.
The infrastructure appears primarily built for traffic acquisition and monetization, but selected victims were repeatedly routed into malware delivery chains. Those chains included SessionGate, a heavily obfuscated multi-stage framework with strong anti-analysis protections that mainly delivered potentially unwanted applications, as well as RemusStealer and AnimateClipper, which were used to deploy an infostealer and a cryptocurrency clipper. Researchers said the operation has been active since at least late 2025, with active malware distribution observed from early 2026 and more than 5,000 VirusTotal submissions indicating significant scale.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Active malware delivery observed through the fake-site ecosystem
Researchers observed active malware distribution from early January 2026, with selected users routed through a gated traffic distribution system into delivery chains involving SessionGate, RemusStealer, and AnimateClipper.
Campaign begins impersonating open-source and freeware projects
Check Point Research reported that the malware distribution ecosystem had been active since at least late 2025, using fake sites that impersonated popular open-source and freeware projects to capture search traffic and hijack download clicks.
Check Point Research publishes analysis of the distribution ecosystem
On 2026-06-03, Check Point Research published its analysis describing the impersonation campaign, click hijacking via CloudFront-hosted JavaScript, and the TDS-based routing and malware monetization ecosystem behind it.
Infrastructure activity traced back to September 2025
Check Point assessed that the fake-site infrastructure was active as early as September 2025, initially operating as a traffic acquisition and monetization scheme before being repurposed for malware delivery later. This pushes the known start of the ecosystem earlier than previously captured in the timeline.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Hackers Impersonate Ghidra, dnSpy, and SpiderFoot to Spread Malware via Fake Download Sites
cybersecuritynews.com
Open sourceFake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS
thehackernews.com
Open sourceImpersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem - Check Point Research
research.checkpoint.com
Open sourceInside a global campaign hijacking open-source project identities
fullstory.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
SEO Poisoning and Fake Software Downloads Used to Deliver Credential Theft and RAT Malware
Threat actors are using **software impersonation** and **SEO poisoning** to push victims toward fake download sites for trusted enterprise and IT tools, then delivering malware through trojanized installers. In one campaign, **Storm-2561** used spoofed VPN vendor pages for products such as **Pulse Secure, Fortinet, and Ivanti** to steal enterprise VPN credentials. The malicious packages were hosted on GitHub, signed with a certificate issued to **"Taiyuan Lihua Near Information Technology Co., Ltd."**, and designed to show an error before redirecting victims to the legitimate vendor site, reducing suspicion while exfiltrating credentials. A separate but closely related campaign used fake **FileZilla** download pages to distribute a **Remote Access Trojan** through multi-stage loaders and **DLL sideloading**. Attackers bundled legitimate FileZilla software with a malicious `version.dll`, or dropped the DLL during installation so the malware would execute while the expected application appeared to install normally. Both reports describe the same broader intrusion pattern: adversaries abusing trusted brands, realistic lookalike websites, and legitimate software packaging to compromise users who believe they are downloading authentic tools. A separate **Warlock** intrusion analysis describing web shells, lateral movement, tunneling, and ransomware activity is a different incident and does not match this malware-delivery story.
Apr 26, 2026
Impersonated Software Downloads Used to Deliver Malware via Lookalike Repos and Domains
Threat actors are abusing **software-brand impersonation** to trick users into installing malware from fake distribution points, relying on social engineering rather than software exploits. Datadog reported an active campaign using **fake GitHub repositories** that impersonate established technology companies and leverage the **ClickFix** technique—prompting victims to copy/paste commands into *Terminal* (macOS) or *PowerShell/Run* (Windows)—to install infostealers. Datadog observed iterative updates to the *MacSync* lure and a new macOS infostealer variant self-branded as **“SHub Stealer v2.0”**, with expanded capabilities including **persistence** and **remote access**, alongside anti-analysis/evasion features intended to hinder detection and track infection outcomes; Datadog also assessed signs the actor is expanding toward **Windows infostealer** functionality. Separately, Malwarebytes documented a lookalike **7-Zip** download site (`7zip[.]com`, impersonating the legitimate `7-zip.org`) distributing a **trojanized installer** that installs a working 7-Zip File Manager while silently converting infected Windows systems into **residential proxy nodes**. The installer was **Authenticode-signed** with a certificate issued to **Jozeal Network Technology Co., Limited** (now revoked), and it dropped additional components—`Uphero.exe` (service manager/update loader), `hero.exe` (Go-compiled proxy payload), and `hero.dll`—under `C:\Windows\SysWOW64\hero\`; one reported case surfaced via Microsoft Defender detection `Trojan:Win32/Malgent!MSR` after the system had been exposed for an extended period. Together, the reporting highlights a sustained risk from **trusted-brand impersonation** and “looks legitimate” installers/repositories that deliver credential theft or monetize endpoints via proxyware.
Mar 21, 2026
Fake ChatGPT Site and Piracy Portals Deliver Cross-Platform Stealers and Cryptominers
Threat researchers reported two large malware distribution operations that relied on popular consumer lures rather than software exploits. One campaign used piracy sites offering movies, TV shows, books, and digital library content to push fake plugin or browser update prompts; the downloaded ZIP files abused DLL side-loading, ROP-based decryption, and reflective loading to install a modified `SilentCryptoMiner`, a watchdog, a RAT component, and CPU/GPU miners. The malware gated execution through DNS tunneling and date-generated command-and-control infrastructure, harvested host data, and established persistence with a fake `GoogleUpdateTaskMachineQC` service and repeated UAC elevation attempts, with implicated sites drawing roughly 40 million visits in a single month. A separate operation used `openew[.]app`, a fake ChatGPT download page impersonating OpenAI, to infect both Windows and macOS users with platform-specific malware. Windows visitors received a credential-stealing loader disguised as `Chat_GPT.exe`, built with Inno Setup and Electron and launching PowerShell activity that contacted `188.137.246.189`, while macOS users were served **Atomic Stealer (AMOS)** to steal passwords, browser data, Telegram sessions, and cryptocurrency wallet information. Researchers said the macOS payload also attempted to replace legitimate Ledger and Trezor applications with trojanized versions, underscoring a strong cryptocurrency theft motive and showing how attackers are exploiting AI-brand search traffic and piracy demand to scale malware infections.
May 28, 2026