Cybersecurity researchers have uncovered a large-scale operation that impersonates open-source and freeware projects to distribute malware through a sophisticated Traffic Distribution System (TDS). According to Check Point security researcher Alexey Bukhteyev, these deceptive sites are well-designed and often resemble legitimate project portals, sometimes even referencing real upstream resources.
The malicious sites employ a CloudFront-hosted JavaScript staging layer that converts user interactions, such as clicking a ‘download’ button, into a handoff to a TDS. This system enforces strict gating mechanisms, including first-visit state checks, mandatory click confirmations, anti-bot and anti-analysis logic, VPN and datacenter filtering, and frequency capping.
Some of the identified sites mimic trusted reverse-engineering and security tools like Ghidra, dnSpy, and SpiderFoot. Users searching for these tools on search engines like Google may encounter these fraudulent sites, which often rank high in search results. An early iteration of this campaign was documented by Fullstory in November 2025, indicating that the activity has been ongoing since at least September 2025.
Initially, these domains focused on gaining favorable search engine rankings by leveraging the names and popularity of legitimate projects. However, Check Point’s findings reveal that the TDS scripts were embedded shortly after, and the infrastructure was repurposed for malware distribution starting in January 2026.
Clicking the ‘Download’ button on these sites starts a TDS redirection chain that ends in a malware download. Hovering over the button shows the legitimate upstream URL for the tool, which lends the page an appearance of legitimacy: the link target is real, but the staging script intercepts the click and hands it to the TDS instead of following the link. The redirect chains are also engineered so that repeated attempts from the same IP address are served benign software, such as the Opera browser or unwanted browser extensions, which frustrates a second fetch or re-analysis from the same address.
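The following is an added example, not code from the Check Point research or from The Hacker News, that triages a fetched copy of such a page for the indicators described above: a third-party script loaded from a CloudFront distribution, and a download button whose href points at the real upstream while inline JavaScript cancels the click and navigates elsewhere. The sample HTML, the CloudFront distribution name, the page host passed to `triage()` and the TDS hostname are constructed for the example; only the Ghidra release URL in the href is real.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page. The CloudFront distribution name, the TDS hostname
# and the page's own host (passed to triage()) are invented; the href is Ghidra's
# real upstream release page, which is what the mirrored button shows on hover.
SAMPLE_HTML = """
<html><head>
<script src="https://d1a2b3c4d5e6f7.cloudfront.net/stage.js"></script>
</head><body>
<h1>Ghidra - Software Reverse Engineering Framework</h1>
<a id="dl" class="btn" href="https://github.com/NationalSecurityAgency/ghidra/releases">Download</a>
<script>
document.getElementById('dl').addEventListener('click', function (e) {
  e.preventDefault();   // keep the real href for hover, but never follow it
  window.location.href = 'https://tds.example/go?c=' + Date.now();
});
</script>
</body></html>
"""

_PREVENT = re.compile(r"\.preventDefault\s*\(")
_NAVIGATE = re.compile(r"\blocation\b\s*(?:\.href\s*=|\.assign\s*\(|\.replace\s*\(|=)|window\.open\s*\(")


class _Collector(HTMLParser):
    """Collects external script URLs, inline script bodies and anchors with their text."""

    def __init__(self):
        super().__init__()
        self.scripts, self.inline_js, self.anchors = [], [], []
        self._js_buf = None      # list while inside an inline <script>, else None
        self._anchor = None      # (attrs, text parts) while inside an <a>, else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.scripts.append(a["src"])
            else:
                self._js_buf = []
        elif tag == "a":
            self._anchor = (a, [])

    def handle_endtag(self, tag):
        if tag == "script" and self._js_buf is not None:
            self.inline_js.append("".join(self._js_buf))
            self._js_buf = None
        elif tag == "a" and self._anchor is not None:
            attrs, parts = self._anchor
            self.anchors.append((attrs, "".join(parts).strip()))
            self._anchor = None

    def handle_data(self, data):
        if self._js_buf is not None:
            self._js_buf.append(data)
        elif self._anchor is not None:
            self._anchor[1].append(data)


def _listener_hijacks(anchor_id, js):
    """Heuristic: inline JS selects this anchor by id, cancels the default navigation
    and navigates somewhere. Coarse on purpose (the three checks are not scoped to a
    single listener); it is a triage signal for an analyst, not a verdict."""
    if not anchor_id:
        return False
    ident = re.escape(anchor_id)
    selects = re.search(r"getElementById\(\s*['\"]%s['\"]\s*\)|querySelector\(\s*['\"]#%s['\"]\s*\)"
                        % (ident, ident), js)
    return bool(selects and _PREVENT.search(js) and _NAVIGATE.search(js))


def triage(html, page_host):
    """Report third-party scripts and hijacked download links found in one page."""
    c = _Collector()
    c.feed(html)
    c.close()
    page_host = page_host.lower()
    report = {"third_party_scripts": [], "hijacked_download_links": []}
    for src in c.scripts:
        host = (urlparse(src).hostname or "").lower()
        if host and host != page_host:
            report["third_party_scripts"].append(
                {"src": src, "host": host, "cloudfront": host.endswith(".cloudfront.net")})
    js = "\n".join(c.inline_js)
    for attrs, text in c.anchors:
        label = " ".join(v for v in (text, attrs.get("id"), attrs.get("class")) if v).lower()
        if "download" not in label:
            continue
        if attrs.get("onclick"):
            via = "onclick"
        elif _listener_hijacks(attrs.get("id"), js):
            via = "listener"
        else:
            continue
        href = attrs.get("href", "")
        report["hijacked_download_links"].append(
            {"href": href, "href_host": (urlparse(href).hostname or "").lower(), "via": via})
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_HTML, "ghidra-portal.example"), indent=2))
```

Run over the sample, the report lists the CloudFront script and a download link whose `href_host` is `github.com` but whose click is owned by an inline listener. A real page may attach the handler from the external staging script rather than inline, so the absence of a listener finding is not a clean bill of health; the third-party script host is the more reliable of the two signals.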
Some of the payloads distributed via this TDS include:
- SessionGate: A previously unknown multi-stage, obfuscated loader used to deliver potentially unwanted applications (PUA) while incorporating extensive anti-analysis mechanisms to evade detection.
- Remus Stealer: A new information stealer offered under a malware-as-a-service (MaaS) model, capable of stealing data from over 20 browsers, including hundreds of browser extensions and applications such as cryptocurrency wallets, two-factor authentication tools, and password managers. Remus is believed to be a variant of the Lumma Stealer.
- AnimateClipper: A cryptocurrency clipper that substitutes wallet addresses copied to the clipboard, facilitating unauthorized transactions.
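The clipboard substitution that AnimateClipper performs has a simple behavioural signature: an address of one coin lands on the clipboard and is replaced, within milliseconds, by a different address of the same coin. The following is an added example (not code from the Check Point analysis) of a detector over a clipboard poller's snapshots. The snapshot log and the addresses in it are constructed for the example; the regular expressions only check address shape, not checksums.

```python
import re

# Shape checks only (no checksum validation): enough to say "this looks like a
# wallet address of coin X" for the detection below. Legacy and bech32 Bitcoin
# forms and the hex Ethereum form are covered.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the coin whose address shape `text` matches, else None."""
    s = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None


def detect_swaps(snapshots, window_s=2.0):
    """snapshots: (seconds, clipboard_text) pairs from a clipboard poller, in time order.

    A clipper waits for an address to appear and overwrites it with the attacker's
    address of the same coin almost immediately. A person copying two different
    addresses of the same coin within a couple of seconds is rare, so flag same-coin
    replacements inside `window_s`; cross-coin changes and slow changes are ignored.
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        coin = classify(prev)
        if coin is None or classify(cur) != coin:
            continue
        if prev.strip() != cur.strip() and (t_cur - t_prev) <= window_s:
            alerts.append({"t": t_cur, "coin": coin,
                           "copied": prev.strip(), "replaced_with": cur.strip()})
    return alerts


# Constructed poll log (200 ms poll interval). The addresses are shape-valid
# example strings, not real wallets.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for Tuesday"),
    (0.2, "0x1111111111111111111111111111111111111111"),   # user copies an ETH address
    (0.4, "0x2222222222222222222222222222222222222222"),   # replaced 200 ms later: clipper
    (0.6, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),   # different coin next: not a swap
    (61.0, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),  # a minute later: ordinary second copy
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(alert)
```

Feeding the detector from a real poller is platform-specific (a clipboard read loop with a short interval); the detection logic itself is the same. The user-facing counterpart is the check wallets already encourage: compare the pasted address to the one you intended to send to, character by character, before confirming.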
This campaign underscores how criminals exploit the trust placed in open-source tools to distribute malware. Users should download such tools only from the project's own release page or repository, confirm that the download URL really belongs to that project rather than a look-alike domain, and check published checksums or signatures before running anything.
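As an added example of what "verify the authenticity of the source" means in practice (not code from the article or from any of the projects it names), the following checks a download URL against an exact allow-list of release hosts, rejecting the usual look-alike tricks, and then streams the downloaded file through SHA-256 for comparison with a digest published by the upstream project. The allow-list and the `b"abc"` fixture are constructed for the example; the digest of `b"abc"` is the standard SHA-256 test vector.

```python
import hashlib
import hmac
import io
from urllib.parse import urlsplit

# Hosts from which this project's release artefacts may legitimately be fetched.
# Constructed allow-list for the example; a real one comes from the project's own
# documentation (for Ghidra, its GitHub releases page).
ALLOWED_RELEASE_HOSTS = frozenset({"github.com", "objects.githubusercontent.com"})


def is_trusted_download_url(url, allowed_hosts=ALLOWED_RELEASE_HOSTS):
    """Exact-host check that is not fooled by the usual URL tricks: look-alike
    suffixes (github.com.evil.example), userinfo (github.com@evil.example),
    plain http, non-standard ports, or a trailing dot on the hostname."""
    try:
        p = urlsplit(url)
        port = p.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if p.scheme != "https":
        return False
    if p.username is not None or p.password is not None:
        return False
    if port not in (None, 443):
        return False
    host = (p.hostname or "").rstrip(".").lower()
    return host in allowed_hosts


def sha256_of(data_or_stream, chunk_size=1 << 20):
    """SHA-256 of bytes or of a binary file object, read in chunks so a large
    installer is never loaded into memory at once."""
    if isinstance(data_or_stream, (bytes, bytearray)):
        data_or_stream = io.BytesIO(data_or_stream)
    h = hashlib.sha256()
    for block in iter(lambda: data_or_stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def verify_download(url, data_or_stream, expected_sha256):
    """Return (ok, reason). The expected digest must come from the upstream project
    (release notes, a signed checksum file), never from the page serving the file."""
    if not is_trusted_download_url(url):
        return False, "untrusted download host"
    actual = sha256_of(data_or_stream)
    # compare_digest keeps the comparison time independent of where the mismatch is
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        return False, "sha256 mismatch: got %s" % actual
    return True, "ok"


# Constructed fixture: b"abc" stands in for a downloaded installer; this is its
# well-known SHA-256 test-vector digest.
ABC_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

if __name__ == "__main__":
    good = "https://github.com/NationalSecurityAgency/ghidra/releases/download/x/ghidra.zip"
    print(verify_download(good, b"abc", ABC_SHA256))
    print(verify_download("https://github.com@tds.example/ghidra.zip", b"abc", ABC_SHA256))
```

The host check is deliberately an exact match rather than a suffix match: `endswith("github.com")` would accept `notgithub.com`, and a naive substring check would accept `github.com.evil.example`. A digest copied from the same page that served the download proves nothing, which is why the expected value must be taken from the upstream project.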
Source: The Hacker News