
Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS

Published:

4 June 2026 at 09:51:28

Alert date:

4 June 2026 at 10:00:56

Source:

thehackernews.com


Ransomware & Malware, Supply Chain & Dependencies, Web Technologies

Cybersecurity researchers have identified a large-scale operation that creates fake websites impersonating legitimate open-source and freeware projects. These well-designed sites rank high on Google search results and funnel unsuspecting users through a Traffic Distribution System (TDS) to deliver malware. The campaign distributes multiple malware families including Remus Stealer, AnimateClipper, and the SessionGate framework. The fake sites are designed to look legitimate at first glance, sometimes referencing actual project details to increase credibility.

Technical details

Cybersecurity researchers identified a large-scale operation impersonating open-source and freeware projects to deliver malware through a Traffic Distribution System (TDS). The fake sites load a CloudFront-hosted JavaScript staging layer that turns a click on the download button into a handoff to the TDS. That handoff is strictly gated: the script tracks first-visit state, requires an explicit click confirmation, runs anti-bot and anti-analysis checks, filters out VPN and datacenter IP ranges, and applies frequency capping. The TDS redirect chains then deliver malware on the first access from a given IP but hand out benign software on repeated attempts from the same IP, so a second fetch by an analyst or sandbox sees a clean download. Delivery is multi-stage, with extensive validation logic on the client side and TDS-side gating designed to resist analysis. SessionGate acts as a multi-stage obfuscated loader with its own anti-analysis mechanisms. Its final DLL payload contacts external servers, retrieves an encrypted configuration, extracts download URLs from it, and executes the next-stage malware via cmd.exe.

Mitigation steps:

Users should verify download sources by visiting official project repositories directly rather than clicking on search engine results. Organizations should implement web filtering to block known malicious domains and educate users about verifying software download sources. Monitor for SessionGate, Remus Stealer, and AnimateClipper indicators. Be cautious of sites that show legitimate URLs on hover but redirect through multiple stages when clicked.
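The two behaviours that make this campaign hard to triage, a download link whose visible href is legitimate while the click handler goes elsewhere, and a TDS that only serves the payload on the first visit from an IP, can both be checked for in a small script. The following Python is an added example written for this page, not code from the article or the researchers; the site, the TDS and the CDN domains are constructed stand-ins (`.example` TLD), and the `FakeTDS` class simulates the gating described above so the example runs offline. In practice the `fetch` callback would be a real HTTP client such as `urllib.request` that does not follow redirects itself.

```python
"""Triage helpers for fake-download-site campaigns that gate payloads behind a TDS:
(1) a static href/onclick mismatch check for "looks legitimate on hover" links, and
(2) a two-pass redirect-chain walk that surfaces first-visit gating.
Added example; all domains and server behaviour below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline click handlers that navigate somewhere: location=..., location.href=...,
# window.open(...), location.assign(...). Captures the string literal target.
_URL_IN_JS = re.compile(
    r"""(?:location(?:\.href)?\s*=|window\.open\s*\(|location\.assign\s*\()\s*['"]([^'"]+)['"]"""
)


def _host(url):
    return urlparse(url).netloc.lower()


class _AnchorCollector(HTMLParser):
    """Collect the attribute dicts of every <a> tag in a page."""
    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append(dict(attrs))


def mismatched_download_links(html):
    """Return (href, handler_target) pairs where the visible href points at one host
    but an inline click handler sends the browser to a different host."""
    p = _AnchorCollector()
    p.feed(html)
    out = []
    for a in p.anchors:
        href, onclick = a.get("href") or "", a.get("onclick") or ""
        m = _URL_IN_JS.search(onclick)
        if m and _host(href) != _host(m.group(1)):
            out.append((href, m.group(1)))
    return out


def follow_chain(url, fetch, max_hops=10):
    """Follow HTTP redirects one hop at a time without letting the client auto-follow.
    `fetch(url)` returns (status, headers, body) with lower-case header names.
    Returns (hops, content_type, body) of the terminal response."""
    hops = [url]
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            url = headers["location"]
            hops.append(url)
            continue
        return hops, headers.get("content-type", ""), body
    raise RuntimeError("redirect loop or chain longer than max_hops")


def first_visit_gating(url, fetch):
    """Walk the chain twice from the same client. A TDS that serves the payload only on
    first access yields a different terminal artifact on the second pass; that
    difference is the signal, and it means a single sandbox run can miss the malware."""
    first = follow_chain(url, fetch)
    second = follow_chain(url, fetch)
    return {"first": first[:2], "second": second[:2], "gated": first[1:] != second[1:]}


class FakeTDS:
    """Constructed stand-in for the staging layer + TDS (not the real infrastructure):
    the first request from a client IP is redirected to an .exe, later requests from
    the same IP to a benign archive of the real tool."""
    def __init__(self):
        self.seen = set()

    def fetch(self, client_ip):
        def _fetch(url):
            host = _host(url)
            if host == "ghidra-download.example":          # fake project site (constructed)
                return 302, {"location": "https://tds.example/go?c=1"}, b""
            if host == "tds.example":                      # TDS gate (constructed)
                if client_ip in self.seen:
                    return 302, {"location": "https://cdn.example/ghidra_11.zip"}, b""
                self.seen.add(client_ip)
                return 302, {"location": "https://cdn.example/Ghidra-Setup.exe"}, b""
            if url.endswith(".exe"):
                return 200, {"content-type": "application/x-msdownload"}, b"MZ..."
            return 200, {"content-type": "application/zip"}, b"PK..."
        return _fetch


# Constructed sample page: the href a user sees on hover is the real Ghidra releases
# page, but the click handler hands the browser to the TDS instead.
SAMPLE_HTML = """<a href="https://github.com/NationalSecurityAgency/ghidra/releases"
   onclick="window.location='https://tds.example/go?c=1';return false;">Download</a>
<a href="/docs">Documentation</a>"""

if __name__ == "__main__":
    print("href/onclick mismatches:", mismatched_download_links(SAMPLE_HTML))
    tds = FakeTDS()
    print(first_visit_gating("https://ghidra-download.example/download", tds.fetch("203.0.113.7")))
```

When running this against a live site, fetch from an egress IP the site has not seen, make the chain walker send a browser-like User-Agent, and keep both terminal artifacts: the gating check only fires if the second pass from the same IP returns something different, which is exactly what the staging layer's frequency capping is designed to produce.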

Affected products:

Ghidra
dnSpy
SpiderFoot
Opera browser
Browser extensions
Cryptocurrency wallets
Two-factor authentication tools
Password managers
20+ browsers
20+ blockchain ecosystems

Related links:

Related CVEs:

Related threat actors:

IOCs:

SessionGate malware family, Remus Stealer, AnimateClipper cryptocurrency clipper, CloudFront-hosted JavaScript staging layer, TDS redirect chains, Fake open-source project domains ranking high on Google

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
