Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS

Summary

Cybersecurity researchers discovered a large-scale operation impersonating legitimate open-source projects (Ghidra, dnSpy, SpiderFoot) to distribute malware through a Traffic Distribution System. The fake sites rank highly in Google search results and use CloudFront-hosted JavaScript to redirect users to malware delivery infrastructure, deploying families like Remus Stealer, AnimateClipper, and SessionGate. The campaign, ongoing since September 2025 for traffic monetization, shifted to active malware distribution in January 2026 with anti-analysis and anti-bot gating mechanisms.

Full text

Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS Swati KhandelwalJun 04, 2026Malware / Open Source Cybersecurity researchers have flagged a large-scale operation that impersonates open-source and freeware projects to funnel unsuspecting users through a Traffic Distribution System (TDS) and deliver malware families like Remus Stealer, AnimateClipper, and the SessionGate framework. "The sites are well-designed and often look like legitimate project portals at a glance, sometimes referencing real upstream resources," Check Point security researcher Alexey Bukhteyev said in a breakdown of the campaign. "The deception is not in the page content alone, it's in what happens when a user interacts." "These pages load a CloudFront-hosted JavaScript staging layer that converts a click on a 'download' button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping." It's suspected that the operation is designed for traffic acquisition and monetization, while leading select users to malware delivery infrastructure. Some of the identified sites mimic trusted reverse-engineering and security tooling such as Ghidra, dnSpy, and SpiderFoot. Attack chains specifically target users looking for such tools on search engines like Google, causing the bogus sites to be surfaced on top of the search results. An early iteration of the campaign was documented by Fullstory in November 2025. Evidence indicates that the activity has been ongoing since September 2025. "These domains are focused on gaining favorable search engine rankings by leveraging the name, brand, and popularity of the original web sites and projects," the Atlanta-based company noted at the time. "Many sites are in the top rankings on Google for the relevant search term, often eclipsing the real project's web site. This makes their visibility an asset and can maximize links and content." Although there was no indication that any of these domains were put to use for malicious activity, other than to generate content to drive traffic and enable third-parties to advertise their own sites, the latest findings from Check Point show that the TDS scripts were embedded not long after, and the infrastructure was repurposed for malware distribution starting January 2026. Clicking the "Download" button initiates a TDS redirection chain that results in the deployment of malware. One of the most striking aspects is that hovering over the button reveals the legitimate URL from where the tool can be downloaded, thereby lending the site a veneer of legitimacy. The redirect chains are also engineered such that repeated attempts to enter it from the same IP address result in the download of benign software, like the Opera browser or unnecessary browser extensions. Some of the payloads distributed via this TDS are listed below - SessionGate, a previously unknown multi-stage, obfuscated loader that's used to deliver potentially unwanted applications (PUA) while incorporating extensive anti-analysis mechanisms to throw off sandboxes by pivoting to a benign installer experience. Remus Stealer, a new information stealer offered under a malware-as-a-service (MaaS) model, can steal data from more than 20 browsers, including hundreds of browser extensions and applications, such as cryptocurrency wallets, two-factor authentication tools, and password managers. Remus is believed to be a variant of the Lumma Stealer. AnimateClipper, a cryptocurrency clipper that can substitute wallet addresses copied to the clipboard and hijack transactions across more than 20 blockchain ecosystems. It's delivered by means of a ClickFix lure. An analysis of VirusTotal telemetry has revealed approximately 2,000 to 3,500 submissions of samples associated with the SessionGate family to date. The vast majority of the submissions have originated from Turkey, Poland, Brazil, Germany, France, Russia, and the U.K. The end goal of the SessionGate infection sequence is to drop a payload that's unique per client and delivered only after traversing the redirect path end-to-end. The multi-stage delivery chain, combined with an extensive validation logic and TDS-side gating, is designed to resist analysis and make payload retrieval a challenging task for analysts. The final DLL payload is responsible for communicating with an external server, retrieving an encrypted configuration from the server, extracting the download URL from the configuration, and downloading and silently executing the next-stage malware via "cmd.exe." "The entry sites mimic legitimate open-source project portals, preserve real GitHub links to pass quick visual checks, and then use click interception to route the first download click into a gated TDS stack," Bukhteyev said. "The more plausible primary objective is traffic acquisition and monetization. However, by embedding a gated TDS layer and funneling search traffic into it, the operators become part of a distribution chain whose downstream consumers can include malware distributors. The same traffic pipeline that drives gray monetization can also selectively route real users to malicious payloads." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cryptocurrency, cybersecurity, Malware, Open Source, search engine optimization, Traffic Distribution System ⚡ Top Stories This Week Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm ⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More Malicious npm Package Stole Files From Claude AI User Directory via GitHub GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions ⭐ Featured Resources Your Employees Are Using AI in Ways You Can’t See – 2026 State of AI Report Learn How to Stop Attacks Before They Reach Your EDR – With PHASR Watch AI Turn Vulnerabilities Into Working Exploits in Minutes (See the Demo) [Guide] The Real Security Risks of Shadow AI (And Where You’re Exposed)

Indicators of Compromise

• malware — Remus Stealer
• malware — AnimateClipper
• malware — SessionGate
• malware — Lumma Stealer

Entities