Fake Open Source Software Sites Rank On Google To Deliver Malware Through Traffic Distribution Systems

Cybersecurity researchers have identified a large-scale malicious campaign that uses fake websites impersonating open source and freeware software projects to distribute malware through a Traffic Distribution System (TDS). The operation is designed to attract users searching for legitimate tools on search engines, especially Google, and to redirect them through attacker-controlled infrastructure that ultimately delivers malicious payloads. The campaign has been linked to multiple malware families, including Remus Stealer, AnimateClipper, and a multi-stage framework known as SessionGate, which is being used as part of an evolving malware delivery ecosystem.

According to analysis shared by Check Point researcher Alexey Bukhteyev, the deceptive websites are carefully constructed to resemble authentic project portals, often referencing real upstream resources such as legitimate GitHub repositories or well-known open source projects. This design allows the pages to pass a user's initial visual inspection, creating a sense of legitimacy before any interaction takes place. The core deception relies not only on static page content but on dynamic behavior triggered after user interaction, in particular clicking download buttons that appear to start a legitimate software download.

Once a user interacts with these pages, a CloudFront-hosted JavaScript staging layer activates and converts the download request into a handoff to a Traffic Distribution System. This TDS layer applies strict filtering rules, including first-visit validation, mandatory click confirmation, anti-bot and anti-analysis checks, VPN and datacenter detection, and frequency-based access controls. These mechanisms are designed to separate regular users from automated analysis systems while ensuring that only selected traffic proceeds further down the infection chain. Researchers noted that the same infrastructure may also serve traffic monetization purposes, but it has increasingly been repurposed to deliver malware payloads to targeted users.

The campaign specifically targets individuals searching for reverse engineering and security-related tools such as Ghidra, dnSpy, and SpiderFoot, using search engine optimization techniques to place fraudulent domains at the top of search results. Earlier observations from Fullstory in November 2025 indicated that such domains were already achieving high search rankings by leveraging the branding and popularity of legitimate software projects. Over time this infrastructure evolved, and by January 2026 TDS scripts were embedded into these sites, transforming them from traffic generation pages into active malware distribution nodes. Clicking the download button initiates a redirect chain that ultimately leads to malicious payload delivery, while hovering over the button may still display a legitimate URL to maintain user trust.

Further analysis reveals that the distribution system uses adaptive logic based on user behavior and IP reputation. Repeated visits from the same IP address may result in the delivery of benign software such as the Opera browser or unnecessary browser extensions, while other users are routed toward malware payloads. Among the identified threats, SessionGate functions as a multi-stage loader with anti-analysis capabilities designed to evade sandbox detection and deliver potentially unwanted applications. Remus Stealer operates under a malware-as-a-service model and is capable of extracting data from more than 20 browsers, including extensions, cryptocurrency wallets, two-factor authentication tools, and password managers; it is believed to be related to Lumma Stealer variants. AnimateClipper focuses on cryptocurrency theft by replacing clipboard wallet addresses and manipulating transactions across multiple blockchain ecosystems, and is delivered through ClickFix-based lures.

Telemetry data from VirusTotal shows between 2,000 and 3,500 submissions linked to SessionGate samples, with activity observed across regions including Turkey, Poland, Brazil, Germany, France, Russia, and the United Kingdom. The final stage of the infection chain involves encrypted configuration retrieval from external servers, extraction of payload URLs, and silent execution of malware through system processes such as cmd.exe. Researchers noted that the combination of search engine manipulation, TDS-based gating, and multi-stage payload delivery creates a resilient distribution pipeline that is difficult to analyze and is capable of selectively delivering malicious content only after the redirect chain has been fully traversed.
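The redirect chain described above (search engine result, lookalike project site, CloudFront-hosted staging script, TDS redirect, payload hosted elsewhere) leaves a recognisable sequence in web proxy logs. The following detection sketch is an added example, not part of the report or of any vendor tooling: it reconstructs per-client sessions from constructed log lines and flags clients that traverse at least two stages of the chain. The brand keywords come from the tools named in the article; the allowlist of official hosts and the log format are assumptions an analyst would tune to their environment.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not real indicators): src_ip referrer host path
SAMPLE_LOG = """\
10.0.0.7 https://www.google.com/search?q=ghidra+download ghidra-downloads.example /
10.0.0.7 https://ghidra-downloads.example/ d111111abcdef8.cloudfront.net /stage.js
10.0.0.7 https://ghidra-downloads.example/ tds-redirector.example /go?c=1
10.0.0.7 https://tds-redirector.example/ files-cdn.example /Ghidra_Setup.exe
10.0.0.9 https://www.google.com/search?q=ghidra ghidra-sre.org /
10.0.0.9 https://ghidra-sre.org/ github.com /NationalSecurityAgency/ghidra/releases/download/x/ghidra.zip
"""

BRANDS = ("ghidra", "dnspy", "spiderfoot")       # projects named in the report
OFFICIAL = {"ghidra-sre.org", "github.com"}     # assumed allowlist, maintained by the analyst
SEARCH_ENGINES = ("google.", "bing.", "duckduckgo.")
PAYLOAD_EXT = re.compile(r"\.(exe|msi|zip|7z)$", re.I)

def parse(log):
    """Group (referrer, host, path) events by source IP, in log order."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        ip, ref, host, path = line.split(" ", 3)
        sessions[ip].append((ref, host, path))
    return sessions

def ref_host(ref):
    return ref.split("/")[2] if "://" in ref else ""

def score_session(events):
    """Return the chain stages seen: lookalike site reached from a search engine,
    then a CloudFront-hosted script, then an executable fetched from a third host."""
    stages = []
    for ref, host, path in events:
        brand_hit = any(b in host for b in BRANDS)
        if any(s in ref_host(ref) for s in SEARCH_ENGINES) and brand_hit and host not in OFFICIAL:
            stages.append("lookalike_from_search")
        if host.endswith(".cloudfront.net") and path.endswith(".js") and "lookalike_from_search" in stages:
            stages.append("cloudfront_stager")
        if (PAYLOAD_EXT.search(path) and host not in OFFICIAL
                and "lookalike_from_search" in stages and ref_host(ref) != host):
            stages.append("payload_offsite")
    return stages

def find_suspicious(log):
    """Map each client IP to its observed stages, keeping only multi-stage matches."""
    scored = ((ip, score_session(ev)) for ip, ev in parse(log).items())
    return {ip: st for ip, st in scored if len(st) >= 2}
```

A client that lands on the official site and downloads from the upstream repository produces no stages, so the allowlist is what keeps legitimate traffic out of the alert.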
