Sophisticated Campaign Impersonates Open-Source Projects to Deliver Advanced Malware
Cybersecurity researchers have uncovered a widespread operation leveraging meticulously crafted fake websites for popular open-source and freeware projects. This campaign employs a sophisticated **Traffic Distribution System (TDS)** to funnel unsuspecting users towards potent malware, including the **Remus Stealer**, **AnimateClipper**, and the multi-stage **SessionGate** framework. IT security professionals and privacy-conscious users are urged to exercise extreme caution when downloading software.
A large-scale malicious operation is actively impersonating legitimate open-source and freeware projects, deceiving users into downloading advanced malware. The campaign's modus operandi involves creating highly convincing fake portals that mimic popular tools, then using a **Traffic Distribution System (TDS)** to filter and deliver various malicious payloads.
### The Deceptive Lure of Fake Portals
Security researchers at **Check Point** have shed light on this elaborate scheme. **Alexey Bukhteyev**, a **Check Point** security researcher, noted that "The sites are well-designed and often look like legitimate project portals at a glance, sometimes referencing real upstream resources." This level of detail makes it challenging for users to distinguish between genuine and fraudulent sites.
The deception extends beyond visual appeal. When a user attempts to download software from these sites, a **CloudFront**-hosted JavaScript staging layer intercepts the click. This layer then hands off the request to a **TDS** that applies stringent gating logic, including first-visit checks, mandatory click confirmations, anti-bot/anti-analysis measures, VPN/datacenter filtering, and frequency capping.
Some of the identified fraudulent sites mimic well-known reverse-engineering and security tools such as **Ghidra**, **dnSpy**, and **SpiderFoot**. These sites are strategically optimized for search engines like **Google**, often appearing at the top of search results and eclipsing the legitimate project pages.
### Evolution of a Threat
An earlier iteration of this campaign was documented by **Fullstory** in November 2023, with evidence suggesting activity since September 2023. At that time, the Atlanta-based company observed that the domains focused on gaining favorable search engine rankings to drive traffic and enable third-party advertising.
While the campaign initially did not distribute malware directly, **Check Point**'s latest findings indicate a significant escalation. Starting in January 2024, the **TDS** scripts were embedded in the sites, and the infrastructure was repurposed for direct malware distribution.

Crucially, the 'Download' button on these fake sites is engineered to display the legitimate download URL on hover, providing a veneer of authenticity. However, clicking the button initiates the malicious **TDS** redirection chain. To further evade analysis, repeated attempts to download from the same IP address may result in benign software, such as the **Opera** browser or harmless browser extensions, being delivered instead of malware.
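The hover/click mismatch described above is something a defender can check for statically when triaging a suspicious download page. The following is an added example, not code from the article or from Check Point: it parses an HTML document with Python's standard library, flags any `<a>` whose inline `onclick` handler contains constructs that can override the navigation its `href` advertises, and lists the hosts of external scripts so an analyst can review them by hand. The sample page, the `example.org`/`example.net` hostnames and the marker list are constructed for this example; a handler attached by an external script (as the staging layer in the article does) is invisible to this static scan, which is why the script hosts are reported separately.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructs in an inline click handler that can send the browser somewhere
# other than the href shown in the status bar on hover (assumed heuristic list).
NAV_OVERRIDE_MARKERS = ("preventDefault", "location", "window.open", "return false")


class _AnchorCollector(HTMLParser):
    """Collects attributes of every <a href> and the hosts of external <script src>."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self.script_hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self.anchors.append(attr)
        elif tag == "script" and attr.get("src"):
            host = urlparse(attr["src"]).netloc
            if host:  # relative src has no host; skip it
                self.script_hosts.add(host)


def scan_download_links(html):
    """Return one finding per anchor whose inline onclick may override its href."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for anchor in parser.anchors:
        onclick = anchor.get("onclick", "")
        hits = [m for m in NAV_OVERRIDE_MARKERS if m in onclick]
        if hits:
            findings.append({
                "href": anchor["href"],
                "onclick": onclick,
                "reason": "click handler may override advertised href: " + ", ".join(hits),
            })
    return findings


def external_script_hosts(html):
    """Hosts of all externally loaded scripts, for manual review of staging layers."""
    parser = _AnchorCollector()
    parser.feed(html)
    return sorted(parser.script_hosts)


# Constructed sample page: one honest link, one analytics-only handler that must
# not be flagged, one link whose handler redirects on click, one external script.
SAMPLE_HTML = """
<html><body>
<script src="https://static.example.net/stage.js"></script>
<a href="https://example.org/releases/tool-1.0.zip">Download (mirror)</a>
<a href="https://example.org/releases/tool-1.0.zip" onclick="track('download')">Download</a>
<a href="https://example.org/releases/tool-1.0.zip"
   onclick="event.preventDefault(); window.location='https://redirector.example.net/go?id=1'">Download</a>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_download_links(SAMPLE_HTML):
        print("SUSPICIOUS:", f["href"], "->", f["reason"])
    print("external scripts:", external_script_hosts(SAMPLE_HTML))
```

Run against a saved copy of a page, the scan separates links whose status-bar URL is the real destination from links whose click is intercepted inline; for pages that wire the handler up from an external script, the reported script hosts tell the analyst what to fetch and read next.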
### The Malware Arsenal
The **TDS** is designed to deliver a range of potent malware families:
* **SessionGate**: A previously unknown, multi-stage, obfuscated loader. It's used to deliver potentially unwanted applications (PUA) and incorporates extensive anti-analysis mechanisms, including pivoting to a benign installer experience when a sandbox is detected.
* **Remus Stealer**: A new information stealer operating under a malware-as-a-service (MaaS) model. It's capable of exfiltrating data from over 20 browsers, hundreds of browser extensions, and applications, including cryptocurrency wallets, two-factor authentication tools, and password managers. **Remus Stealer** is believed to be a variant of the notorious **Lumma Stealer**.
* **AnimateClipper**: A cryptocurrency clipper that can substitute wallet addresses copied to the clipboard, hijacking transactions across more than 20 blockchain ecosystems. It's often delivered via a **ClickFix** lure.

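A clipper like **AnimateClipper** works by rewriting a wallet address in the clipboard between the copy and the paste, so a host-side monitor can catch it by watching for exactly that change. The following is an added example, not code from the article or from any vendor: it takes a time-ordered list of clipboard snapshots and flags cases where an address was replaced by a different address of the same chain within a short window. The snapshot list, the two-second window and the two address patterns (Bitcoin legacy and Ethereum) are constructed for this example; a real monitor would read the system clipboard and cover many more chains, as the article says the clipper does.

```python
import re

# Address shapes for two common chains. Constructed for this example; the
# article's clipper targets more than 20 ecosystems, so a real monitor needs more.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Assumed threshold: a same-chain replacement this soon after a copy is suspicious,
# because a person rarely copies two different addresses that quickly.
SWAP_WINDOW_SECONDS = 2.0


def classify(text):
    """Return the chain whose address pattern `text` matches, or None."""
    candidate = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return chain
    return None


def detect_swaps(snapshots):
    """snapshots: list of (timestamp_seconds, clipboard_text) in time order.

    Flags each pair of consecutive snapshots where a wallet address was replaced
    by a *different* address of the *same* chain within SWAP_WINDOW_SECONDS.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        chain_before, chain_after = classify(before), classify(after)
        if (
            chain_before is not None
            and chain_before == chain_after
            and before.strip() != after.strip()
            and (t1 - t0) <= SWAP_WINDOW_SECONDS
        ):
            alerts.append({
                "chain": chain_before,
                "copied": before.strip(),
                "replaced_with": after.strip(),
                "delay": t1 - t0,
            })
    return alerts


# Constructed clipboard history: the ETH address is replaced 300 ms after the
# copy (suspicious); the second BTC address arrives 30 s later (normal use).
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for tomorrow"),
    (10.0, "0x" + "a1" * 20),
    (10.3, "0x" + "b2" * 20),
    (60.0, "1" + "A" * 33),
    (90.0, "1" + "B" * 33),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"clipboard {alert['chain']} address replaced after {alert['delay']:.1f}s:",
              alert["copied"], "->", alert["replaced_with"])
```

The check deliberately requires the replacement to be the same chain type: a clipper has to substitute an address the victim's wallet software will accept, so a Bitcoin address turning into an Ethereum address is far more likely to be the user than the malware. Pairing this with the user habit the article implies (compare the first and last characters of the pasted address against the source before sending) covers both the automated and the manual side of the defence.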
### Global Reach and Evasion Tactics
Telemetry from **VirusTotal** reveals approximately 2,000 to 3,500 submissions of samples linked to the **SessionGate** family. The majority of these submissions originate from Turkey, Poland, Brazil, Germany, France, Russia, and the U.K., indicating a broad geographical impact.
The **SessionGate** infection sequence is particularly sophisticated. It delivers a unique payload per client, only after a full traversal of the redirect path. This multi-stage delivery chain, coupled with extensive validation logic and **TDS**-side gating, is designed to actively resist analysis and make payload retrieval exceptionally challenging for security researchers.
The final DLL payload communicates with an external server to retrieve an encrypted configuration, extracts a download URL, and silently executes the next-stage malware using `cmd.exe`.

Bukhteyev emphasizes that while the primary objective might be traffic acquisition and monetization, "by embedding a gated **TDS** layer and funneling search traffic into it, the operators become part of a distribution chain whose downstream consumers can include malware distributors. The same traffic pipeline that drives gray monetization can also selectively route real users to malicious payloads."
### Advice for Professionals and Users
Given the sophistication of this campaign, IT security professionals should reinforce user education on verifying software download sources. Always navigate directly to official project websites or trusted repositories rather than relying solely on search engine results. Implement robust endpoint detection and response (EDR) solutions and ensure that security software is up-to-date to detect and block these advanced malware threats.