TechRadar
Sead Fadilpašić

Huge hacking campaign uses spoofed Ghidra, dnSpy, and SpiderFoot security tools to harvest ad revenue and serve malware

  • Over 100 spoofed sites mimic trusted security tools
  • Campaign serves SessionGate, RemusStealer, AnimateClipper
  • Primary goal appears to be traffic monetization

A large-scale malicious campaign was recently uncovered, spoofing reputable open-source security tools to harvest ad revenue and serve malware to developers and security researchers.

Security outfit Check Point Research (CPR) recently published an in-depth report, detailing the campaign. Apparently, threat actors created more than 100 websites spoofing tools such as Ghidra, dnSpy, and SpiderFoot. Visitors were routed through a Traffic Distribution System (TDS) and served multiple malware variants, including SessionGate, RemusStealer, and AnimateClipper.

“What makes this campaign especially notable is the choice of brands: a high-risk subset of sites impersonates trusted reverse-engineering tools such as Ghidra and dnSpy, used by security researchers and malware analysts,” the report reads.

Traffic acquisition and monetization

CPR describes SessionGate as a new multi-stage loader that makes it very difficult to obtain the final payload. RemusStealer is a newly emerged infostealer targeting browsers and extensions, while AnimateClipper is a cryptocurrency clipper capable of hijacking transactions across more than 20 blockchains.

Although these websites serve multiple malware families, CPR does not believe that to be the main goal. Instead, it believes the campaign's primary objective is traffic acquisition and monetization.

“However, by embedding a gated TDS layer and funneling search traffic into it, the operators become part of a distribution chain whose downstream consumers can include malware distributors,” CPR stressed. “The same traffic pipeline that drives gray monetization can also selectively route real users to malicious payloads.”

While CPR did not say how many people were affected by this attack, it does stress that the campaign is large-scale: it involves more than 100 websites, and the related samples account for more than 5,000 total submissions to VirusTotal.

To defend against this campaign, and others like it, users are advised not to blindly trust search engine results, and to be careful when clicking on links, even when they appear at the very top of Google and other reputable search engines.
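As an added illustration of that advice, and not code from the original article or from Check Point Research, the following Python script checks a download link against an allowlist of official origins for the three tools named in the report, and flags links that merely mention a tool name in the hostname or path as lookalikes. The allowlist entries are assumptions made for this example: the reader should populate them from each project's own documentation, and the sample links below are constructed.

```python
from urllib.parse import urlparse

# Assumed allowlist (constructed for this example): (hostname, path prefix) pairs for
# each tool's official download origin. Verify these against the projects' own docs.
# A path prefix matters because a trusted host such as github.com hosts anyone's repos.
OFFICIAL_SOURCES = {
    "ghidra": [("ghidra-sre.org", "/"), ("github.com", "/nationalsecurityagency/ghidra")],
    "dnspy": [("github.com", "/dnspy/dnspy")],
    "spiderfoot": [("github.com", "/smicallef/spiderfoot")],
}


def _host_and_path(url):
    """Normalise a URL into a lowercase hostname (without 'www.') and path."""
    parts = urlparse(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    path = parts.path.lower() or "/"
    return host, path


def _path_within(path, prefix):
    """True if path equals the prefix or sits below it as a directory boundary."""
    base = prefix.rstrip("/")
    return path == prefix or path.startswith(base + "/")


def classify_download_link(url):
    """Return (verdict, tool) where verdict is 'official', 'lookalike' or 'unknown'.

    'official'  - host and path match an allowlisted origin for a known tool.
    'lookalike' - a known tool name appears in the host or path, but the origin
                  is not allowlisted (typical of spoofed download sites).
    'unknown'   - no known tool name is referenced at all.
    """
    host, path = _host_and_path(url)
    for tool, sources in OFFICIAL_SOURCES.items():
        for allowed_host, prefix in sources:
            if host == allowed_host and _path_within(path, prefix):
                return ("official", tool)
    mentioned = [t for t in OFFICIAL_SOURCES if t in host or t in path]
    if mentioned:
        return ("lookalike", mentioned[0])
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links; none of these are indicators from the report.
    samples = [
        "https://ghidra-sre.org/",
        "https://github.com/NationalSecurityAgency/ghidra/releases",
        "https://github.com/someone-else/ghidra",
        "https://ghidra-sre.org.example.net/download",
        "https://example.org/tools",
    ]
    for link in samples:
        verdict, tool = classify_download_link(link)
        print(f"{verdict:9} {tool or '-':10} {link}")
```

The lookalike verdict is deliberately broad: it will flag a legitimate mirror or blog post that mentions a tool, which is the right bias for a download decision, where the cost of a false alarm is a second look at the project's official page.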
