Fake open-source tool sites used to push malware through gated redirects

Cybersecurity researchers have exposed a campaign that impersonates open-source and freeware projects to steer visitors through a traffic distribution system and, in some cases, deliver malware such as Remus Stealer, AnimateClipper and SessionGate. The operation has been active since at least September 2025, with malware delivery tied to the infrastructure from January 2026.

KEY FACTS

  • Targets: fake sites mimic tools including Ghidra, dnSpy and SpiderFoot.
  • Mechanics: a click on a download button is redirected through a gated traffic system with anti-bot checks.
  • Payloads: the chain can lead to a stealer, a clipper and a multi-stage loader.
  • Search traffic: the pages are designed to rank highly for relevant software searches.

A technical analysis from Check Point said the pages look legitimate at first glance and often preserve real GitHub links to pass quick visual checks. The report said the deception happens when a user interacts with the site, rather than in the static page content itself.

According to the disclosure, the sites load a CloudFront-hosted JavaScript layer that turns a download click into a handoff to a traffic distribution system. That system uses first-visit checks, mandatory click confirmation, anti-analysis logic, VPN and datacenter filtering, and frequency caps.

Some redirects lead to benign software such as Opera or browser extensions on repeated visits from the same IP address. Other paths deliver SessionGate, which is described as a previously unknown loader that hides its activity and can pivot to a harmless installer to avoid sandboxes.

The report says Remus Stealer can collect data from more than 20 browsers, including browser extensions, cryptocurrency wallets, two-factor authentication tools and password managers. AnimateClipper is used to replace copied wallet addresses and hijack transactions across more than 20 blockchain ecosystems.

Telemetry from VirusTotal showed about 2,000 to 3,500 submissions linked to SessionGate, with most samples originating in Turkey, Poland, Brazil, Germany, France, Russia and the U.K. The final payload is delivered only after the redirect chain is completed end to end.

WHY IT MATTERS

The campaign shows how search visibility and copied project branding can be used to funnel users into a controlled distribution chain. That creates a risk that people looking for common developer or security tools may instead receive unwanted software or malware.