Fake Portals Mimic Trusted Tools
Threat actors have deployed a sophisticated campaign using fake websites that closely mirror the official pages of popular security analysis tools. The malicious sites impersonate Ghidra, dnSpy, and SpiderFoot, complete with professional layouts and direct links to legitimate GitHub repositories to evade suspicion. When a user clicks a download button, the site does not serve the intended software but instead routes the request through a hidden gatekeeping system.
Traffic Filtering and Payload Delivery
This campaign relies on a Traffic Distribution System (TDS) that screens each visitor before deciding whether to deliver malware. The TDS checks the user’s geographic location, browser type, and VPN usage, and flags signs of security researcher activity. Only visitors who pass these filters are redirected to a malicious payload. Check Point Research identified that the fake sites load a JavaScript file hosted on Amazon CloudFront, which intercepts the first download click and silently hands control to the TDS without any visible warning; the visible link still points at the legitimate GitHub repository.
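As an added defender-side example (not code from the report or from Check Point), a small Python triage script that checks a saved HTML page for the pattern described above: download links that genuinely point at the project's GitHub alongside a third-party script loaded from an off-project host, which is what lets a click be intercepted before the link is followed. The trusted-host list, the page host, and both HTML snippets are constructed for illustration.

```python
"""Static triage of a saved HTML page for the first-click hijack pattern."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Where the genuine tools are released (assumption for this example).
TRUSTED_DOWNLOAD_HOSTS = {"github.com", "objects.githubusercontent.com"}

class _Collector(HTMLParser):
    """Collects external <script src> hosts and download-looking anchors."""
    def __init__(self):
        super().__init__()
        self.script_hosts = []    # netloc of every external script
        self.download_links = []  # (href, anchor text)
        self._anchor = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).netloc.lower()
            if host:  # relative src (same origin) is not third-party
                self.script_hosts.append(host)
        elif tag == "a" and a.get("href"):
            self._anchor = [a["href"], ""]

    def handle_data(self, data):
        if self._anchor:
            self._anchor[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor:
            href, text = self._anchor
            if "download" in (text + href).lower():
                self.download_links.append((href, text.strip()))
            self._anchor = None

def triage(html, page_host):
    """Return findings plus a flag for the 'legit link + foreign script' pattern."""
    c = _Collector()
    c.feed(html)
    findings = []
    for host in c.script_hosts:
        if host != page_host and host not in TRUSTED_DOWNLOAD_HOSTS:
            findings.append(f"third-party script from {host}")
    for href, text in c.download_links:
        host = urlparse(href).netloc.lower()
        if host and host not in TRUSTED_DOWNLOAD_HOSTS:
            findings.append(f"download link {text!r} leads off-project: {host}")
    hijack_risk = bool(c.download_links) and any(f.startswith("third-party") for f in findings)
    return {"findings": findings, "hijack_risk": hijack_risk}

# Constructed samples; the CloudFront hostname is a placeholder, not a real indicator.
LOOKALIKE = ('<script src="https://placeholder.cloudfront.net/dl.js"></script>'
             '<a href="https://github.com/example/tool/releases">Download</a>')
CLEAN = ('<script src="/static/app.js"></script>'
         '<a href="https://github.com/example/tool/releases">Download</a>')
```

Run `triage(LOOKALIKE, "lookalike.example")` and the clean variant to compare; the flag fires only when a download link coexists with a script from a host that is neither the page nor a trusted release host.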
Malware Families and Scale
The campaign has been active since at least December 2025, with confirmed malware deliveries starting in early January 2026. VirusTotal data shows over 5,000 submissions linked to related samples, and researchers believe the true number of infections is significantly higher. The final payloads include three distinct malware families. RemusStealer is a new infostealer that targets data from more than 20 browsers, including cryptocurrency wallets, password managers, and two-factor authentication tools. AnimateClipper monitors the system clipboard and replaces copied cryptocurrency wallet addresses with attacker-controlled ones, potentially stealing funds without the victim’s knowledge. A third payload, SessionGate, acts as a heavily obfuscated multi-stage loader that uses one-time key delivery to hinder analysis. The focus on tools trusted by security professionals makes this campaign especially concerning, as it targets those most likely to recognize such threats.
Source: Cyber Security News