Malware Distribution Ecosystem Impersonates Open-Source Projects via Traffic Distribution System
Check Point Research has uncovered a sophisticated operation impersonating popular open-source and security tools, using a Traffic Distribution System (TDS) to filter users and deliver malware.

Check Point Research has detailed a large-scale malicious operation that leverages impersonation of open-source and freeware projects to capture search engine traffic. The campaign creates convincing fake websites that mimic legitimate project portals, even referencing real upstream resources. These sites are designed to trick users into downloading malicious software, with a particular focus on tools used by security researchers, such as Ghidra and dnSpy.
The core of the deception lies not just in the appearance of the websites, but in their post-click behavior. When a user attempts to download a file, the site initiates a complex routing chain. This chain begins with a JavaScript staging layer hosted on Amazon CloudFront, which then hands off the user's interaction to a Traffic Distribution System (TDS). This TDS acts as a sophisticated gatekeeper, employing various filtering mechanisms to determine whether to proceed with the user's request or redirect them elsewhere.
The TDS employs several layers of filtering, including checking the user's visit state, requiring explicit click confirmation, implementing anti-bot and anti-analysis logic, filtering based on VPN or datacenter IP addresses, and enforcing frequency caps. This meticulous filtering ensures that only specific, targeted users are funneled towards the final payload delivery infrastructure, while others are either blocked or redirected to less harmful content.
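Because the gating happens after the click, the lure page itself can look clean; what a defender can see is the shape of the session in proxy or web-gateway logs: a download of a tool-named lookalike site, followed within seconds by hops across a CDN-hosted stager, a TDS host and a payload host. The script below, an added example that is not part of Check Point's report, reconstructs such chains from a constructed log format (`ts client url status location referer`) by linking requests through the `Location` header (HTTP redirects) and the `Referer` header (script-driven navigations), then flags chains that start at a non-official host carrying a known tool name, cross at least three distinct hosts, and end in an installer or archive. The sample log, the `.example` hostnames and the `OFFICIAL_HOSTS` allowlist are constructed for the example, not taken from the research.

```python
import re
from urllib.parse import urlparse

# Tools the campaign impersonates (from the article). The official hosts listed
# here are an assumption for this example, not an allowlist from the research.
OFFICIAL_HOSTS = {
    "ghidra": {"ghidra-sre.org", "github.com", "objects.githubusercontent.com"},
    "dnspy": {"github.com", "objects.githubusercontent.com"},
}
PAYLOAD_EXT = (".exe", ".msi", ".zip", ".7z", ".rar")

# Constructed log format: ts client url status location referer ("-" = none).
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(\S+)\s+(\S+)$")

# Constructed sample: one client is steered through a CDN-hosted stager and a TDS
# to an installer; a second reaches the TDS but is sent to a harmless page (the
# gating described in the article); a third downloads from the official project.
SAMPLE_LOG = """
100 10.0.0.5 https://ghidra-tool.example/download/ 200 - -
101 10.0.0.5 https://d111.cloudfront.example/stage.js 200 - https://ghidra-tool.example/download/
102 10.0.0.5 https://tds.example/go?c=1 302 https://cdn-files.example/ghidra_setup.exe https://ghidra-tool.example/download/
103 10.0.0.5 https://cdn-files.example/ghidra_setup.exe 200 - https://tds.example/go?c=1
200 10.0.0.9 https://github.com/NationalSecurityAgency/ghidra/releases 200 - -
300 10.0.0.7 https://dnspy-dl.example/get/ 302 https://tds.example/go?c=2 -
301 10.0.0.7 https://tds.example/go?c=2 302 https://dnspy-dl.example/thanks.html https://dnspy-dl.example/get/
302 10.0.0.7 https://dnspy-dl.example/thanks.html 200 - https://tds.example/go?c=2
"""


def parse_log(text):
    """Parse the constructed log lines into event dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, url, status, loc, ref = m.groups()
        events.append({"ts": int(ts), "client": client, "url": url,
                       "status": int(status),
                       "location": None if loc == "-" else loc,
                       "referer": None if ref == "-" else ref})
    return sorted(events, key=lambda e: e["ts"])


def tool_in_url(url):
    """Return the impersonated tool name mentioned in the URL, if any."""
    low = url.lower()
    return next((t for t in OFFICIAL_HOSTS if t in low), None)


def reconstruct_chain(events, start, window=30):
    """Collect requests by the same client, within `window` seconds of events[start],
    reachable from it via Location (redirect) or Referer (script navigation) links."""
    root = events[start]
    chain, seen, frontier = [root], {root["url"]}, [root]
    while frontier:
        new = []
        for cur in frontier:
            for e in events[start + 1:]:
                if e["ts"] - root["ts"] > window:
                    break  # events are time-sorted, nothing later can qualify
                if e["client"] != root["client"] or e["url"] in seen:
                    continue
                linked = (cur["location"] is not None and e["url"] == cur["location"]) \
                    or e["referer"] == cur["url"]
                if linked:
                    seen.add(e["url"])
                    chain.append(e)
                    new.append(e)
        frontier = new
    return sorted(chain, key=lambda e: e["ts"])


def find_lookalike_chains(events, min_hosts=3, window=30):
    """Flag chains that begin at a non-official tool-named host, cross at least
    `min_hosts` distinct hosts and deliver an installer or archive."""
    findings = []
    for idx, e in enumerate(events):
        tool = tool_in_url(e["url"])
        if tool is None:
            continue
        host = urlparse(e["url"]).hostname or ""
        if host in OFFICIAL_HOSTS[tool]:
            continue  # genuine project download, not a lookalike
        chain = reconstruct_chain(events, idx, window)
        hosts = []
        for hop in chain:
            h = urlparse(hop["url"]).hostname or ""
            if h not in hosts:
                hosts.append(h)
        payloads = [hop["url"] for hop in chain if hop["url"].lower().endswith(PAYLOAD_EXT)]
        if len(hosts) >= min_hosts and payloads:
            findings.append({"client": e["client"], "tool": tool, "lure_host": host,
                             "hops": len(chain), "hosts": hosts, "payload": payloads[-1]})
    return findings


if __name__ == "__main__":
    for f in find_lookalike_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} lured via {f['lure_host']} ({f['tool']}): "
              f"{' -> '.join(f['hosts'])} -> {f['payload']}")
```

Only the first client is flagged: the second client is routed by the TDS to a benign page, which is exactly the gating behaviour the article describes, so a detector keyed on the payload alone would miss the lure site while this one still records the lure-to-TDS hop in the reconstructed chain. Raise `min_hosts` or add the tool's real release hosts to `OFFICIAL_HOSTS` to tune false positives for your environment.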
This ecosystem appears to be primarily focused on traffic acquisition and monetization, likely utilizing legitimate ad-tech and monetization tools. However, the downstream redirect chains have been observed leading selected users to malware delivery infrastructure. The operation has been found to distribute multiple malware families, including RemusStealer, AnimateClipper, and the SessionGate framework, alongside Potentially Unwanted Applications (PUAs).
RemusStealer is a newly identified information-stealer designed to target data from over 20 browsers and hundreds of applications, including cryptocurrency wallets and password managers. AnimateClipper is a cryptocurrency clipper capable of hijacking transactions across more than 20 blockchain ecosystems. SessionGate is a heavily obfuscated, multi-stage loader with advanced anti-analysis features, observed delivering PUAs in the analyzed chains.
The impersonation of popular open-source projects, especially security tools, is a notable aspect of this campaign. While the broader phenomenon of such impersonation sites was documented previously, this operation has evolved, beginning in late 2025 and early 2026, to actively embed TDS scripts and engage in malware distribution. The scale is significant, with VirusTotal telemetry showing over 5,000 submissions for relevant samples, indicating a substantial reach.
While the primary objective of these impersonation sites may be traffic acquisition and monetization, the integration of a gated TDS layer transforms them into a critical component of a malware distribution chain. Operators of these sites can selectively route users to malicious payloads, blurring the lines between gray monetization tactics and direct malware distribution. The professional design and high search engine ranking of these fake sites make them particularly effective at luring unsuspecting users.