- 100+ Spoofed Sites Mimic Trusted Security Tools
- The campaign serves SessionGate, RemusStealer, AnimateClipper
- The main goal seems to be traffic monetization
A large-scale malicious campaign was recently discovered that spoofed well-known open source security tools to harvest advertising revenue and deliver malware to developers and security researchers.
Security researchers at Check Point Research (CPR) recently published a detailed report on the campaign. Apparently, bad actors created over 100 websites impersonating tools such as Ghidra, dnSpy, and SpiderFoot. Visitors were routed through a traffic distribution system (TDS) and served several malware variants, including SessionGate, RemusStealer, and AnimateClipper.
“What makes this campaign particularly noteworthy is the branding: a subset of high-risk sites impersonate trusted reverse-engineering tools such as Ghidra and dnSpy, used by security researchers and malware analysts,” the report said.
Traffic acquisition and monetization
CPR describes SessionGate as a new multi-stage loader that makes it very difficult to get to the final payload. RemusStealer is a new information stealer targeting browsers and extensions, while AnimateClipper is a cryptocurrency clipping tool capable of hijacking transactions on over 20 blockchains.
Although these websites distribute several pieces of malware, CPR does not believe this is the primary goal. Instead, it believes the main goal of the campaign is traffic acquisition and monetization.
“However, by integrating a secure TDS layer and channeling search traffic through it, operators become part of a distribution chain whose downstream consumers may include malware distributors,” CPR noted. “The same traffic pipeline that leads to gray monetization can also selectively route real users to malicious payloads.”
Although CPR did not specify how many people were affected by this attack, it nevertheless emphasizes that this is a large-scale campaign. It involves over 100 websites, as well as over 5,000 total submissions to VirusTotal.
To defend against this campaign and others like it, users are advised not to blindly trust search engine results and to be careful when clicking on links, even when they are at the very top of Google and other reputable engines.





