- More than 100 fake sites imitate trusted security tools
- The campaign serves SessionGate, RemusStealer, AnimateClipper
- The main goal seems to be traffic monetization
A large-scale malicious campaign was recently discovered that spoofs reputable open source security tools to gain advertising revenue and deliver malware to developers and security researchers.
Security outfit Check Point Research (CPR) recently published a detailed report on the campaign. According to the report, threat actors created more than 100 websites spoofing tools such as Ghidra, dnSpy, and SpiderFoot. Visitors were routed through a traffic distribution system (TDS) and served multiple malware variants, including SessionGate, RemusStealer, and AnimateClipper.
“What makes this campaign especially notable is the choice of branding: a subset of high-risk sites pose as trusted reverse engineering tools like Ghidra and dnSpy, used by security researchers and malware analysts,” the report reads.
Traffic acquisition and monetization

CPR describes SessionGate as a new multi-stage loader that makes it very difficult to obtain the final payload. RemusStealer is a newly emerging information stealer targeting browsers and extensions, while AnimateClipper is a cryptocurrency clipper capable of hijacking transactions on more than 20 blockchains.
Even though these websites serve multiple malicious programs, CPR does not believe that malware delivery is the main objective. Instead, it believes the primary goal of the campaign is traffic acquisition and monetization.
“However, by incorporating a closed TDS layer and funneling search traffic to it, operators become part of a distribution chain whose end consumers may include malware distributors,” CPR emphasized. “The same traffic channel that drives gray monetization can also selectively direct real users toward malicious payloads.”
While CPR did not say how many people were affected by this attack, it did highlight that the campaign is large in scale. It involves over 100 websites as well as over 5,000 total submissions to VirusTotal.
To defend against this and similar campaigns, users are advised not to blindly trust search engine results and to be careful when clicking on links, even when they are ranked high on Google and other reputable engines.





