Fake open-source sites top Google, funnel users to malware
Spoofed pages mimicking open-source tools rank high on Google and route first-time download clicks through a gated Traffic Distribution System that can deliver Remus Stealer, AnimateClipper and SessionGate.
Fraudulent websites posing as popular open-source and freeware projects are appearing at the top of Google search results and routing visitors through a Traffic Distribution System (TDS), researchers at Check Point report. The activity traces back to September 2025, an earlier iteration was observed in November 2025, and the infrastructure was repurposed to distribute malware beginning in January 2026.
Pages imitate legitimate project portals for tools such as Ghidra, dnSpy and SpiderFoot, often preserving visible GitHub links and legitimate download URLs to appear authentic. A CloudFront-hosted JavaScript staging layer converts a click on a download button into a handoff to a gated TDS. The TDS enforces first-visit state, requires explicit click confirmation, runs anti-bot and anti-analysis checks, blocks VPN and data-center IPs, and caps request frequency.
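The staging-and-gating chain described above leaves a recognizable sequence in web-proxy logs: a landing page on a domain that is not a known distribution host, a script fetched from a CloudFront hostname, and then an executable served from yet another host, all from the same client within seconds. The following hunting script is an added example, not Check Point's code or tooling; the log format, the hostnames and the allowlist of legitimate distribution hosts are constructed placeholders, and the time window is an assumption to tune against real traffic.

```python
"""Correlate proxy log events per client into landing-page -> CloudFront script ->
executable download chains.  Added example; log format and hosts are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: "<ISO time> <client ip> <method> <url> <status> <content-type>".
# Hostnames are invented placeholders; client 10.0.0.5 shows the suspicious chain,
# client 10.0.0.9 fetches a release from an allowlisted distribution host.
SAMPLE_LOG = """\
2026-01-14T09:00:01 10.0.0.5 GET https://opensource-tool-downloads.example/ 200 text/html
2026-01-14T09:00:03 10.0.0.5 GET https://d111111abcdef8.cloudfront.net/download.js 200 application/javascript
2026-01-14T09:00:07 10.0.0.5 GET https://gate.tds-placeholder.example/?click=1 302 text/html
2026-01-14T09:00:08 10.0.0.5 GET https://cdn.payload-placeholder.example/setup.exe 200 application/x-msdownload
2026-01-14T09:05:00 10.0.0.9 GET https://github.com/example-org/tool/releases 200 text/html
2026-01-14T09:05:02 10.0.0.9 GET https://github.com/example-org/tool/releases/download/v1/tool.zip 200 application/zip
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)

# Content types that indicate a Windows executable was served (assumption: extend for your proxy).
EXEC_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/x-dosexec",
    "application/octet-stream",
}
# Hosts from which a download is expected for genuine open-source projects (assumption).
KNOWN_DISTRIBUTION_HOSTS = {"github.com", "objects.githubusercontent.com"}
STAGING_HOST_SUFFIX = ".cloudfront.net"
WINDOW = timedelta(seconds=60)  # assumed maximum click-to-payload delay


def parse_log(text):
    """Parse the constructed log format into event dicts with a datetime and hostname."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["status"] = int(e["status"])
        e["host"] = urlparse(e["url"]).hostname or ""
        events.append(e)
    return events


def find_suspicious_chains(events, window=WINDOW):
    """Return one finding per client whose HTML landing page on a non-allowlisted host
    is followed, within `window`, by a CloudFront-hosted script and then an executable
    served from a host other than the landing page."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        for i, page in enumerate(evs):
            if not page["ctype"].startswith("text/html"):
                continue
            if page["host"] in KNOWN_DISTRIBUTION_HOSTS:
                continue
            script_seen = False
            for later in evs[i + 1:]:
                if later["ts"] - page["ts"] > window:
                    break
                if later["host"].endswith(STAGING_HOST_SUFFIX) and "javascript" in later["ctype"]:
                    script_seen = True
                elif script_seen and later["ctype"] in EXEC_TYPES and later["host"] != page["host"]:
                    findings.append({
                        "ip": ip,
                        "landing": page["host"],
                        "payload": later["url"],
                        "first_seen": page["ts"].isoformat(),
                    })
                    break
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['ip']} landed on {f['landing']} and received {f['payload']} at {f['first_seen']}")
```

Because the TDS keys on first-visit state and source IP, a re-fetch of the flagged URL from the same egress address may return a benign installer; preserve the proxy's own record of the first response rather than relying on a later manual download to confirm the finding.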
The redirect chains are engineered so that repeat attempts from the same IP sometimes return benign software such as a browser or browser extensions, while first-time visitors may be routed to malicious payloads. Three malware families linked to the pipeline are Remus Stealer, AnimateClipper and SessionGate. Remus Stealer, offered under a malware-as-a-service model and believed to be related to Lumma Stealer, can extract data from more than 20 browsers and hundreds of extensions and applications, including cryptocurrency wallets and two-factor authentication tools. AnimateClipper is a clipboard hijacker that replaces copied wallet addresses across more than 20 blockchain ecosystems and is delivered via a ClickFix lure. SessionGate is a new multi-stage, highly obfuscated loader that can present a benign installer experience in analysis environments and then drop a DLL that retrieves an encrypted configuration, extracts a download URL and launches the next-stage payload via cmd.exe.
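A clipper such as AnimateClipper is detectable from the host side by the one thing it must do: change clipboard contents from one wallet address to a different address of the same ecosystem without the user having copied anything. The script below is an added example, not Check Point's code and not based on the AnimateClipper sample; it audits a sequence of clipboard polls and flags exactly that transition. The address patterns are format checks only (no checksum validation), the set of ecosystems is a small illustrative subset, and the poll sequence and addresses are constructed.

```python
"""Flag clipboard substitutions of wallet addresses.  Added example; the polling
snapshots and addresses below are constructed, and the patterns are format-only."""
import re

BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # bech32 alphabet (no 1, b, i, o)
BASE58 = "a-km-zA-HJ-NP-Z1-9"                # base58 alphabet (no 0, O, I, l)

# Illustrative subset of ecosystems (assumption: extend with the chains you care about).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(rf"^(?:[13][{BASE58}]{{25,34}}|bc1[{BECH32}]{{6,87}})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(rf"^(?:[LM][{BASE58}]{{26,33}}|ltc1[{BECH32}]{{6,87}})$"),
}


def classify(text):
    """Return the ecosystem whose address format `text` matches, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


def audit_clipboard(snapshots):
    """snapshots: iterable of (time, clipboard_text, user_initiated_copy).

    A clipboard change that the user did not initiate is normal (other applications
    write to it), so alert only when the previous user-copied value and the new
    value are both addresses of the same ecosystem and differ."""
    last_user_copy = None
    alerts = []
    for t, text, user_copied in snapshots:
        if user_copied:
            last_user_copy = text
            continue
        if last_user_copy is None or text == last_user_copy:
            continue
        expected_eco = classify(last_user_copy)
        if expected_eco is not None and classify(text) == expected_eco:
            alerts.append({
                "time": t,
                "ecosystem": expected_eco,
                "expected": last_user_copy,
                "observed": text,
            })
    return alerts


# Constructed addresses: valid format, no real ownership implied.
USER_ETH = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
SWAPPED_ETH = "0xcafebabecafebabecafebabecafebabecafebabe"
USER_BTC = "bc1q" + BECH32 + "qpzr"

# Constructed poll sequence: (seconds, clipboard text, did the user press copy?)
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting at 3pm", True),
    (0.5, "meeting at 3pm", False),
    (1.0, USER_ETH, True),
    (1.5, SWAPPED_ETH, False),   # changed to another ETH address with no user action
    (2.0, "some other text", False),  # another app wrote plain text: not an address, ignore
    (3.0, USER_BTC, True),
    (3.5, USER_BTC, False),      # unchanged, fine
]

if __name__ == "__main__":
    for a in audit_clipboard(SAMPLE_SNAPSHOTS):
        print(f"t={a['time']}: {a['ecosystem']} address replaced: {a['expected']} -> {a['observed']}")
```

In a live monitor the `user_initiated_copy` flag would come from a copy keystroke or menu hook and the snapshots from periodic clipboard reads; the audit logic itself is independent of that plumbing, which is why it is shown here over a fixed sequence.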
VirusTotal telemetry shows about 2,000 to 3,500 submissions tied to SessionGate so far, with most samples submitted from Turkey, Poland, Brazil, Germany, France, Russia and the United Kingdom. Check Point reports the final payload is often customized per victim and provided only after the redirect and gating logic completes, which complicates automated sandboxing and static analysis.
Check Point researcher Alexey Bukhteyev warned that ‘The deception is not in the page content alone, it’s in what happens when a user interacts.’ He noted that search-engine optimization that places spoof pages above genuine project sites can be used to acquire traffic and ad revenue, and that the same distribution pipeline can selectively route some users to malicious infrastructure.