Fake Open-Source Tool Sites Poison Google Results to Deliver Malware
Cybersecurity researchers at Check Point have uncovered a large-scale SEO poisoning operation that impersonates popular open-source and freeware projects to distribute malware through a sophisticated Traffic Distribution System (TDS). The fraudulent sites mimic trusted security and reverse-engineering tools including Ghidra, dnSpy, and SpiderFoot, and are deliberately engineered to outrank legitimate project portals in Google search results. According to Check Point researcher Alexey Bukhteyev, the pages are visually convincing, often referencing real upstream resources, which makes them difficult to distinguish from authentic sites at first glance.
When a victim clicks the Download button, a CloudFront-hosted JavaScript staging layer initiates a handoff to the TDS, which enforces strict gating logic including first-visit state tracking, mandatory click confirmation, anti-bot and anti-analysis checks, VPN and datacenter IP filtering, and frequency capping. To reinforce the illusion of legitimacy, the button's hover text actually displays the real upstream download URL, even though the click routes elsewhere. Repeat visitors from the same IP address are instead served benign software such as the Opera browser or unwanted browser extensions, a tactic that helps the operation evade manual analysis. Anyone investigating suspicious domains encountered in this campaign can use a WHOIS lookup to verify registration details and age, since these sites tend to be recently registered despite their polished appearance.
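The hover-text trick described above leaves a trace in the page source: a Download link whose `href` or `title` names the genuine upstream host while the click itself is handed to script. The following triage script is an added example for analysts reviewing a saved copy of a suspicious page; it is not Check Point's tooling or code from the campaign. It assumes a defender-maintained allowlist of trusted release hosts (`TRUSTED_HOSTS`), and the embedded sample HTML, including its CloudFront-style script hostname and the GitHub repository path, is constructed for illustration rather than taken from the campaign.

```python
"""Triage a saved copy of a suspected fake download page for link-routing tricks.

Added example, not Check Point's tooling. It looks for the pattern described in
the article: a Download link whose hover text (title attribute) or href points
at the real upstream project while the click is intercepted by script and
routed elsewhere. It also lists the hosts the page loads scripts from, since the
staging layer in the campaign was served from a separate CDN host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a defender-maintained allowlist of hosts that legitimately
# distribute the impersonated projects.
TRUSTED_HOSTS = {"github.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def host_of(url):
    """Lowercase hostname of a URL, or '' for fragments, javascript: URLs, etc."""
    return (urlparse(url).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collect every <a> (attributes plus visible text) and every external <script src>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._open = {"attrs": a, "text": ""}
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None


def audit_download_page(html):
    """Return {'findings': [...], 'script_hosts': [...]} for a page's HTML source."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        attrs, text = link["attrs"], link["text"].strip()
        href = attrs.get("href", "")
        href_host = host_of(href)
        reasons = []
        # 1. Hover text shows a URL on one host while the href goes somewhere else.
        for shown in URL_RE.findall(attrs.get("title", "")):
            if host_of(shown) != href_host:
                reasons.append(f"hover text names {host_of(shown)} but href goes to {href_host or '(none)'}")
        # 2. href points at a trusted host, but an inline handler can override the navigation.
        if href_host in TRUSTED_HOSTS and "onclick" in attrs:
            reasons.append(f"href to trusted host {href_host} but click is intercepted by onclick")
        # 3. A download call-to-action with no real destination: navigation must be script-driven.
        if re.search(r"download", text, re.I) and (not href_host or href.lower().startswith("javascript:")):
            reasons.append(f"download link href is {href!r}; navigation is script-driven")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    script_hosts = sorted({host_of(s) for s in parser.scripts if host_of(s)})
    return {"findings": findings, "script_hosts": script_hosts}


# Constructed sample page: hostnames and repository path are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="https://d1example.cloudfront.net/stage.js"></script>
</head><body>
<h1>Ghidra - Download</h1>
<a href="https://github.com/upstream-org/ghidra/releases"
   title="https://github.com/upstream-org/ghidra/releases"
   onclick="return window.__go(event)">Download</a>
<a href="https://github.com/upstream-org/ghidra">Source code</a>
<a href="#" title="https://github.com/upstream-org/ghidra/releases">Download (mirror)</a>
</body></html>
"""

if __name__ == "__main__":
    report = audit_download_page(SAMPLE_HTML)
    for f in report["findings"]:
        print(f"[{f['text']}] {f['href']}")
        for r in f["reasons"]:
            print("   -", r)
    print("external script hosts:", report["script_hosts"])
```

On the constructed sample the first Download link is flagged because its GitHub `href` is paired with an `onclick` handler, and the mirror link because its hover text names GitHub while the `href` is only `#`; the plain source-code link is not flagged. A real page may instead attach listeners with `addEventListener` from the external script, which a static parse cannot see, so treat the script host list as the next thing to pull and read.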
The payloads distributed through the TDS include Remus Stealer, AnimateClipper, and the previously unknown multi-stage loader SessionGate. Evidence indicates the campaign has been active since September 2025, with an early iteration first documented by Fullstory in November 2025. At that time the infrastructure appeared to be used solely for traffic monetization and advertising, but Check Point reports that TDS scripts were embedded shortly afterward, and the network was repurposed for malware distribution beginning in January 2026. Checking a download portal's SSL/TLS certificate can help users verify whether it is genuinely associated with a known project, and a VPN/proxy detector is useful for understanding how threat actors filter connections so that residential users are targeted while anonymized traffic is screened out.