How Hackers Are Using Fake Open-Source Tool Sites to Hijack Clicks and Distribute Malware

Gated Traffic Distribution System: Filtering for High-Value Targets

The TDS acts as a sophisticated gatekeeper, not simply a redirect. Check Point's analysis reveals it applies multi-layer anti-analysis and filtering to separate real victims from security researchers, sandboxes, and automated crawlers. Only users who pass these checks are routed to the final malware payloads . This selective delivery makes the campaign harder to map and increases the value of each successful infection to the operators. To further evade detection, the system uses techniques like per-session keys and one-time key releases .

The Malware Trio: RemusStealer, AnimateClipper, and SessionGate

The campaign has been observed delivering three distinct malware families, each serving a different monetization purpose.

• RemusStealer: This is a subscription-based infostealer Malware-as-a-Service (MaaS) tool, marketed at $250–$500. It targets a vast range of sensitive data, including credentials from over 20 browsers, data from more than 220 cryptocurrency wallet extensions, password managers, and 2FA tools .
• AnimateClipper: A cryptocurrency clipper designed to hijack transactions in real-time by swapping the wallet address a user copies with one controlled by the attacker. It is capable of monitoring and intercepting transactions across over 20 different blockchain ecosystems .
• SessionGate: This previously undocumented framework is a multi-stage loader that uses heavy obfuscation and extensive anti-analysis to deliver potentially unwanted applications (PUAs) or other payloads. It acts as the initial foothold and loader in the observed attack chains .

A Global, Long-Running Operation

The scale of the campaign is significant. Check Point reports that the ecosystem has been active since late 2025 and has generated over 5,000 VirusTotal submissions, indicating a broad victim pool. The primary geographic targets span the globe, with heavy activity concentrated in Turkey, Poland, Brazil, Germany, France, Russia, and the United Kingdom .

For developers and security professionals, the takeaway is clear and urgent. The days of casually downloading a tool based on a search result are over. Users must verify they are on an official project repository, directly visit a known GitHub or GitLab page, and be suspicious of any download that does not immediately deliver the expected file. The professionalism of these fake sites makes visual inspection alone an insufficient defense against an ecosystem built on stolen trust and automated deception.