- Over 100 fake websites impersonate reliable security tools
- The campaign serves SessionGate, RemusStealer, AnimateClipper
- The primary goal seems to be traffic monetization
A large-scale malicious campaign was recently uncovered that spoofed reputable open source security tools to harvest ad revenue and deliver malware to developers and security researchers.
Security outfit Check Point Research (CPR) recently published an in-depth report detailing the campaign. According to the report, threat actors created more than 100 websites spoofing tools such as Ghidra, dnSpy and SpiderFoot. Visitors were routed through a Traffic Distribution System (TDS) and served several malware variants, including SessionGate, RemusStealer and AnimateClipper.
“What makes this campaign particularly notable is the choice of brands: a high-risk subset of sites impersonate trusted reverse-engineering tools such as Ghidra and dnSpy used by security researchers and malware analysts,” the report reads.
Traffic acquisition and revenue generation
CPR describes SessionGate as a new multi-stage loader that makes it very difficult to reach the final payload. RemusStealer is a newly emerged infostealer targeting browsers and extensions, while AnimateClipper is a cryptocurrency clipper capable of hijacking transactions across more than 20 blockchains.
Although these sites serve malware, CPR does not believe malware delivery is the main objective. Instead, it believes the primary goal of the campaign is traffic acquisition and revenue generation.
“However, by embedding a gated TDS layer and channeling search traffic into it, the operators become part of a distribution chain whose downstream consumers may include malware distributors,” CPR stressed. “The same traffic pipeline that drives gray monetization can also selectively direct real users to malicious payloads.”
While CPR did not say how many people were affected by this attack, it emphasizes that the campaign is large in scale. It involves more than 100 websites, as well as more than 5,000 total submissions to VirusTotal.
To defend against this campaign and others like it, users are advised not to blindly trust search engine results and to be careful when clicking on links, even when they appear at the very top of Google and other reputable engines.




