Cybercriminals have developed sophisticated fake websites mimicking well-known security tools to distribute malware. These sites, nearly indistinguishable from legitimate portals, aim to deceive users into downloading harmful software.
Deceptive Website Tactics
Instead of resembling typical phishing pages, these counterfeit sites are designed to mirror official project pages with professional layouts and legitimate links to GitHub repositories. However, once users attempt to download software, they are unwittingly redirected through a Traffic Distribution System (TDS), which filters traffic to deliver either malware or a benign file.
This TDS screens users based on factors such as location, browser type, and VPN usage, making it challenging for security experts to detect these malicious activities. The campaign specifically targets tools trusted by security professionals, increasing its potential impact.
Investigation and Findings
Check Point Research has conducted an in-depth analysis of this large-scale operation. They discovered that the fake websites load JavaScript from Amazon’s CloudFront network. This script intercepts download attempts and redirects users through the TDS without any visible signs of redirection.
The scheme has been active since December 2025, with malware distribution confirmed from early 2026. VirusTotal data shows over 5,000 related submissions, suggesting a much larger scope than was initially evident. Because the impersonated tools are ones security experts use routinely, the campaign is particularly concerning.
Malware Payloads and Evasion Techniques
The operation uses three main malware families as payloads. RemusStealer harvests data from browsers, including cryptocurrency wallets and password managers. AnimateClipper replaces wallet addresses copied to the clipboard, so funds are sent to the substituted address without the victim noticing. Lastly, SessionGate, a multi-stage loader, relies on heavy obfuscation and one-time-key delivery, which complicates analysis.
SessionGate, in particular, is designed to resist scrutiny, with code obfuscation that defeats even advanced disassembly tools. Decryption keys are generated server-side and tied to the requesting client, so a payload captured by one machine cannot be decrypted when analyzed from a different IP address.
Protective Measures and Recommendations
Over 100 fake websites associated with this campaign have been identified, using CloudFront-hosted scripts and sharing campaign identifiers. Some sites rank highly in search results, misleading users about their legitimacy.
To mitigate the risk, security teams should download software only from official project sites or verified repositories, verify file hashes against the values the project publishes, and monitor network connections for unexpected redirects and downloads. Proactive measures are essential to counter these evolving threats.
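The two checks recommended above, as an added example that is not part of the original article or of Check Point's research: the redirect chain a download passed through is compared against an allowlist of the project's own release hosts, and the file's SHA-256 is compared with the published hash. The allowlist, the hostnames in the sample chain and the sample bytes are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Hosts a project's releases are legitimately served from. Constructed
# allowlist for this example; take it from the project's own release page.
ALLOWED_HOSTS = {"github.com", "objects.githubusercontent.com"}

def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory download."""
    return hashlib.sha256(data).hexdigest()

def hash_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison against the hash the project publishes."""
    return hmac.compare_digest(sha256_bytes(data), expected_hex.strip().lower())

def offending_hops(chain, allowed_hosts):
    """URLs in a redirect chain whose host is not on the allowlist.
    chain lists every URL the client was sent through, in order; a TDS-style
    bounce shows up as one or more hops outside the project's own hosts."""
    bad = []
    for url in chain:
        host = (urlparse(url).hostname or "").lower()
        if host not in allowed_hosts:
            bad.append(url)
    return bad

def assess_download(chain, data, expected_hex, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    bad = offending_hops(chain, allowed_hosts)
    if bad:
        findings.append("redirect via unexpected host(s): " + ", ".join(bad))
    if not hash_matches(data, expected_hex):
        findings.append("sha256 mismatch")
    return findings

# Constructed sample: a lookalike site bounces the client through an
# intermediate hop before serving the file. Placeholder hostnames and bytes.
SAMPLE_CHAIN = [
    "https://lookalike-tool.example/download",
    "https://tds-hop.example/r?c=placeholder",
    "https://objects.githubusercontent.com/placeholder/tool.zip",
]
SAMPLE_BYTES = b"placeholder binary contents"

if __name__ == "__main__":
    for finding in assess_download(SAMPLE_CHAIN, SAMPLE_BYTES, "0" * 64):
        print("finding:", finding)
```

Checking every hop rather than only the final URL is the point: a download that ends on a legitimate CDN can still have been routed through a TDS on the way.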
In conclusion, this campaign underscores the importance of vigilance and robust cybersecurity practices. As hackers continue to refine their tactics, staying informed and adopting comprehensive security strategies will be crucial in safeguarding digital environments against such deceptive threats.
