In brief: Attackers run fake download pages for tools such as Ghidra and dnSpy that rank highly on Google, send visitors through TDS-controlled JavaScript to malware servers, and evade security analysis by filtering out VPN and data-center addresses and repeated visits from the same IP.
Check Point documents a large-scale campaign in which attackers clone web presences of well-known open-source projects and abuse them as malware distribution channels via search engine ranking. The underlying traffic distribution system deliberately filters out security researchers and automated analysis tools.
Security researchers at Check Point have documented a cyberattack campaign that imitates well-known open-source and freeware projects. The manipulated web pages are deliberately optimized for search engine ranking and frequently appear in Google search results above the legitimate project websites. Security and reverse-engineering tools such as Ghidra, dnSpy, and SpiderFoot are particularly affected. According to Fullstory, the initial phases of the campaign launched in September 2025 and primarily served to generate ad revenue. From January 2026 onward, the infrastructure was converted to malware distribution.
The counterfeit pages are visually polished and in part link to legitimate upstream resources. The central deception: hovering over the download button shows the correct URL of the genuine project in the browser's status bar, which suggests trustworthiness. The click itself, however, is intercepted by JavaScript served via CloudFront, which cancels the displayed download and sends the visitor to a traffic distribution system (TDS). For verification the hover URL is therefore worthless; only the request actually issued on click, visible in the browser's network inspector, reveals the real destination. The TDS acts as the gatekeeper and applies strict filtering rules: it profiles the visitor, blocks IP addresses belonging to data centers and VPN providers, applies anti-bot logic, and limits how often a single IP may request the download. Visitors who fail these checks are handed harmless software, such as the Opera browser or legitimate extensions, so that analysts and sandboxes never see the actual malware.
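The gating described above is what makes the campaign hard to analyse: a sandbox on a hosting provider, a scanner with a scripted user agent, or an analyst re-downloading from the same address all land in the decoy branch. The following is an added example written for this page, not Check Point's code and not the campaign's actual TDS; it models the filter chain with constructed IP ranges (TEST-NET prefixes standing in for hosting and VPN space), a constructed hit limit, and constructed visitor records, so that the decision path for each kind of visitor can be seen.

```python
"""Model of the TDS cloaking decision described in the article.

Added illustration only: not Check Point's analysis code and not the real
TDS. Range lists, thresholds, file names and visitors are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed stand-ins for "data center" and "VPN" address space. A real
# TDS would use a commercial IP-intelligence feed; these are TEST-NET
# prefixes and are not attributed to any provider.
HOSTING_RANGES = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",   # stand-in hosting/data-center range
    "203.0.113.0/24",    # stand-in VPN egress range
)]

# Constructed anti-bot heuristic: obvious crawler and tooling user agents.
BOT_UA = re.compile(r"(bot|crawl|spider|headless|python-requests|curl)", re.I)

MAX_HITS_PER_IP = 2                  # constructed per-IP access limit
DECOY = "opera_setup.exe"            # benign download for rejected visitors
PAYLOAD = "stage1_loader.exe"        # constructed name for the real payload

CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
             "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36")


@dataclass
class Gate:
    """Per-IP hit counter plus the filter chain; first matching rule wins."""
    hits: dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def is_hosting(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in HOSTING_RANGES)

    def decide(self, ip: str, user_agent: str, has_js: bool) -> tuple[str, str]:
        """Return (file served, reason). Every request counts against the IP."""
        self.hits[ip] += 1
        if not has_js:
            # The redirect only happens inside the CloudFront-served script,
            # so a static fetch (curl/wget) never reaches the TDS at all.
            return DECOY, "no JS execution (static fetch)"
        if BOT_UA.search(user_agent):
            return DECOY, "bot-like user agent"
        if self.is_hosting(ip):
            return DECOY, "data-center or VPN address"
        if self.hits[ip] > MAX_HITS_PER_IP:
            return DECOY, "repeated access from same IP"
        return PAYLOAD, "passed all filters"


def run_demo() -> list[tuple[str, str, str]]:
    """Constructed visitors in arrival order; returns (ip, file, reason)."""
    gate = Gate()
    visitors = [
        ("192.0.2.10", CHROME_UA, True),            # residential stand-in, browser
        ("198.51.100.7", CHROME_UA, True),          # sandbox on a hosting range
        ("203.0.113.9", CHROME_UA, True),           # analyst behind a VPN
        ("192.0.2.11", "python-requests/2.31", False),  # scripted fetch, no JS
        ("192.0.2.10", CHROME_UA, True),            # same victim, second download
        ("192.0.2.10", CHROME_UA, True),            # third request: over the limit
    ]
    return [(ip, *gate.decide(ip, ua, js)) for ip, ua, js in visitors]


if __name__ == "__main__":
    for ip, served, reason in run_demo():
        print(f"{ip:14} -> {served:18} ({reason})")
```

The last three records are the ones that matter for analysts: a scripted fetch and a sandbox on hosting space only ever see the decoy, and even a clean residential address stops receiving the payload once it re-requests the download. Reproducing the infection chain therefore needs a real browser executing the page's JavaScript, residential egress, and a fresh source address per attempt.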
Visitors who pass the filtering receive a payload tailored to them. The campaign currently distributes mainly the SessionGate malware: a multi-stage, heavily obfuscated loader with extensive anti-analysis capabilities. It uses sandbox evasion techniques, mimics a legitimate installation routine, and, after connecting to external servers, retrieves further malware, which it runs in the background via cmd.exe. According to VirusTotal, SessionGate has between 2,000 and 3,500 submissions, predominantly from Germany, France, and Poland. The campaign shows how attackers combine SEO manipulation, social engineering, and technical evasion to target the users of legitimate security tools while staying out of sight of security analysis.
Source: www.it-daily.net · Published June 10, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.