GBHackers

Fake Ghidra, dnSpy & SpiderFoot Sites Used to Spread Malware


Hackers are abusing search results and professional-looking fake download portals to distribute malware by impersonating popular security tools like Ghidra, dnSpy, and SpiderFoot.

These sites capture users’ first click on a “Download” button and silently hand it to a traffic distribution system (TDS) that can route victims to infostealers, clippers, and a sophisticated loader framework dubbed “SessionGate”.

These lookalike portals are well-designed, often reference real upstream resources such as GitHub, and, in some cases, rank surprisingly high in search results for related queries.

The core monetization and infection logic does not live in the visible HTML but in a CloudFront‑hosted JavaScript staging layer embedded on the pages.

When a user clicks what appears to be a legitimate download link, this script can hijack the event and redirect the browser into a TDS infrastructure that decides, per session, whether to serve benign software, potentially unwanted applications (PUAs), or outright malware.

The fake portals keep the original download href intact, often pointing to legitimate project locations, so status-bar previews and casual inspection look normal.

At the same time, an injected CloudFront script intercepts the first eligible click via browser‑specific handlers (for example, mousedown on Chrome and click on Firefox) and replaces the navigation with a TDS-controlled URL, using techniques such as a cached reference to the original window.open, synthetic clicks, and temporary blank tabs.

Check Point said in a report shared with GBHackers that it uncovered a large-scale operation built around cloned websites for open‑source and freeware projects, including high‑trust tools used by security researchers such as Ghidra, dnSpy, and SpiderFoot.

Routing decisions are stateful and gated by localStorage and anti-bot logic, meaning only the first click may be malicious while repeated attempts fall back to the visible, legitimate link, creating a reproducibility trap for analysts.
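The "visible href versus actual navigation" pattern described above can be checked directly instead of trusting the status bar. The following is an added example written for this article; it is not code from the Check Point report, from GBHackers, or from the campaign's staging script. It assumes it is installed on a suspect page inside an isolated analysis VM before the page's own scripts run (for instance, as a DevTools snippet on a fresh profile or a content script at document_start). The function names `classifyNavigation`, `installClickMonitor`, `snapshotStorage` and `newKeys`, and the fake window object used when exercising it outside a browser, are constructed for this example.

```javascript
'use strict';

// Classify where a click actually went relative to the anchor the user saw.
// 'cross-origin' is the signature of the hand-off the article describes:
// the href pointed at one site, the navigation went to another.
function classifyNavigation(anchorHref, observedUrl, baseUrl) {
  const shown = new URL(anchorHref, baseUrl);
  const actual = new URL(observedUrl, baseUrl);
  if (shown.href === actual.href) return 'same-url';
  if (shown.origin === actual.origin) return 'same-origin';
  return 'cross-origin';
}

// Wrap window.open and add capture-phase mousedown/click listeners (the two
// handler types the article says the staging script uses), so that every
// window.open call is logged with the href of the anchor that was pressed and
// the index of the press that preceded it. `win` is a window-like object
// (the real window in a browser, a constructed fake in tests).
function installClickMonitor(win, events) {
  const state = { lastAnchorHref: null, clickCount: 0 };

  const onPress = (ev) => {
    const anchor = ev.target && ev.target.closest ? ev.target.closest('a[href]') : null;
    if (!anchor) return;
    state.lastAnchorHref = anchor.getAttribute('href');
    if (ev.type === 'mousedown') state.clickCount += 1; // count real presses, not synthetic clicks
  };
  // Capture phase (third argument true) so the monitor sees the event before
  // page scripts that may call stopPropagation().
  win.document.addEventListener('mousedown', onPress, true);
  win.document.addEventListener('click', onPress, true);

  const originalOpen = win.open;
  win.open = function (url, ...rest) {
    const verdict = state.lastAnchorHref
      ? classifyNavigation(state.lastAnchorHref, String(url), win.location.href)
      : 'no-anchor'; // open() with no preceding anchor press: script-initiated
    events.push({
      kind: 'window.open',
      url: String(url),
      anchorHref: state.lastAnchorHref,
      clickIndex: state.clickCount,
      verdict,
    });
    return typeof originalOpen === 'function' ? originalOpen.call(win, url, ...rest) : null;
  };
  return state;
}

// Storage keys that exist only after the first click are candidates for the
// per-session gate that makes the second click fall back to the real link.
function snapshotStorage(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    out[k] = storage.getItem(k);
  }
  return out;
}
function newKeys(before, after) {
  return Object.keys(after).filter((k) => !(k in before));
}

// In a browser: run these lines, click "Download" exactly once, then inspect.
//   const events = []; installClickMonitor(window, events);
//   const before = snapshotStorage(localStorage);
//   ... click ...
//   console.table(events); console.log(newKeys(before, snapshotStorage(localStorage)));
```

Because the article notes that the staging script keeps a cached reference to the original window.open, a wrapper installed after that script has already run may never see the call; install the monitor first, and corroborate with the proxy or DNS log of the analysis VM. Since only the first click is routed through the TDS, clear localStorage (or start from a fresh profile) between attempts rather than re-clicking on the same page.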

The TDS then fans out through multiple redirectors and content lockers, with branches that can end in affiliate installs of legitimate software, PUA bundles, or malware payloads.

Identified entry domains include impersonations such as ghidralite.com and dnspy.org among more than 100 active sites embedding the same campaign scripts.

Downstream of this TDS stack, researchers observed several malware families, including RemusStealer, AnimateClipper, and a previously unknown framework named SessionGate.

Fake Ghidra project website in Google search results (Source: Check Point).

SessionGate stands out as a multi‑stage loader chain delivered via short‑lived, per‑client URLs from Amazon S3 buckets, fronted by obfuscated JavaScript that validates the victim before allowing access to the Windows executable.

The SessionGate loader embeds a 7‑Zip SFX archive and can pivot to a benign installer UI when gating conditions are not met, while heavily obfuscated code, junk instructions, and encrypted strings frustrate static analysis.

It performs extensive environment and AV checks, contacts dedicated C2 infrastructure with signed requests, and uses a two‑DLL architecture where the first DLL acts as a “key broker” to derive one‑time decryption keys for the second, core payload module.

The decrypted module behaves as a server‑driven installer framework capable of silently downloading and executing additional software, making it a flexible delivery vehicle for future malware.


Some of the observed redirect chains across the TDS infrastructure (Source: Check Point).

In another branch, the TDS chain ends with a password‑protected archive that ultimately launches RemusStealer, a MaaS infostealer advertised on underground forums.

RemusStealer uses an encrypted tasking protocol to exfiltrate browser data from Chromium and Firefox, including cookies, passwords, and vault material, and it specifically targets hundreds of browser extensions, with heavy focus on cryptocurrency wallets, password managers, and 2FA plugins.

A third branch leads to a ClickFix‑style phishing page that tricks victims into running a malicious mshta‑based downloader chain, which ends in a crypto‑clipper known as AnimateClipper.

This clipper uses shellcode staged through a bundled Python environment and resolves its C2 by querying a smart contract on the BNB Smart Chain testnet, then hijacks clipboard wallet addresses and swaps them for attacker-controlled wallets embedded in the binary.

Two landing pages observed delivering SessionGate samples (Source: Check Point).

Impersonating Ghidra, dnSpy, and SpiderFoot gives the operators access to a particularly attractive victim profile: security researchers, reverse engineers, and technically inclined users who often have elevated privileges and access to sensitive environments.

The campaign’s scale, reflected in thousands of public VirusTotal submissions across related samples, suggests that this is primarily a traffic acquisition and monetization pipeline whose feeds are selectively sold or routed to malware distributors.

Because the fake portals closely mimic legitimate project branding and preserve real repository links, “top Google result plus official‑looking website” is no longer a reliable safety signal.

For defenders, this campaign illustrates how TDS‑based ecosystems blur the line between gray monetization and overt malware distribution, and why strict validation of download sources, DNS telemetry, and script‑level behaviors is now critical even for well-known security tools.

IOCs

| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 598b023e56c45b19173e8f96c1c88036d732fec305cf6bf1b9cf4dbe304beb7f | SessionGate Stage 1 |
| SHA-256 | 74091f5a8746a1c68d73e1fc1e4e1ff514632ee3f632a8b306f35dabae2d2b64 | SessionGate Stage 1 |
| SHA-256 | 15e6df0c95f2147952308e640d55270e9d097639eaebb34d4b352415f1c6bceb | SessionGate Stage 1 |
| SHA-256 | 3bb92771e287aa0a8bdd8e5b5bb697427223eaefded3d9b64b5d5c32ad40f3c2 | SessionGate Stage 1 |
| SHA-256 | cbad672d9bd06ce91ce465d049e50696fbaec9d209ca0ab1fd814d993d04bc9b | SessionGate Stage 1 |
| SHA-256 | 4cdb1f7ac502289119f7f8256f00baaa994e6ecfb4000dcf5e1c46073508fcb3 | SessionGate Stage 2 |
| SHA-256 | cbad672d9bd06ce91ce465d049e50696fbaec9d209ca0ab1fd814d993d04bc9b | SessionGate Stage 2 DLL #1 |
| SHA-256 | ce0888df5e28716432013a8ae002437bd3e993fbe8362c5ff9efbddabfe0ab77 | SessionGate Stage 2 DLL #1 |
| SHA-256 | 26f2abfc254a59c2386dd46dca16744f7147a0f0366cb6008e1d53219175f44c | SessionGate Stage 2 DLL #2 |
| SHA-256 | e6a1a428a7c09c9946f7c0179d89b263f442dc3208b5144a9146c200e4185bd6 | AnimateClipper |
| SHA-256 | 87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886 | AnimateClipper |
| SHA-256 | 39dc2327fe1e5a56ac5ad9dc02f0386cff3d83dcfdc558cacba42ebb9dcc5ec2 | RemusStealer |
| SHA-256 | 2e842eab0c16ddd1a2ec4a56610adb58d115b65a1e08e9b67e7e375f8eed0873 | RemusStealer |
| Domain | appfreshstart[.]com | SessionGate |
| Domain | appgetonline[.]com | SessionGate |
| Domain | webinnosetup[.]com | SessionGate |
| Domain | appmakingcenter[.]com | SessionGate |
| Domain | yourfastcrc[.]com | SessionGate |
| Domain | mobileversioncrc[.]com | SessionGate |
| Domain | webcrcprove[.]com | SessionGate |
| Domain | integritycrc[.]com | SessionGate |
| URL | http://buccstanor[.]pics:28313 | RemusStealer |
| URL | http://baxe[.]pics:48261 | RemusStealer |
| URL | http://217.156.122[.]75:1378 | RemusStealer |
| URL | http://intem[.]lat:9592 | RemusStealer |
| URL | http://ropea[.]top:28313 | RemusStealer |
| URL | http://forestoaker[.]com:6290 | RemusStealer |
| URL | http://buccstanor[.]pics:48261 | RemusStealer |
| URL | http://94.231.205[.]229:28313 | RemusStealer |
| URL | http://gluckcreek[.]online:48261 | RemusStealer |
| URL | https://185.0xA1.0xFB[.]58/navy.7z | AnimateClipper |
| URL | http://194.150.220[.]218/4SLEYpfAk57hGubo/fo0suc2ki2.rtf | AnimateClipper |
| URL | https://cdn-1415.brightcanvas[.]digital/fo0suc2ki2.rtf | AnimateClipper |
| Domain | kr.hugo-lapp[.]co | AnimateClipper |
| Domain | io.hugo-lapp[.]lat | AnimateClipper |
| Domain | cw.hugo-lapp[.]lat | AnimateClipper |
| Domain | st.hugo-lapp[.]lat | AnimateClipper |
| Domain | td.hugo-lapp[.]lat | AnimateClipper |
| Domain | fd.hugo-lapp[.]lat | AnimateClipper |
| Domain | ed.hugo-lapp[.]lat | AnimateClipper |
| Domain | flame-guard[.]cc | AnimateClipper |
| Domain | carlessclapped[.]com | AnimateClipper |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
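One AnimateClipper URL in the table spells its IP with hexadecimal octets (185.0xA1.0xFB[.]58), a form browsers accept but a naive string match against proxy or DNS telemetry will miss. The following is an added example, not tooling from Check Point or GBHackers: it refangs a subset of the indicators copied from the table above, reduces URL, host:port and IP-literal forms to one canonical host, and matches that set against constructed proxy-log lines. The log lines and their `<time> <client> <method> <url> <status>` layout are assumptions made for this example, as are the function names.

```javascript
'use strict';

// Subset of the article's indicators, copied from the table above in defanged form.
const DEFANGED_IOCS = [
  'appfreshstart[.]com',
  'http://buccstanor[.]pics:28313',
  'http://217.156.122[.]75:1378',
  'https://185.0xA1.0xFB[.]58/navy.7z', // hex octets: 0xA1 = 161, 0xFB = 251
  'cdn-1415.brightcanvas[.]digital',
];

// Refang the article's "[.]" convention (and the common hxxp scheme) for
// ingestion; defang replaces the last dot of a host for safe display.
function refang(indicator) {
  return indicator.replace(/\[\.\]/g, '.').replace(/^hxxp(s?):\/\//i, 'http$1://');
}
function defang(host) {
  return host.replace(/\.(?=[^.]*$)/, '[.]');
}

// Browsers accept IPv4 literals with hex (0x..), octal (leading 0) or decimal
// octets. Convert a 4-part literal to dotted decimal so one address cannot hide
// behind several spellings; return null when the host is not such a literal.
function canonicalIPv4(host) {
  const parts = host.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => {
    if (/^0x[0-9a-f]+$/i.test(p)) return parseInt(p.slice(2), 16);
    if (/^0[0-7]+$/.test(p)) return parseInt(p, 8);
    if (/^(0|[1-9][0-9]*)$/.test(p)) return parseInt(p, 10);
    return NaN;
  });
  if (octets.some((n) => Number.isNaN(n) || n > 255)) return null;
  return octets.join('.');
}

// Reduce a URL, host:port or bare host to a canonical lower-case host.
function extractHost(s) {
  let h = s.replace(/^[a-z][a-z0-9+.-]*:\/\//i, ''); // drop scheme
  h = h.split(/[/?#]/)[0];                            // drop path, query, fragment
  h = h.replace(/:\d+$/, '').toLowerCase();           // drop port
  return canonicalIPv4(h) || h;
}

function buildIocSet(defangedList) {
  return new Set(defangedList.map((i) => extractHost(refang(i))));
}

// IP literals match exactly; names also match on parent domains, so a host
// under a listed domain (for example dl.appfreshstart.com) is caught.
function lookup(host, iocSet) {
  if (canonicalIPv4(host)) return iocSet.has(host) ? host : null;
  const labels = host.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join('.');
    if (iocSet.has(candidate)) return candidate;
  }
  return null;
}

// Constructed proxy-log lines: "<time> <client> <method> <url> <status>".
const SAMPLE_PROXY_LOG = [
  '2024-01-01T10:00:01Z 10.0.0.5 GET https://github.com/NationalSecurityAgency/ghidra/releases 200',
  '2024-01-01T10:00:02Z 10.0.0.5 GET http://buccstanor.pics:28313/api 200',
  '2024-01-01T10:00:03Z 10.0.0.7 GET https://185.161.251.58/navy.7z 200',
  '2024-01-01T10:00:04Z 10.0.0.8 GET https://0xb9.0xa1.0xfb.0x3a/navy.7z 200',
  '2024-01-01T10:00:05Z 10.0.0.9 GET https://dl.appfreshstart.com/setup.exe 200',
  '2024-01-01T10:00:06Z 10.0.0.9 GET https://ghidra-sre.org/ 200',
];

// Return one hit per log line whose request host resolves to a listed indicator.
function matchProxyLog(lines, iocSet) {
  const hits = [];
  for (const line of lines) {
    const fields = line.split(/\s+/);
    if (fields.length < 5) continue;
    const host = extractHost(fields[3]);
    const ioc = lookup(host, iocSet);
    if (ioc) hits.push({ client: fields[1], host, ioc, line });
  }
  return hits;
}

const HITS = matchProxyLog(SAMPLE_PROXY_LOG, buildIocSet(DEFANGED_IOCS));
for (const h of HITS) console.log(`${h.client} -> ${h.host} (matches ${defang(h.ioc)})`);
```

Both the decimal and the all-hex spellings of the AnimateClipper host land on the same canonical entry, which is the point of normalizing on both the indicator and the log side before comparing; the same idea applies to hashes, where lower-casing before comparison avoids silent misses.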
