
Imitation OSS Portals Hijack Google Rankings to Deliver Malware via Gatekeeper Traffic System
Cybersecurity researchers flag a large-scale operation that impersonates open-source and freeware projects to funnel users through a gated Traffic Distribution System (TDS). The sites mimic legitimate tools (e.g., Ghidra, dnSpy, SpiderFoot) and rank highly on Google, then redirect a download click into a restricted TDS chain featuring anti-analysis checks and VPN/datacenter filtering. The system distributes malware families such as SessionGate (a multi-stage loader), Remus Stealer, and AnimateClipper, with the final DLL contacting a remote server to fetch an encrypted config and download the next-stage payload via cmd.exe. The campaign appears aimed at traffic monetization, but can also route real users to malicious payloads, leveraging believable URLs to boost trust while masking malicious activity.
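A defender-side triage of the pattern described above, as an added example that is not from the researchers' report: it scans proxy-log entries for hosts that embed the name of an impersonated project without being on an allowlist, then lists the off-site requests those hosts referred, which is where the redirect chain begins. The allowlist, the log layout and every `.example` host are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts treated as official for each project named in the article.
# Verify against each project's own documentation before using this list.
OFFICIAL_HOSTS = {
    "ghidra": {"ghidra-sre.org", "github.com"},
    "dnspy": {"github.com"},
    "spiderfoot": {"github.com"},
}

# Constructed proxy-log sample: (requested URL, Referer header). Not real traffic.
SAMPLE_LOG = [
    ("https://github.com/NationalSecurityAgency/ghidra/releases", ""),
    ("https://ghidra-tool.example/download", "https://www.google.com/"),
    ("https://hop1.example/r?id=1", "https://ghidra-tool.example/download"),
    ("https://get-dn-spy.example/", "https://www.google.com/"),
    ("https://get-dn-spy.example/style.css", "https://get-dn-spy.example/"),
    ("https://ghidra-sre.org/", "https://www.google.com/"),
]

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def impersonated_project(host):
    """Return the project whose name is embedded in a non-official host, else None."""
    squashed = "".join(c for c in host if c.isalnum())  # "dn-spy" -> "dnspy"
    for project, allowed in OFFICIAL_HOSTS.items():
        official = any(host == h or host.endswith("." + h) for h in allowed)
        if project in squashed and not official:
            return project
    return None

def triage(log):
    """Split a log into lookalike landing hosts and off-site hops they referred."""
    lookalikes, hops = {}, []
    for url, referer in log:
        host, ref_host = host_of(url), host_of(referer)
        project = impersonated_project(host)
        if project:
            lookalikes[host] = project
        # A request leaving a lookalike host for a different host is the start
        # of the redirect chain and the URL to pivot on.
        if ref_host != host and impersonated_project(ref_host):
            hops.append((ref_host, url))
    return lookalikes, hops

if __name__ == "__main__":
    found, chain = triage(SAMPLE_LOG)
    print(found)
    print(chain)
```

Name matching on hostnames is a triage signal only: it will miss lookalikes that avoid the project name and can flag legitimate mirrors, so hits need review before blocking.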