"The deception is not in the page content alone, it's in what happens when a user interacts," Check Point researcher Alexey Bukhteyev said, summarizing a campaign that impersonates legitimate open‑source and freeware projects to funnel visitors into malware distribution paths.
How counterfeit open‑source portals deceive users
Researchers say the operation creates well‑designed sites that mimic trusted project portals, sometimes preserving real GitHub links and referencing upstream resources, so they pass a quick visual check. The impersonated projects include legitimate reverse‑engineering and security tools such as Ghidra, dnSpy, and SpiderFoot. At first glance these pages appear plausible; the deception only surfaces when a user clicks a download button or link.
Traffic Distribution System (TDS): gating, click interception, and benign decoys
Check Point found that the counterfeit pages load a CloudFront‑hosted JavaScript staging layer which intercepts the download click and hands the visitor off to a Traffic Distribution System (TDS). The TDS enforces strict gating: first‑visit state, mandatory click confirmation, anti‑bot and anti‑analysis logic, VPN/datacenter filtering, and frequency capping. Because the link's href is left untouched, hovering over a download button often shows the legitimate upstream URL, strengthening the illusion.
The redirect chains are engineered to serve different outcomes depending on visitor behavior and repetition: repeated attempts from the same IP address can yield benign software such as the Opera browser or unnecessary browser extensions, while a single, correctly gated flow can hand the user to malicious payload delivery. Check Point concluded that the operators’ primary objective is likely traffic acquisition and monetization, but that the same pipeline can selectively route users to malware distributors.
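The two mechanics described above, a link whose hover text is legitimate while its click is hijacked, and a gate that hands a payload only to a first, confirmed, human‑looking click and a decoy to everything else, can be modelled compactly. The following is an added example written for this page, not code from the campaign or from Check Point's report; the URLs, visitor fields and thresholds are assumptions, and a tiny stand‑in anchor is used so the model runs under Node without a browser.

```javascript
// Added illustration (not the campaign's staging script): hover/click illusion + TDS gate.
// All URLs and field names below are assumptions for the example.

// Minimal stand-in for a DOM anchor so the model runs without a browser.
class FakeAnchor {
  constructor(href) { this.href = href; this.handlers = []; this.navigatedTo = null; this.lastReason = null; }
  addEventListener(type, fn) { if (type === 'click') this.handlers.push(fn); }
  hoverText() { return this.href; }                 // what the status bar shows on hover
  click() {
    const ev = { defaultPrevented: false, preventDefault() { this.defaultPrevented = true; } };
    for (const fn of this.handlers) fn(ev);
    if (!ev.defaultPrevented) this.navigatedTo = this.href;   // a normal link follows its href
    return this.navigatedTo;
  }
}

const LEGIT_RELEASE = 'https://github.com/example-org/example-tool/releases'; // assumed
const PAYLOAD_URL   = 'https://files-cdn.example/Setup.exe';                 // assumed
const DECOY_URL     = 'https://decoy-installer.example/OperaSetup.exe';      // assumed

// The gate: every check must pass on a single, first, confirmed click from a
// residential-looking address. Anything else gets the benign decoy, which is
// exactly what a sandbox sees on its second fetch or from a datacenter range.
function tdsDecide(visitor) {
  if (visitor.isBot || visitor.isDatacenterOrVpn) return { route: 'decoy', reason: 'bot/datacenter filter' };
  if (!visitor.clickConfirmed)                   return { route: 'decoy', reason: 'no confirmed click' };
  if (!visitor.firstVisit)                       return { route: 'decoy', reason: 'repeat visit' };
  if (visitor.hitsFromIp >= 1)                   return { route: 'decoy', reason: 'frequency cap' };
  return { route: 'payload', reason: 'all gates passed' };
}

// The staging hook: href stays legitimate (hover looks right), the click goes elsewhere.
function installStagingHook(anchor, visitor) {
  anchor.addEventListener('click', (ev) => {
    ev.preventDefault();                       // the browser never follows the real href
    visitor.clickConfirmed = true;             // the click itself is the confirmation signal
    const decision = tdsDecide(visitor);
    visitor.hitsFromIp += 1;                   // per-IP state the TDS keeps between attempts
    visitor.firstVisit = false;
    anchor.navigatedTo = decision.route === 'payload' ? PAYLOAD_URL : DECOY_URL;
    anchor.lastReason = decision.reason;
  });
}

// Practitioner check: do the hover text and the real destination point at the same host?
function hoverClickMismatch(anchor) {
  if (anchor.navigatedTo === null) return false;
  return new URL(anchor.hoverText()).hostname !== new URL(anchor.navigatedTo).hostname;
}

// Walk one fresh visitor and one datacenter visitor through the same link.
function demo() {
  const visitor = { firstVisit: true, hitsFromIp: 0, clickConfirmed: false, isBot: false, isDatacenterOrVpn: false };
  const a = new FakeAnchor(LEGIT_RELEASE);
  installStagingHook(a, visitor);
  const first  = a.click();   // first gated click from a fresh IP: payload
  const second = a.click();   // same IP again: decoy
  const sandbox = { firstVisit: true, hitsFromIp: 0, clickConfirmed: false, isBot: false, isDatacenterOrVpn: true };
  const b = new FakeAnchor(LEGIT_RELEASE);
  installStagingHook(b, sandbox);
  const fromDatacenter = b.click();   // datacenter/VPN egress: decoy even on first click
  return { hover: a.hoverText(), first, second, fromDatacenter, mismatch: hoverClickMismatch(a) };
}
```

The model makes the analysis trap explicit: the first click from a fresh residential address returns the payload, the second click from the same address and any click from a datacenter range return the decoy, and a direct request that skips the click (calling `tdsDecide` with `clickConfirmed` false) is also turned away. In a real browser the hover text is just the anchor's `href`; the click handler that overrides it is only visible in DevTools (for example via `getEventListeners(element)` in Chrome's console), which is why the visual cue alone is not trustworthy.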
SessionGate, Remus Stealer, and AnimateClipper: the delivered payloads
Beginning in January 2026, the TDS infrastructure was repurposed to deliver multiple malware families, according to Check Point. The campaign distributes at least three distinct threats:
- SessionGate — a previously unknown, multi‑stage, obfuscated loader used to deliver potentially unwanted applications (PUA). SessionGate incorporates extensive anti‑analysis mechanisms intended to mislead sandboxes by pivoting to a benign installer experience. The final DLL in the SessionGate chain contacts an external server, retrieves an encrypted configuration, extracts a download URL from that configuration, and then downloads and silently executes the next‑stage malware via cmd.exe. VirusTotal telemetry shows approximately 2,000 to 3,500 submissions of SessionGate samples to date, most originating from Turkey, Poland, Brazil, Germany, France, Russia, and the U.K.
- Remus Stealer — a new information stealer offered under a malware‑as‑a‑service model. Remus can steal data from more than 20 browsers, and from hundreds of browser extensions and applications, including cryptocurrency wallets, two‑factor authentication tools, and password managers. Check Point notes Remus is believed to be a variant of the Lumma Stealer.
- AnimateClipper — a cryptocurrency clipper that substitutes wallet addresses copied to the clipboard, hijacking transactions across more than 20 blockchain ecosystems. Check Point reports AnimateClipper is delivered via a ClickFix lure.
Search‑engine rankings and timeline: September 2025 to January 2026
Fullstory documented an early iteration of the campaign in November 2025 and reported that activity appears to have been ongoing since September 2025. Fullstory — described in the coverage as an Atlanta‑based company — noted the domains focused on gaining favorable search engine rankings by leveraging the names, brands, and popularity of real projects; many bogus sites ranked in the top Google results for relevant search terms, often eclipsing the real project sites. Initially, there was no indication the domains were used maliciously beyond driving traffic and hosting third‑party advertising, but Check Point found TDS scripts were embedded not long after and the infrastructure began delivering malware in January 2026.
What this means for technologists, open‑source maintainers, and end users
- Technologists and security teams: The TDS's gating behavior (first‑visit logic, mandatory click confirmation, VPN/datacenter filtering, frequency capping, and sandbox evasion) means the full redirect and payload chain cannot be reproduced by passive analysis alone. Fetching the chain a second time from the same address, or from a datacenter or VPN range, returns the benign decoy rather than the payload, so reproduction requires a live, correctly gated interaction from a first‑seen, non‑datacenter address.
- Open‑source maintainers: Because counterfeit pages preserve legitimate links and references, maintainers should watch for look‑alike domains and search‑engine abuse that ranks fake mirrors above official project pages, and consider notifying platform operators and registrars when impersonation appears.
- End users: Search results that surface project downloads can be manipulated, and hovering over a download link may show a legitimate URL even when the click goes elsewhere, so that visual cue can be weaponized. Navigating directly to the official project page or verified repository, rather than to a download site surfaced by a search result, reduces the chance of being funneled into a TDS chain.
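Although the gated chain resists reproduction in a sandbox, real users who are funneled through it leave a recognizable trail in ordinary web‑proxy logs: a visit to a domain that borrows a real project's name, a short hop across unrelated redirecting hosts, and finally a binary fetched from a host that is not the project's official home. The heuristic below is an added example written for this page, not a Check Point detection or the campaign's infrastructure; the log field layout, the brand list, the official‑host allowlist and all sample log lines are constructed for the example.

```javascript
// Added example (not from the report): flag proxy-log sessions that start on a
// brand-bearing look-alike domain, pass through redirecting third-party hosts, and end
// in a binary download from a non-official host. Field layout and lists are assumptions.

const WATCHED_BRANDS = ['ghidra', 'dnspy', 'spiderfoot'];                       // assumed
const OFFICIAL_HOSTS = new Set(['github.com', 'objects.githubusercontent.com']); // assumed
const BINARY_EXT = /\.(exe|msi|zip|dmg|pkg)$/i;

// Constructed sample log: "<ISO timestamp> <client> <method> <url> <status>".
const SAMPLE_LOG = [
  '2026-01-14T10:00:00Z 10.0.0.5 GET https://ghidra-download.example/ 200',
  '2026-01-14T10:00:01Z 10.0.0.5 GET https://d1a2b3c4.cloudfront.example/stage.js 200',
  '2026-01-14T10:00:09Z 10.0.0.5 GET https://tds-entry.example/go?c=1 302',
  '2026-01-14T10:00:10Z 10.0.0.5 GET https://tds-hop.example/r 302',
  '2026-01-14T10:00:11Z 10.0.0.5 GET https://files-cdn.example/Ghidra_Setup.exe 200',
  '2026-01-14T10:05:00Z 10.0.0.9 GET https://github.com/example-org/example-tool/releases 200',
  '2026-01-14T10:05:04Z 10.0.0.9 GET https://github.com/example-org/example-tool/releases/download/v1/tool.zip 302',
  '2026-01-14T10:05:05Z 10.0.0.9 GET https://objects.githubusercontent.com/abc/tool.zip 200',
];

function parseLine(line) {
  const [ts, client, method, url, status] = line.trim().split(/\s+/);
  return { t: Date.parse(ts), client, method, url, status: Number(status), host: new URL(url).hostname };
}

// A host "borrows" a brand if the project name appears in the hostname itself.
function brandOf(host) { return WATCHED_BRANDS.find(b => host.includes(b)) || null; }

function isBinary(url) { return BINARY_EXT.test(new URL(url).pathname); }

// Returns one alert per funnel: entry look-alike host, redirecting hops, final download.
function detectFunnels(lines, windowSec = 120) {
  const byClient = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!byClient.has(e.client)) byClient.set(e.client, []);
    byClient.get(e.client).push(e);
  }
  const alerts = [];
  for (const [client, events] of byClient) {
    events.sort((a, b) => a.t - b.t);
    for (let i = 0; i < events.length; i++) {
      const start = events[i];
      const brand = brandOf(start.host);
      if (!brand || OFFICIAL_HOSTS.has(start.host)) continue;   // official pages never alert
      const hops = new Set();
      let download = null;
      for (let j = i + 1; j < events.length && events[j].t - start.t <= windowSec * 1000; j++) {
        const e = events[j];
        if (e.status >= 300 && e.status < 400 && e.host !== start.host) hops.add(e.host);
        if (e.status === 200 && isBinary(e.url) && !OFFICIAL_HOSTS.has(e.host)) { download = e; break; }
      }
      if (download && hops.size >= 1) {
        alerts.push({ client, brand, entry: start.host, hops: [...hops], download: download.url });
        i = events.indexOf(download);   // do not re-alert on the same funnel
      }
    }
  }
  return alerts;
}
```

Run against the constructed log, the heuristic flags the 10.0.0.5 session (entry on a Ghidra look‑alike, two redirecting hosts, an .exe from a third host) and stays quiet for 10.0.0.9, whose download comes from the official repository. It deliberately does not key on the CloudFront staging host, since CloudFront is ubiquitous; and a decoy such as an Opera installer would still trip it, which is useful for hunting because the decoy path is evidence that a user was routed through the same gate.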
The campaign illustrates how search‑surfaced trust — good branding, accurate links, and a convincing page — can be combined with sophisticated distribution plumbing to deliver malware selectively. Check Point’s findings tie content‑generation and monetization goals to a delivery pipeline that, after being retrofitted with TDS scripts, began funneling users to SessionGate, Remus Stealer, AnimateClipper, and other downstream consumers starting in January 2026. The question now is not whether search traffic can be bought or spoofed, but which actors are buying access to these gated pipelines and how that traffic will be routed next.