Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem

Description

A large-scale operation impersonates open-source and freeware projects to capture search traffic, targeting tools such as Ghidra, dnSpy, and SpiderFoot. The professionally designed sites load CloudFront-hosted JavaScript that converts download button clicks into handoffs to a Traffic Distribution System (TDS), which enforces strict gating including first-visit state, click confirmation, anti-bot logic, VPN filtering, and frequency capping. The ecosystem appears primarily built for traffic acquisition and monetization using legitimate ad-tech, but downstream redirect chains repeatedly led selected users to malware delivery infrastructure. The observed payloads include SessionGate (a multi-stage loader with heavy obfuscation delivering potentially unwanted applications), RemusStealer (an infostealer targeting over 20 browsers and hundreds of extensions), and AnimateClipper (a cryptocurrency clipper supporting 20+ blockchain ecosystems). Over 5,000 VirusTotal submissions indicate substantial reach across the ...