Precision Impersonation: How Click-Hijacking and TDS Ecosystems Weaponize Trusted Security Tools
Cybercriminals are currently executing a sophisticated campaign that weaponizes search engine optimization (SEO) and high-fidelity web clones to distribute malware. By impersonating highly trusted open-source security tools—specifically Ghidra, dnSpy, and SpiderFoot—attackers are successfully targeting the very professionals meant to defend against them: security researchers and reverse engineers.
These fraudulent portals are meticulously crafted to mirror legitimate project branding, often referencing authentic upstream resources like GitHub to build immediate rapport with the user. According to a detailed report by Check Point Research, these sites frequently achieve high rankings in organic search results, making them appear as authoritative first-click destinations.
The Mechanics of Click-Hijacking and Traffic Distribution
The core infection logic is decoupled from the visible HTML to evade simple static analysis: the page markup itself looks clean, and the threat actors load a JavaScript staging layer hosted on CloudFront. That script acts as a silent interceptor, monitoring user interaction events on the page.
The technical execution is remarkably surgical:
- Event Interception: The script hijacks the first valid user interaction. It uses browser-specific handlers, `mousedown` on Chrome and `click` on Firefox, to catch the user before the browser completes the intended navigation.
- Deceptive Integrity: To pass casual inspection, the fake portals keep the original, legitimate `href` attributes intact. Hovering over a download button therefore shows a legitimate URL (such as a GitHub repository) in the status bar, while the injected script redirects the actual navigation to a Traffic Distribution System (TDS).
- Stateful Evasion: The TDS uses `localStorage` and anti-bot logic to create a "reproducibility trap." The malicious redirect is typically gated to the first click only; later clicks from the same browser profile, and automated sandbox visits, fall back to the legitimate link, so the site appears benign both to automated scanners and to an analyst who tries to reproduce the redirect on a second attempt.
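To make the three mechanisms above concrete, here is an added example (not the campaign's own script and not code from the Check Point report) that models the click-hijack in Node.js. The DOM anchor and window.localStorage are replaced by tiny stand-ins so it runs offline; LEGIT_URL and TDS_URL are constructed placeholders, and FakeLink, FakeStorage, installHijack, simulateSession and demoSequence are assumed names.

```javascript
// Added example, not the campaign's script and not code from Check Point's
// report: a Node.js model of the click-hijack and first-click gating described
// above. The DOM anchor and window.localStorage are replaced by tiny stand-ins
// so it runs offline. LEGIT_URL and TDS_URL are constructed placeholders;
// FakeLink, FakeStorage, installHijack and simulateSession are assumed names.

const LEGIT_URL = "https://github.com/example-org/example-tool"; // constructed
const TDS_URL = "https://tds.invalid/go?c=1";                    // constructed (.invalid TLD)

// Stand-in for a DOM anchor: an href plus an event-listener table.
class FakeLink {
  constructor(href) {
    this.href = href;
    this.listeners = {};
  }
  addEventListener(type, fn) {
    (this.listeners[type] = this.listeners[type] || []).push(fn);
  }
  // Fires every listener for `type`; returns true if one cancelled the default action.
  dispatch(type) {
    const ev = { type, defaultPrevented: false, preventDefault() { this.defaultPrevented = true; } };
    for (const fn of this.listeners[type] || []) fn(ev);
    return ev.defaultPrevented;
  }
}

// Stand-in for window.localStorage (string values, null when absent).
class FakeStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
}

// Behaviour of the staging script as the article describes it: pick the
// interception event per browser (mousedown on Chrome, click on Firefox),
// leave link.href untouched so hovering still shows the real URL, and
// redirect only on the first interaction recorded in storage.
function installHijack(link, storage, userAgent, navigate) {
  const eventName = /Firefox\//.test(userAgent) ? "click" : "mousedown";
  link.addEventListener(eventName, (ev) => {
    if (storage.getItem("hj_seen") !== null) return; // not the first click: stay benign
    storage.setItem("hj_seen", "1");
    ev.preventDefault(); // cancel the legitimate navigation
    navigate(TDS_URL);   // and send the user to the TDS instead
  });
}

// One browser profile visiting the fake portal. click() replays the browser's
// mousedown -> click -> default-navigation sequence; a navigation started by
// a handler wins over the anchor's default action.
function simulateSession(userAgent) {
  const link = new FakeLink(LEGIT_URL);
  const storage = new FakeStorage();
  let scripted = null;
  installHijack(link, storage, userAgent, (url) => { scripted = url; });
  return {
    link,
    hoverTarget: () => link.href, // what the status bar shows on hover
    click() {
      scripted = null;
      const cancelledByMousedown = link.dispatch("mousedown");
      const cancelledByClick = link.dispatch("click");
      if (scripted !== null) return scripted;
      return cancelledByMousedown || cancelledByClick ? null : link.href;
    },
  };
}

// Walk-through for one fresh profile: [hover target, first click, second click].
function demoSequence(userAgent) {
  const s = simulateSession(userAgent);
  return [s.hoverTarget(), s.click(), s.click()];
}
```

Running demoSequence with a Chrome user agent yields the legitimate URL on hover, the TDS URL on the first click, and the legitimate URL again on the second click. The practical caveat for analysts follows directly from the storage key: the redirect will not reproduce on a repeat visit from the same profile, so reproduce it in a fresh profile (or after clearing the site's storage), and confirm where a click actually goes from the network log rather than from the hover text. In Chrome DevTools, getEventListeners(element) in the console lists the handlers attached to a download button, which exposes this kind of interception on a live page.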

Downstream Payload Analysis: SessionGate, RemusStealer, and AnimateClipper
Once a victim is routed through the TDS infrastructure, the infection path diverges based on the attacker’s monetization goals. Researchers have identified three primary branches within this ecosystem:
1. The SessionGate Loader Framework
SessionGate operates as a multi-stage loader. It uses short-lived, per-client URLs hosted in Amazon S3 buckets, fronted by heavily obfuscated JavaScript that validates the victim's environment (antivirus and sandbox detection). Only if the environment passes these checks does the loader deliver a Windows executable built as a 7-Zip SFX archive.
The framework utilizes a unique two-DLL architecture: the primary DLL serves as a “key broker,” deriving one-time decryption keys required by the second, core payload module. This design, combined with junk instructions and encrypted strings, significantly complicates static and dynamic analysis.

2. RemusStealer (MaaS Infostealer)
Another branch of the TDS delivers a password-protected archive containing RemusStealer, a Malware-as-a-Service (MaaS) offering. This infostealer employs an encrypted tasking protocol to exfiltrate sensitive data from Chromium and Firefox browsers. Its primary targets include cookies, credentials, and specifically, browser extensions associated with cryptocurrency wallets and 2FA plugins.
3. AnimateClipper (Crypto-Clipper)
A third path uses "ClickFix" social-engineering tactics (the victim is tricked into pasting and running a command themselves) to trigger an mshta-based downloader. This chain culminates in AnimateClipper, a specialized malware that runs shellcode staged through a bundled Python environment. Notably, AnimateClipper resolves its Command & Control (C2) infrastructure by querying a smart contract on the BNB Smart Chain testnet; this blends the lookup with legitimate blockchain traffic and lets the operator change the C2 address by updating the contract rather than the malware. Once active, it hijacks the system clipboard and swaps copied cryptocurrency wallet addresses for ones owned by the attacker.
Defensive Implications
The scale of this operation—evidenced by thousands of related samples on VirusTotal—indicates a highly professionalized traffic acquisition pipeline. The attackers are not just seeking any victim; they are hunting for high-privilege users within the security community.
For security professionals, this campaign is a stark reminder that a top Google result and a professional-looking UI are not proxies for trust. Download tools only from the project's canonical repository or release page, reached via a known URL rather than a search result, and verify release hashes or signatures where the project publishes them. When vetting a download page, check where a click actually goes (the browser's network log), not just what the status bar shows on hover, and remember that first-click gating means a redirect may not reproduce on a second visit unless you use a fresh profile or clear the site's storage. On the network side, monitor DNS and proxy telemetry for anomalies around downloads, and keep a high degree of scrutiny for script-level behaviour even when the software being fetched is reputable open source.