Hackers Use Fake Sites Impersonating Ghidra to Spread Malware
Threat actors are leveraging convincing fake websites, impersonating popular security tools, to trick unsuspecting users into downloading malware.
Instead of obvious phishing pages, these sites look almost identical to real project portals, complete with professional designs and links pointing to actual GitHub repositories.
The moment a user clicks the download button, something very different happens behind the scenes.
Rather than getting the software they came for, victims are silently routed through a hidden traffic-filtering layer known as a Traffic Distribution System, or TDS.
This system acts as a gatekeeper, deciding which users get redirected to malware and which receive a harmless file. It screens for location, browser type, VPN usage, and whether a security researcher might be watching, making it extremely difficult to detect or catch in the act.
Analysts at Check Point Research investigated this large-scale campaign and found that the fake sites load a JavaScript file hosted on Amazon’s CloudFront network.
This script intercepts the very first download click and quietly hands the user off to the TDS, with no visible sign that anything unusual has occurred.
Check Point said in a report shared with Cyber Security News (CSN) that the operation specifically targets tools trusted by security professionals, including Ghidra, dnSpy, and SpiderFoot.
The campaign has been active since at least December 2025, with recorded malware delivery confirmed from early January 2026. VirusTotal telemetry shows more than 5,000 submissions tied to related samples, and researchers note the real exposure is likely much higher.
The fact that the impersonated tools are used daily by security researchers makes this campaign particularly alarming, since it targets the very people trained to spot these threats.
Three distinct malware families serve as the final payloads. RemusStealer is a newly emerged infostealer that harvests data from more than 20 browsers as well as from cryptocurrency wallets, password managers, and two-factor authentication tools.
AnimateClipper silently monitors the clipboard and swaps copied wallet addresses with attacker-controlled ones, potentially redirecting real funds without the victim ever realizing it.
A third payload named SessionGate is a multi-stage loader with heavy obfuscation and one-time-key delivery that makes it extraordinarily difficult for analysts to examine.
Hackers Impersonate Ghidra, dnSpy, and SpiderFoot
More than 100 active fake websites have been identified in this cluster, all sharing the same CloudFront-hosted scripts and campaign identifiers.
Sites like ghidralite[.]com and dnspy[.]org appear near the top of Google results for relevant queries, lending them a false sense of authority.

When a user hovers over the download button, the browser status bar even shows a real GitHub URL, so cautious users may not notice anything is wrong.

The JavaScript loaded by these pages listens for the user’s first interaction and intercepts it before normal navigation can proceed. On Chrome it captures a mousedown event; on Firefox it uses a click event.
It then generates a TDS runtime URL, redirects the user silently, and cancels the original navigation entirely. The victim ends up somewhere completely different from where they intended, and the whole process is invisible.
SessionGate: Built to Resist Every Analyst
Among all payloads found, SessionGate stood out for how aggressively it resists analysis.

The initial downloaded file is a 7-Zip archive around 20 MB, but the actual executable inside is only 15 MB, with the remaining 5 MB being obfuscated loader code designed to break tools like IDA’s decompiler.
Functions can exceed 500 KB in size, and encrypted strings are placed inside code regions to confuse disassemblers further.

The decryption key for the final payload stage is generated server-side and released only once per victim session. If a researcher tries to replay the chain from a different IP address, the server returns a valid-looking but useless key, making the payload completely unreadable.
Security teams are strongly advised to download software exclusively from official project pages or verified repositories, verify file hashes after downloading, and actively monitor outbound connections to the C2 domains and infrastructure identified in this campaign.
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
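One way to act on the advice above to monitor outbound connections, and on the note about defanged indicators, is to re-fang the `[.]` notation and sweep proxy or DNS logs for the resulting hostnames. The following is an added example, not code from Check Point or this article; only the two impersonation domains come from the text, while the third indicator and all log lines are constructed placeholders.

```python
import re
from typing import Iterable

# Defanged indicators in the article's own notation. ghidralite[.]com and
# dnspy[.]org appear in the text above; the third entry is a constructed
# placeholder standing in for a C2 URL, not a real indicator.
DEFANGED_IOCS = [
    "ghidralite[.]com",
    "dnspy[.]org",
    "hxxp://c2-placeholder[.]example:28313",  # constructed placeholder
]

def refang(indicator: str) -> str:
    """Undo common defanging ([.] / (.) / [dot] / hxxp) so it can match logs."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return re.sub(r"^hxxp", "http", s)

def host_of(indicator: str) -> str:
    """Reduce a refanged URL or bare domain to its hostname (no scheme/port/path)."""
    s = re.sub(r"^[a-z]+://", "", indicator)
    s = s.split("/", 1)[0]          # drop any path
    return s.split(":", 1)[0]       # drop any port

def build_watchlist(defanged: Iterable[str]) -> set[str]:
    return {host_of(refang(i)) for i in defanged}

def find_hits(log_lines: Iterable[str], watchlist: set[str]) -> list[tuple[int, str]]:
    """Return (line_number, host) for every watchlisted host seen in the logs.
    The boundaries stop 'dnspy.org' matching 'notdnspy.org' but still allow
    subdomains such as 'www.dnspy.org', since the '.' is not a hostname char."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        for host in watchlist:
            if re.search(r"(?<![a-z0-9-])" + re.escape(host) + r"(?![a-z0-9-])", low):
                hits.append((n, host))
    return hits

# Constructed proxy log lines for demonstration only.
SAMPLE_LOGS = [
    "2026-01-14T10:02:11Z 10.0.0.12 GET https://github.com/NationalSecurityAgency/ghidra 200",
    "2026-01-14T10:02:15Z 10.0.0.12 GET https://www.ghidralite.com/download 302",
    "2026-01-14T10:03:01Z 10.0.0.31 CONNECT c2-placeholder.example:28313 200",
    "2026-01-14T10:03:09Z 10.0.0.31 GET https://notdnspy.org/ 200",
]

if __name__ == "__main__":
    for line_no, host in find_hits(SAMPLE_LOGS, build_watchlist(DEFANGED_IOCS)):
        print(f"line {line_no}: outbound request to watchlisted host {host}")
```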
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.