Wednesday, May 7, 2025

Attackers Exploit SourceForge Platform to Distribute Malware


A recent malware distribution scheme has been uncovered on SourceForge, the popular software hosting and distribution platform.

Cybercriminals have leveraged SourceForge’s subdomain feature to lure users with fake software downloads, which serve as the first link in a malicious infection chain.

This attack, primarily targeting Russian-speaking users, has raised alarms within the cybersecurity community for its level of complexity and persistence techniques.

Exploitation of SourceForge Domains

The campaign starts with a seemingly legitimate software project called “officepackage” hosted on SourceForge.net.

[Figure: Description of the “officepackage” project]

The description and files of “officepackage” appear genuine, mimicking Microsoft Office add-ins from GitHub.

What makes this operation unique is the attackers’ exploitation of SourceForge’s feature that generates subdomains (e.g., officepackage.sourceforge[.]io) for hosted projects.

These subdomains are well-indexed by search engines, lending credibility to malicious pages created by the attackers.

On the officepackage.sourceforge[.]io domain, visitors are presented with an enticing list of office applications accompanied by “Download” buttons.

Hovering over these buttons reveals misleading URLs, such as loading.sourceforge[.]io/download.

Clicking these buttons initiates a multi-step malware infection chain, leading users to download a suspicious 7MB archive named “vinstaller.zip.”

The Infection Process

Inside “vinstaller.zip” lies a password-protected archive (“installer.zip”) and a text file disclosing the password.

[Figure: Contents of the RAR archive]

Once extracted, the archive contains an oversized Windows Installer file named “installer.msi,” inflated with null bytes to falsely appear legitimate.
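The null-byte inflation described above lends itself to a simple triage check. The following Python function is an added example (not code from the report or the article): it measures the trailing run of null bytes and the overall null ratio of a file's content and flags anything where padding dominates. The thresholds and the sample blobs are constructed assumptions; the only real value used is the OLE compound-file magic that MSI files begin with.

```python
"""Triage check for files inflated with null-byte padding (added example)."""
from dataclasses import dataclass


@dataclass
class PaddingReport:
    size: int
    trailing_nulls: int
    null_ratio: float
    suspicious: bool


def trailing_null_run(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the very end of the data."""
    stripped = data.rstrip(b"\x00")
    return len(data) - len(stripped)


def analyze_padding(data: bytes, min_size: int = 1024,
                    trailing_threshold: float = 0.5,
                    ratio_threshold: float = 0.9) -> PaddingReport:
    """Flag content whose size is dominated by null bytes.

    min_size: ignore tiny inputs, where ratios are meaningless (assumed default).
    trailing_threshold: fraction of the file taken up by one trailing null run.
    ratio_threshold: fraction of all bytes that are null.
    All three defaults are illustrative assumptions, not values from the report.
    """
    size = len(data)
    trailing = trailing_null_run(data)
    null_ratio = data.count(0) / size if size else 0.0
    suspicious = size >= min_size and (
        trailing / size >= trailing_threshold or null_ratio >= ratio_threshold
    )
    return PaddingReport(size, trailing, null_ratio, suspicious)


# Constructed samples: an OLE/MSI-style magic header plus filler followed by
# 4 MiB of null padding, and a "normal" blob with varied non-null bytes.
FAKE_MSI_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(range(256)) * 4
INFLATED_SAMPLE = FAKE_MSI_HEADER + b"\x00" * (4 * 1024 * 1024)
NORMAL_SAMPLE = bytes((i * 37 + 11) % 251 + 1 for i in range(8192))

if __name__ == "__main__":
    for name, blob in (("inflated", INFLATED_SAMPLE), ("normal", NORMAL_SAMPLE)):
        r = analyze_padding(blob)
        print(f"{name}: size={r.size} trailing_nulls={r.trailing_nulls} "
              f"null_ratio={r.null_ratio:.3f} suspicious={r.suspicious}")
```

In practice the check is run on the extracted installer's bytes (for example `analyze_padding(open(path, "rb").read())`) alongside a signature and hash lookup; padding alone is a heuristic, not proof of malice.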

Executing this installer triggers various activities, including the creation of several files, the execution of embedded scripts, and communication with external servers.

A Visual Basic (VB) script embedded in the installer plays a crucial role, using PowerShell to download and execute a batch file named “confvk” from GitHub.

This batch file works as an intermediary, unpacking additional malware components, running scripts, and paving the way for advanced persistence mechanisms.

Notably, the payload includes two PowerShell scripts: one that extracts system information and sends it to a Telegram server, and another that downloads a subsequent batch file, “confvz,” orchestrating further infection steps.

The attackers have employed multiple persistence methods to secure access to compromised systems.

These include the creation of Windows services (e.g., NetworkConfiguration, PerformanceMonitor), registry modifications, and the use of the WMIC tool to establish event filters for recurrent malware execution.

The confvz batch file organizes malware components into subdirectories and executes AutoIt scripts contained within DLLs, facilitating the deployment of sophisticated malware types.

According to the report, two notable payloads, ClipBanker and a cryptocurrency mining module, are injected into the system.

ClipBanker manipulates clipboard data to replace cryptocurrency wallet addresses, redirecting funds to attackers’ wallets.

Additional measures, such as leveraging debugging tools and exploiting OS installation scripts, further demonstrate the attackers’ ingenuity in ensuring their malware remains active.

Telemetry data indicates that 90% of the victims are located in Russia, reflecting a strong focus on Russian-speaking users.

Between January and March 2025, over 4,600 users encountered the scheme.

While the primary aim appears to be cryptocurrency theft, the attackers may also sell access to infected systems to other threat actors.

This campaign underscores the dangers of downloading software from unofficial sources. Users are advised to obtain software exclusively from trusted platforms and vendors.

SourceForge, while a reputable hosting platform, has unintentionally become a vector for malware distribution due to its subdomain creation feature.

Organizations must enhance their defenses against increasingly sophisticated threats like this.

Antivirus solutions, network filtering, and employee training on phishing and malware avoidance are critical measures to mitigate risks.

As attackers continue to refine their methods, vigilance and preventive cybersecurity practices are essential to safeguard both individuals and enterprises from such malicious campaigns.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
