Open-source tool impersonation and TDS malware delivery campaign
Campaign
Summary
Hide ▲
Show ▼
A large-scale campaign is impersonating open-source and freeware project sites to route download clicks through a Traffic Distribution System (TDS) and deliver malware, putting users searching for tools like Ghidra, dnSpy, and SpiderFoot at risk.
Related Happenings
SessionGate obfuscated loader with anti-analysis pivots
Malware Activity
H score28
First: 04.06.2026 12:51
Last: 04.06.2026 12:51
Sources 1
How related:
SessionGate, a previously unknown multi-stage, obfuscated loader that's used to deliver potentially unwanted applications (PUA) while incorporating extensive anti-analysis mechanisms to throw off sandboxes by pivoting to a benign installer experience.
About this happening:
SessionGate is now identified as a multi-stage loader that uses anti-analysis and benign-installer pivots to hide payload delivery, complicating sandboxes and dete...
SessionGate obfuscated loader with anti-analysis pivots
Malware ActivityHow related: SessionGate, a previously unknown multi-stage, obfuscated loader that's used to deliver potentially unwanted applications (PUA) while incorporating extensive anti-analysis mechanisms to throw off sandboxes by pivoting to a benign installer experience.
About this happening: SessionGate is now identified as a multi-stage loader that uses anti-analysis and benign-installer pivots to hide payload delivery, complicating sandboxes and dete...
Winos 4.0 and HoldingHands RAT malware activity expanding targeting to Japan and Malaysia
Malware Activity
H score23
First: 18.10.2025 09:51
Last: 18.10.2025 09:51
Sources 1
About this happening:
The Winos 4.0 malware operation has expanded its target footprint to Japan and Malaysia through HoldingHands RAT, increasing the reach of a multi-stage phishing de...
Winos 4.0 and HoldingHands RAT malware activity expanding targeting to Japan and Malaysia
Malware ActivityAbout this happening: The Winos 4.0 malware operation has expanded its target footprint to Japan and Malaysia through HoldingHands RAT, increasing the reach of a multi-stage phishing de...
Timeline
-
04.06.2026 12:51 2 articles · 1mo ago
Initial report: Open-source tool impersonation and TDS malware delivery campaign
Initial DisclosureThe campaign first emerged as fake project portals that ranked highly in search results and diverted users through a TDS when they clicked download links. Early documentation in November 2025 showed the sites were already built to monetize traffic before the infrastructure was later repurposed for malware distribution in January 2026.
Show sources
- Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS — thehackernews.com — 04.06.2026 12:51
- Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS — thehackernews.com — 04.06.2026 12:51