Open-source tool impersonation and TDS malware delivery campaign
Campaign
Summary
A large-scale campaign is impersonating open-source and freeware project sites to route download clicks through a Traffic Distribution System (TDS) and deliver malware, putting users searching for tools like Ghidra, dnSpy, and SpiderFoot at risk.
Related Happenings
SessionGate obfuscated loader with anti-analysis pivots
Malware Activity
First: 04.06.2026 12:51
Last: 04.06.2026 12:51
Sources 1
How related:
SessionGate, a previously unknown multi-stage, obfuscated loader that's used to deliver potentially unwanted applications (PUA) while incorporating extensive anti-analysis mechanisms to throw off sandboxes by pivoting to a benign installer experience.
About this happening:
**SessionGate** is now identified as a **multi-stage loader** that uses **anti-analysis** and **benign-installer pivots** to hide payload delivery, complicating sandboxes and dete...
Winos 4.0 and HoldingHands RAT malware activity expanding targeting to Japan and Malaysia
Malware Activity
First: 18.10.2025 09:51
Last: 18.10.2025 09:51
Sources 1
About this happening:
The **Winos 4.0** malware operation has expanded its target footprint to **Japan** and **Malaysia** through **HoldingHands RAT**, increasing the reach of a multi-stage phishing de...
Timeline
- 04.06.2026 12:51 · 2 articles
Initial report: Open-source tool impersonation and TDS malware delivery campaign
Initial Disclosure: The campaign first emerged as **fake project portals** that ranked highly in search results and diverted users through a **TDS** when they clicked download links. Early documentation in **November 2025** showed the sites were already built to monetize traffic before the infrastructure was later repurposed for malware distribution in **January 2026**.
- Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS — thehackernews.com — 04.06.2026 12:51