Find notable cyber news and cases, enriched with sources, timelines, and signals.

Open-source tool impersonation and TDS malware delivery campaign

Campaign
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

A large-scale campaign is impersonating open-source and freeware project sites to route download clicks through a Traffic Distribution System (TDS) and deliver malware, putting users searching for tools like Ghidra, dnSpy, and SpiderFoot at risk.

Related Happenings

SessionGate obfuscated loader with anti-analysis pivots

Malware Activity
H score28 First: 04.06.2026 12:51 Last: 04.06.2026 12:51 Sources 1

How related: SessionGate, a previously unknown multi-stage, obfuscated loader that's used to deliver potentially unwanted applications (PUA) while incorporating extensive anti-analysis mechanisms to throw off sandboxes by pivoting to a benign installer experience.

About this happening: SessionGate is now identified as a multi-stage loader that uses anti-analysis and benign-installer pivots to hide payload delivery, complicating sandboxes and dete...

Winos 4.0 and HoldingHands RAT malware activity expanding targeting to Japan and Malaysia

Malware Activity
H score23 First: 18.10.2025 09:51 Last: 18.10.2025 09:51 Sources 1

About this happening: The Winos 4.0 malware operation has expanded its target footprint to Japan and Malaysia through HoldingHands RAT, increasing the reach of a multi-stage phishing de...

Timeline

  1. 04.06.2026 12:51 2 articles · 1mo ago

    Initial report: Open-source tool impersonation and TDS malware delivery campaign

    Initial Disclosure

    The campaign first emerged as fake project portals that ranked highly in search results and diverted users through a TDS when they clicked download links. Early documentation in November 2025 showed the sites were already built to monetize traffic before the infrastructure was later repurposed for malware distribution in January 2026.

    Show sources