
SessionGate obfuscated loader with anti-analysis pivots

Malware Activity
Happening score: 28
1 unique source, 1 article

Summary


SessionGate is now identified as a multi-stage loader that uses anti-analysis techniques and pivots to a benign installer to hide payload delivery, complicating sandbox analysis and detection. It is delivered through a gated TDS chain after click interception, and can retrieve an encrypted configuration before running the next stage via cmd.exe. Telemetry showing about 2,000 to 3,500 samples tied to the family suggests broader distribution than a one-off build.

Related Happenings

Open-source tool impersonation and TDS malware delivery campaign

Campaign
First: 04.06.2026 12:51 · Last: 04.06.2026 12:51 · Sources: 1

How related: Cybersecurity researchers have flagged a large-scale operation that impersonates open-source and freeware projects to funnel unsuspecting users through a Traffic Distribution System (TDS) and deliver malware families like Remus Stealer, AnimateClipper, and the SessionGate framework.

About this happening: A **large-scale campaign** is impersonating **open-source and freeware project sites** to route download clicks through a **Traffic Distribution System (TDS)** and deliver malware...

AshTag modular .NET backdoor deployment via sideloading

Malware Activity
First: 11.12.2025 13:00 · Last: 11.12.2025 13:00 · Sources: 1

About this happening: The **AshTag** backdoor was deployed through **DLL sideloading** and **in-memory execution**, enabling **persistence** and **remote command execution** in targeted environments. I...

Timeline

  1. 04.06.2026 12:51 · 2 articles

    SessionGate loader uses gated TDS to deliver malware from fake project portals

    Initial Disclosure

    Check Point identified a large-scale operation that impersonates open-source and freeware project portals, uses a CloudFront-hosted JavaScript staging layer and a Traffic Distribution System (TDS) to intercept the first download click, and then selectively routes users to malware delivery infrastructure. The same chain is associated with SessionGate, a previously unknown multi-stage, obfuscated loader that pivots to a benign installer experience as an anti-analysis measure, retrieves an encrypted configuration, and executes the next stage via cmd.exe. The operation also delivered Remus Stealer and AnimateClipper. Telemetry shows approximately 2,000 to 3,500 SessionGate submissions, with activity dating back to September 2025, an early iteration documented in November 2025, and repurposing for malware distribution starting January 2026.
