Cybercriminals are concentrating on crypto customers by exploiting SourceForge, a widely known open-source software program platform.
In keeping with safety consultants at Kaspersky, malicious attackers add faux Microsoft Workplace installers full of hidden malware, together with crypto miners and clipboard hijackers, to deceive unsuspecting customers.
They famous that whereas the SourceForge mission pages seem authentic, the hazard lies of their auto-generated subdomains. In a single occasion, Russia’s Yandex search engine listed a faux area, main unsuspecting customers to a web page crammed with counterfeit Workplace instruments and obtain buttons.
Knowledge from Kaspersky signifies that greater than 4,600 incidents have been recorded within the first quarter of 2025, with 90% of the affected customers in Russia.
It was unclear if this assault had led to vital monetary losses for crypto customers.
The assault
On this assault, the hackers add weaponized software program to SourceForge’s mission pages. These pages mimic authentic Workplace-related instruments, however the installers include embedded scripts that ship dangerous payloads.
The entice begins with a small archive file named vinstaller.zip, solely round 7MB. That is suspicious, as real Workplace software program is considerably bigger—even when compressed.
Nevertheless, as soon as the file is unzipped, it balloons right into a 700MB installer full of hidden scripts. These scripts silently fetch further information from GitHub and scan the system for antivirus instruments.
If no safety is detected, the installer masses crypto mining software program and a clipbanker Trojan.
In keeping with the weblog publish:
“ClipBanker is a malware household that replaces cryptocurrency pockets addresses within the clipboard with the attackers’ personal. Customers of crypto wallets sometimes copy addresses as a substitute of typing them. If the gadget is contaminated with ClipBanker, the sufferer’s cash will find yourself someplace solely sudden.”
On the identical time, one of many scripts sends consumer data to a Telegram bot, giving the hacker full entry to delicate knowledge.
This marketing campaign highlights how hackers leverage trusted platforms to bypass safety programs and unfold malware at scale.
