- Cybercriminals have used SourceForge to distribute malware disguised as legitimate software
- The campaign has primarily targeted Russian-speaking users, with over 4,600 affected between January and March 2025
- The malware includes a cryptocurrency miner and the ClipBanker Trojan, which hijacks clipboard data to redirect cryptocurrency transactions
A recent investigation by Kaspersky has uncovered a sophisticated malware distribution campaign exploiting the software hosting platform SourceForge. Attackers have created deceptive projects to trick users into downloading malicious software, resulting in significant security breaches, particularly among Russian-speaking users. The report follows news last month that hackers are targeting blockchain developers using fake GitHub repositories.
Exploiting SourceForge’s Infrastructure
Kaspersky reports that the cybercriminals established a project named “officepackage” on SourceForge, which appeared to offer Microsoft Office add-ins sourced from a legitimate GitHub repository. While the main project page seemed authentic, the attackers utilized SourceForge’s subdomain feature to create a malicious webpage at officepackage.sourceforge[.]io.
This page displayed a list of Microsoft Office applications with download links, giving an impression of legitimacy. However, clicking these links redirected users to external sites that delivered malware-laden files. Upon downloading, users received a ZIP archive containing a password-protected installer. Executing this installer initiated a multi-stage infection process, ultimately deploying two primary types of malware:
- Cryptocurrency Miner: This malware covertly utilizes the victim’s system resources to mine cryptocurrency, leading to degraded system performance and increased energy consumption.
- ClipBanker Trojan: Also known as a clipper, this Trojan monitors the clipboard for cryptocurrency wallet addresses. When detected, it replaces the copied address with one controlled by the attacker, redirecting funds during transactions.
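As an added illustration of the clipper behaviour described above (example detection code written for this article, not code from Kaspersky's report or from the malware), the snippet below flags the footprint a clipper leaves: a wallet address the user copied is replaced in the clipboard by a different address of the same type with no user copy in between. The address patterns and the clipboard events are simplified, constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified address patterns (assumption: illustrative, not exhaustive).
WALLET_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def wallet_kind(text: str) -> Optional[str]:
    """Return the wallet type the text looks like, or None."""
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None

@dataclass
class ClipboardEvent:
    t: float       # seconds since monitoring started
    source: str    # "user": a copy the user made; "poll": a periodic read of the clipboard
    content: str

def detect_swaps(events: List[ClipboardEvent]) -> List[Tuple[float, str, str]]:
    """Flag polls where the address the user last copied has been replaced by a
    different address of the same type without any user copy in between."""
    alerts = []
    last_copied: Optional[str] = None
    for ev in events:
        if ev.source == "user":
            last_copied = ev.content
            continue
        if last_copied is None:
            continue
        kind = wallet_kind(last_copied)
        if kind is not None and ev.content != last_copied and wallet_kind(ev.content) == kind:
            alerts.append((ev.t, last_copied, ev.content))
            last_copied = ev.content  # report each swap only once
    return alerts

# Constructed sample: the user copies a BTC address; a later poll finds a different BTC address.
USER_ADDR = "bc1q" + "victimaddr" + "0" * 24
SWAPPED_ADDR = "bc1q" + "swappedaddr" + "0" * 24
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "user", USER_ADDR),
    ClipboardEvent(0.5, "poll", USER_ADDR),
    ClipboardEvent(1.0, "poll", SWAPPED_ADDR),        # replaced without a copy -> alert
    ClipboardEvent(2.0, "user", "0x" + "ab" * 20),
    ClipboardEvent(2.5, "poll", "0x" + "ab" * 20),    # unchanged -> no alert
]

if __name__ == "__main__":
    for t, before, after in detect_swaps(SAMPLE_EVENTS):
        print(f"t={t}s: clipboard address changed without a user copy: {before} -> {after}")
```

On a real endpoint the "poll" events would come from reading the system clipboard on a timer and the "user" events from a copy hook; the comparison logic stays the same.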
Russian-speaking Individuals Targeted
The campaign has predominantly targeted Russian-speaking individuals, with 90% of the 4,604 reported victims located in Russia between early January and late March 2025. The attackers leveraged search engine optimization techniques to ensure their malicious SourceForge pages appeared prominently in search results, increasing the likelihood of user engagement.
Security experts advise users to exercise caution when downloading software from online platforms: it is crucial to verify the authenticity of the source and to be wary of unsolicited download links. As noted in the Kaspersky report, “While the attack primarily targets cryptocurrency by deploying a miner and ClipBanker, the attackers could sell system access to more dangerous actors.” This highlights the broader risks associated with such malware, including potential unauthorized access to sensitive information.
In light of these findings, users are encouraged to rely on official sources for software downloads and maintain updated security solutions to detect and prevent malware infections.