Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem

What Happened

Attackers are creating fake websites that look exactly like official pages for popular free software tools. When a user clicks the download button, hidden scripts hijack the click and redirect them through a filtering system that checks if they are a real target. If the user passes the checks, they are tricked into downloading malicious programs that can steal passwords, hijack cryptocurrency transactions, or install unwanted software. This matters because even careful users searching for legitimate tools can be compromised. To stay safe, users should always verify they are downloading software from the official source, such as the actual GitHub repository, and organizations should monitor for unexpected network redirects during software downloads.

Key Takeaways

• A large-scale operation is impersonating open-source and freeware projects (e.g., Ghidra, dnSpy) to capture search traffic and distribute malware.
• The campaign uses CloudFront-hosted JavaScript to hijack download clicks and route users through a Traffic Distribution System (TDS).
• The TDS enforces strict gating, including anti-bot checks, VPN filtering, and frequency capping, to selectively deliver payloads.
• Delivered malware includes the SessionGate multi-stage loader, RemusStealer (an infostealer targeting browsers and crypto wallets), and AnimateClipper.
• SessionGate employs heavy obfuscation, server-side registration, and one-time key release to severely hinder automated and manual analysis.

Affected Systems

• Windows
• Chromium-based browsers
• Firefox
• Cryptocurrency wallets
• Password managers

Attack Chain

The attack begins when a user visits a fake open-source project website and clicks a download link. A CloudFront-hosted JavaScript intercepts the click and redirects the user through a Traffic Distribution System (TDS) that performs environment and bot checks. Depending on the user's profile, the TDS delivers various payloads, such as the SessionGate loader, which uses one-time keys and heavy obfuscation to drop unwanted applications. Alternatively, users may receive RemusStealer to exfiltrate browser and crypto wallet data, or be directed to a ClickFix phishing page that uses mshta.exe to execute AnimateClipper, a clipboard-hijacking cryptocurrency stealer.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.), but outlines behavioral indicators and infrastructure patterns for hunting.

Detection Engineering Assessment

EDR Visibility: High — EDRs can detect mshta.exe making external network connections, manual PE mapping in memory, and suspicious child processes spawned from browsers or temporary directories. Network Visibility: Medium — While C2 traffic is encrypted (HTTPS) or uses custom protocols, the initial TDS redirects, mshta.exe downloads, and smart contract RPC queries (Binance Smart Chain) can be monitored. Detection Difficulty: Moderate — The heavy use of obfuscation, one-time keys, and legitimate CDN infrastructure (CloudFront) makes static analysis and network blocking difficult, but the behavioral execution chain (e.g., mshta.exe) is highly anomalous.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon Event ID 1)
• Network Connections (Sysmon Event ID 3)
• DNS Queries (Sysmon Event ID 22)

Hunting Hypotheses

Control Gaps

• Automated sandbox analysis (due to file inflation and one-time key gating)
• Static AV scanning (due to heavy obfuscation and manual PE mapping)

Key Behavioral Indicators

• mshta.exe making external HTTP requests
• Executables with massive zero-filled padding (inflation)
• Processes querying DPAPI (CryptUnprotectData) and accessing multiple browser extension directories

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Consider blocking the identified C2 domains and IP addresses at the network perimeter.
• Evaluate whether to block or restrict the execution of mshta.exe if it is not required for business operations.

Infrastructure Hardening

• Consider implementing DNS filtering to block known malicious TDS redirectors and newly registered domains.
• If applicable, restrict outbound network access from endpoints to public cryptocurrency RPC nodes.

User Protection

• Consider deploying browser extensions or endpoint controls that warn users when visiting newly observed or low-reputation domains.
• Evaluate enforcing application control policies to prevent the execution of unsigned binaries downloaded from the internet.

Security Awareness

• Consider training developers and engineers to verify software downloads by checking digital signatures and using official package managers or repositories.
• Evaluate incorporating examples of 'ClickFix' fake verification screens into security awareness training.

MITRE ATT&CK Mapping

• T1036.005 - Masquerading: Match Legitimate Name or Location
• T1059.005 - Command and Scripting Interpreter: Visual Basic
• T1059.001 - Command and Scripting Interpreter: PowerShell
• T1218.005 - System Binary Proxy Execution: Mshta
• T1027.002 - Obfuscated Files or Information: Software Packing
• T1055.001 - Process Injection: Dynamic-link Library Injection
• T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
• T1115 - Clipboard Data
• T1566.002 - Phishing: Spearphishing Link

Additional IOCs

• Domains:
  • ghidralite[[.]]com - Impersonated Ghidra project website
  • dnspy[[.]]org - Impersonated dnSpy project website
  • ilspy[[.]]org - Impersonated ILSpy project website
  • grpcurl[[.]]com - Impersonated gRPCurl project website
  • mqttexplorer[[.]]com - Impersonated MQTT Explorer project website
  • mfcmapi[[.]]com - Impersonated MFCMAPI project website
  • winsetupfromusb[[.]]org - Impersonated WinSetupFromUSB project website
  • crystaldiskmark[[.]]org - Impersonated CrystalDiskMark project website
  • guiformat[[.]]com - Impersonated GUIFormat project website
  • oundhertobeconsist[[.]]org - TDS post-click redirector domain
  • ukentaspectsofc[[.]]org - TDS pixel/tracking domain
  • trkscope[[.]]xyz - TDS multi-gate redirector domain
  • file-enter-web[[.]]com - TDS anti-bot gate domain
  • media[.]stellarcloudhub1[[.]]cfd - TDS download gate domain
  • arch2[.]maxdatahost1[[.]]cyou - TDS download gate domain
  • originaldownloads[[.]]info - SessionGate landing page
  • getfluxfile[[.]]com - SessionGate landing page
  • javascriptapiusa[[.]]com - SessionGate server-side validation API
  • appgetonline[[.]]com - SessionGate C2 server
  • webinnosetup[[.]]com - SessionGate C2 server
  • appmakingcenter[[.]]com - SessionGate C2 server
  • yourfastcrc[[.]]com - SessionGate CRC key broker C2 server
  • mobileversioncrc[[.]]com - SessionGate CRC key broker C2 server
  • integritycrc[[.]]com - SessionGate CRC key broker C2 server
  • io[.]hugo-lapp[[.]]lat - AnimateClipper C2 server
  • cw[.]hugo-lapp[[.]]lat - AnimateClipper C2 server
  • st[.]hugo-lapp[[.]]lat - AnimateClipper C2 server
  • td[.]hugo-lapp[[.]]lat - AnimateClipper C2 server
  • fd[.]hugo-lapp[[.]]lat - AnimateClipper C2 server
  • ed[.]hugo-lapp[[.]]lat - AnimateClipper C2 server
  • flame-guard[[.]]cc - AnimateClipper C2 server
  • carlessclapped[[.]]com - AnimateClipper C2 server
• Urls:
  • hxxps://d33f51dyacx7bd[.]cloudfront[.]net/?aydfd=1237183 - CloudFront-hosted TDS staging script
  • hxxps://dcbbwymp1bhlf[.]cloudfront[.]net/?wbbcd=1236609 - CloudFront-hosted TDS staging script
  • hxxps://s3[.]us-east-2[.]amazonaws[.]com/marketstagofortdas/ehjm145uvt/Download_Ready_461049.exe - SessionGate payload download URL
  • hxxp://buccstanor[.]pics:28313 - RemusStealer C2 endpoint
  • hxxp://217[.]156[.]122[.]75:1378 - RemusStealer C2 endpoint
  • hxxp://intem[.]lat:9592 - RemusStealer C2 endpoint
  • hxxp://ropea[.]top:28313 - RemusStealer C2 endpoint
  • hxxp://forestoaker[.]com:6290 - RemusStealer C2 endpoint
  • hxxp://buccstanor[.]pics:48261 - RemusStealer C2 endpoint
  • hxxp://94[.]231[.]205[.]229:28313 - RemusStealer C2 endpoint
  • hxxp://gluckcreek[.]online:48261 - RemusStealer C2 endpoint
  • hxxps://cdn-1415[.]brightcanvas[.]digital/fo0suc2ki2.rtf - AnimateClipper payload download URL
• File Hashes:
  • 74091f5a8746a1c68d73e1fc1e4e1ff514632ee3f632a8b306f35dabae2d2b64 (SHA256) - SessionGate Stage 1
  • 15e6df0c95f2147952308e640d55270e9d097639eaebb34d4b352415f1c6bceb (SHA256) - SessionGate Stage 1
  • 3bb92771e287aa0a8bdd8e5b5bb697427223eaefded3d9b64b5d5c32ad40f3c2 (SHA256) - SessionGate Stage 1
  • cbad672d9bd06ce91ce465d049e50696fbaec9d209ca0ab1fd814d993d04bc9b (SHA256) - SessionGate Stage 1 and Stage 2 DLL #1
  • 4cdb1f7ac502289119f7f8256f00baaa994e6ecfb4000dcf5e1c46073508fcb3 (SHA256) - SessionGate Stage 2
  • ce0888df5e28716432013a8ae002437bd3e993fbe8362c5ff9efbddabfe0ab77 (SHA256) - SessionGate Stage 2 DLL #1
  • 26f2abfc254a59c2386dd46dca16744f7147a0f0366cb6008e1d53219175f44c (SHA256) - SessionGate Stage 2 DLL #2
  • 87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886 (SHA256) - AnimateClipper
  • 2e842eab0c16ddd1a2ec4a56610adb58d115b65a1e08e9b67e7e375f8eed0873 (SHA256) - RemusStealer
• File Paths:
  • D:\code\cpp-downloader-scb-reg-other\Plugins\7ZipDownloader\Output\SFXWin.pdb - PDB path found in SessionGate Stage 2 binary
• Command Lines:
  • Purpose: Executes a remote HTA payload using the built-in mshta utility as part of the ClickFix infection chain. | Tools: mshta.exe | Stage: Execution | mshta.exe https://