Unmasking the SourceForge Malware Campaign: A Deceptive Attack on Users

A recent investigation has uncovered a sophisticated malware campaign that abuses SourceForge, a popular platform for hosting and distributing software. The attackers use a clever tactic, exploiting SourceForge’s subdomain feature to create fake webpages, tricking users into downloading harmful software. This article delves into how this campaign works, its infection chain, and the persistent threat it poses.

The Attack: Exploiting SourceForge’s Subdomain System

The attack begins with a seemingly harmless project named “officepackage,” which is hosted on SourceForge. While the official project page on SourceForge mirrors legitimate Microsoft Office add-ins from GitHub, the attackers take advantage of the subdomain feature to host a malicious version of the project under the address officepackage.sourceforge[.]io.

This malicious subdomain is indexed by search engines, making it easier for unsuspecting users searching for office-related software to stumble upon it. The page appears almost identical to the official one, but upon closer inspection, users will notice that the “Download” buttons lead to URLs associated with another SourceForge project named “loading.” This is part of the attackers’ strategy to disguise the true origin of the malicious software.

By clicking on these links, users are redirected through multiple pages before eventually downloading a suspicious archive named vinstaller.zip.

Infection Chain: A Multi-Layered Approach

Once the user downloads vinstaller.zip, the infection chain begins. The archive contains a password-protected file (installer.zip) along with a Readme.txt file that provides the password. Upon extraction, users find an inflated Windows Installer file (installer.msi) that appears legitimate but is padded with junk data.

When the installer is executed, it kicks off a series of malicious activities:

  1. Embedded Scripts Execution: The installer runs a Visual Basic script that downloads and executes a batch file (confvk) from GitHub.
  2. Batch File Operations: The batch script performs system checks to avoid detection and unpacks additional malicious files, executing PowerShell scripts.
  3. Data Exfiltration and Malware Deployment: A PowerShell script sends system information to the attackers via Telegram, while another script downloads a secondary batch file (confvz) to deploy more malware components.
  4. Malware Components: These include AutoIt scripts embedded in DLL files, a cryptocurrency wallet hijacker (ClipBanker), and a cryptocurrency miner. The components are designed to be persistent, using techniques like registry modifications, scheduled tasks, and Windows Management Instrumentation Command-line (WMIC) utilities.

Advanced Persistence Mechanisms

The attackers use several advanced techniques to maintain control over infected systems:

  • Registry Key Manipulation: The attackers link malicious scripts to commonly used executable names, allowing the malware to execute stealthily.
  • Service Creation: Custom services are created to ensure batch files and the AutoIt interpreter start automatically.
  • WMIC Event Filters: The attackers create event filters to trigger malicious commands at regular intervals, keeping the system under their control.
  • Exploitation of OS Utilities: The attackers also exploit Windows’ Setup utility (Setup.exe) and error-handling mechanisms to create additional startup methods.

These persistent methods ensure that the malware remains active on the system long after the initial infection, making it harder for users to detect and remove.
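The persistence mechanisms listed above (WMI event filters and consumers, services that launch batch files or an AutoIt interpreter, and registry entries that redirect common executable names) are all enumerable from an elevated PowerShell session. The following hunt script is an added example and not code from the article or from the original research; the check of the Image File Execution Options "Debugger" value is an assumption about how scripts get linked to executable names, and the built-in "SCM Event Log Consumer" will appear as an expected WMI entry on most systems.

```powershell
# Added example: enumerate the persistence points described in the article.
# Run from an elevated PowerShell prompt; prints every finding, flagged or not.
# Patterns typical of script-based persistence (case-insensitive in -match).
$suspicious = '\.bat|\.cmd|autoit|wscript|cscript|powershell|cmd(\.exe)? /c'

function Get-WmiPersistence {
    # Permanent WMI subscriptions live in root\subscription. The benign
    # "SCM Event Log Consumer" / "SCM Event Log Filter" pair is expected.
    $ns = 'root\subscription'
    foreach ($c in (Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Type = 'WMI cmd consumer'; Name = $c.Name; Detail = $c.CommandLineTemplate
                           Flag = [bool]($c.CommandLineTemplate -match $suspicious) }
    }
    foreach ($c in (Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)) {
        # Any active-script consumer is worth a look; flag unconditionally.
        [pscustomobject]@{ Type = 'WMI script consumer'; Name = $c.Name; Detail = $c.ScriptText; Flag = $true }
    }
    foreach ($f in (Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)) {
        # Timer-driven filters match the "regular interval" trigger described in the article.
        [pscustomobject]@{ Type = 'WMI filter'; Name = $f.Name; Detail = $f.Query
                           Flag = [bool]($f.Query -match 'Timer|PerfFormattedData_PerfOS_System') }
    }
    foreach ($b in (Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)) {
        # Bindings show which filter fires which consumer.
        [pscustomobject]@{ Type = 'WMI binding'; Name = "$($b.Filter)"; Detail = "$($b.Consumer)"; Flag = $false }
    }
}

function Get-SuspiciousServices {
    # Services whose image path launches a batch file, script host or AutoIt.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match $suspicious } |
        ForEach-Object { [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Detail = $_.PathName; Flag = $true } }
}

function Get-IfeoDebuggers {
    # Assumption: a Debugger value under IFEO makes Windows run that program
    # whenever the named executable is launched. Legitimate uses are rare.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Type = 'IFEO Debugger'; Name = $_.PSChildName; Detail = $dbg; Flag = $true } }
    }
}

$results = @(Get-WmiPersistence) + @(Get-SuspiciousServices) + @(Get-IfeoDebuggers)
$results | Sort-Object Flag -Descending | Format-Table Type, Name, Flag, Detail -AutoSize -Wrap
```

Flagged rows are leads, not verdicts: confirm each by inspecting the referenced file or script before removing anything, and collect the entries first so the artifacts survive for later forensic review.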

Aimed at Financial Gain

This campaign is particularly targeted at Russian-speaking users, with telemetry data indicating that 90% of the affected individuals are based in Russia. From January to March 2025, over 4,600 users were exposed to this threat. The primary objective appears to be financial profit through cryptocurrency theft and mining, with the potential for even more severe exploitation if the attackers sell system access to other cybercriminals.

What Undercode Says:

The SourceForge malware campaign highlights a concerning trend in cybersecurity: the exploitation of trusted platforms to distribute malicious software. SourceForge, a platform that many developers and users trust, was used in a highly sophisticated manner to create a fake version of a legitimate software project. By leveraging the subdomain feature and mimicking legitimate software, the attackers were able to deceive users into downloading malware.

This attack is also notable for its multi-layered infection chain, which includes the use of password-protected files, fake installers, and complex scripts designed to evade detection. This kind of intricate approach demonstrates the growing sophistication of cybercriminals and their ability to stay one step ahead of traditional security measures.

The use of PowerShell scripts, AutoIt scripts, and registry key manipulation shows that these attackers are well-versed in Windows internals and can utilize a variety of methods to maintain persistence on infected systems. By making their malware harder to detect and remove, they increase the chances of successful exploitation.

Moreover, the targeting of Russian-speaking users is not surprising, given the geopolitical context. However, this attack could easily be adapted to target users in other regions. The broader implications of this campaign are clear: it underscores the importance of maintaining vigilance when downloading software from the internet and always ensuring that the source is trustworthy.

Fact Checker Results

  • Legitimate Software Source: SourceForge, while generally trusted, was exploited by attackers to distribute malicious software.
  • Sophistication of the Attack: The malware campaign uses advanced persistence mechanisms and multi-stage infection methods.
  • Targeted Demographics: The campaign predominantly affects Russian-speaking users, but could potentially expand to other regions.

References:

Reported By: cyberpress.org