
New Malware Campaign Exploits SourceForge Projects to Steal Crypto & Spy on Users
A new malware campaign is targeting users through SourceForge, a trusted site known for hosting open-source software projects.
In a rush? Here are the quick facts:
- Victims download a fake installer containing a hidden cryptocurrency miner and ClipBanker.
- Malware sends data to attackers via Telegram API.
- Attack chain includes VB scripts, PowerShell commands, and AutoIt interpreters.
Researchers from Kaspersky uncovered a scheme where attackers use a fake project to trick people into downloading malicious files disguised as office tools.
The fake project, called “officepackage,” looks harmless on GitHub. But the related officepackage.sourceforge.io domain points to a completely different website that lists fake office apps with “Download” buttons.
The researchers explain that the pages are indexed by search engines, so they look legitimate in search results. But instead of useful software, users are led through a confusing maze of pages that ultimately install malware on their computers.
The downloaded file, named vinstaller.zip, contains hidden tools, including a password-protected archive and a Windows Installer that looks large and legitimate but is actually padded with junk data to fool users. When launched, it secretly runs a script that downloads files from GitHub, extracts malicious components, and starts spying on the device.
One of the hidden scripts sends the victim’s device details to attackers through Telegram. This includes the computer’s IP address, name, antivirus software, and even the username.
The malware does two main things: first, it installs a cryptocurrency miner that quietly uses the computer’s resources to generate digital money for the attackers.
Second, it installs a type of malware called ClipBanker, which waits for s to copy and paste cryptocurrency wallet addresses. When they do, it replaces the wallet address with one owned by the attacker, redirecting funds to them.
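The clipboard-swapping behaviour described above is easy to detect from the victim's side: a wallet address the user copied should never turn into a different address of the same kind without another copy action. The following Python script is an added illustration, not code from the article or from Kaspersky's report; the clipboard timeline and the wallet addresses in it are constructed, and a real monitor would feed `detect_swaps` with events captured from the operating system clipboard instead.

```python
import re
from dataclasses import dataclass

# Wallet-address shapes this example recognises (constructed, illustrative;
# real ClipBanker variants match many more chains).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def wallet_kind(text: str):
    """Return the address family that `text` looks like, or None."""
    text = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class ClipEvent:
    t: float       # seconds since the monitor started
    source: str    # "user_copy" (a copy keystroke was observed) or "poll" (periodic clipboard read)
    content: str


def detect_swaps(events):
    """Flag clipboard polls whose content is a wallet address that differs from
    the address the user last copied, with no user copy in between.
    Returns a list of (time, address_user_copied, address_now_in_clipboard)."""
    alerts = []
    last_user_copy = None
    for ev in events:
        if ev.source == "user_copy":
            last_user_copy = ev.content
            continue
        if last_user_copy is None or ev.content == last_user_copy:
            continue
        copied_kind = wallet_kind(last_user_copy)
        current_kind = wallet_kind(ev.content)
        # A swap within the same address family is the ClipBanker signature:
        # the user still sees "an address" and is unlikely to notice.
        if copied_kind is not None and copied_kind == current_kind:
            alerts.append((ev.t, last_user_copy, ev.content))
            last_user_copy = ev.content  # report each swap once
    return alerts


# Constructed clipboard timeline (not real victim data).
ETH_USER = "0x" + "1" * 40
ETH_SWAPPED = "0x" + "2" * 40
BTC_USER = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
BTC_SWAPPED = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"

SAMPLE_EVENTS = [
    ClipEvent(0.0, "user_copy", "meeting notes"),
    ClipEvent(0.5, "poll", "meeting notes"),
    ClipEvent(1.0, "user_copy", ETH_USER),
    ClipEvent(1.5, "poll", ETH_USER),       # unchanged: fine
    ClipEvent(2.0, "poll", ETH_SWAPPED),    # silently replaced: alert
    ClipEvent(3.0, "user_copy", BTC_USER),
    ClipEvent(3.5, "poll", BTC_SWAPPED),    # replaced again: alert
    ClipEvent(4.0, "user_copy", "hello"),
    ClipEvent(4.5, "poll", "hello"),
]

if __name__ == "__main__":
    for t, before, after in detect_swaps(SAMPLE_EVENTS):
        print(f"t={t}: clipboard changed from {before} to {after}")
```

The check deliberately ignores changes between unrelated content (a note replaced by an address, or vice versa), because those are normal user activity; only a same-family address substitution is reported.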
The malware uses several methods to stay on the system and automatically restart even after rebooting. It hides in system folders, adds special registry keys, creates fake Windows services, and even hijacks system update tools.
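Because the persistence described above lives in well-known autostart locations (Run keys, services, scheduled tasks), a defender can triage them with a few heuristics: a launch command pointing into a user-writable directory, a script host such as wscript.exe or PowerShell doing the launching, and a Windows-sounding name attached to a binary that does not live under C:\Windows. The script below is an added example, not code from the article or from Kaspersky; the heuristics are my own, the autostart entries are constructed, and in practice `audit` would be fed with entries exported from the registry, the service control manager and the task scheduler.

```python
import re
from dataclasses import dataclass

# Locations a standard user can write to; a persistence entry referencing
# one of these deserves a look (constructed heuristics, not a complete list).
USER_WRITABLE = re.compile(
    r"(?:c:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\"
    r"|c:\\programdata\\|c:\\windows\\temp\\|c:\\temp\\)",
    re.IGNORECASE,
)
# Interpreters that rarely belong in an autostart entry on their own.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "autoit3.exe"}
# Names that imitate Windows components.
WINDOWS_LOOKALIKE = re.compile(r"(windows|microsoft|svchost|update|defender)",
                               re.IGNORECASE)


@dataclass
class AutostartEntry:
    location: str   # e.g. 'HKCU\\...\\Run', 'Service', 'ScheduledTask'
    name: str
    command: str    # the command line that gets launched


def first_executable(command: str) -> str:
    """Extract the program path from a command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def assess(entry: AutostartEntry):
    """Return the reasons this entry looks suspicious (empty list = clean)."""
    reasons = []
    exe = first_executable(entry.command)
    exe_name = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    in_user_dir = bool(USER_WRITABLE.search(entry.command))
    if in_user_dir:
        reasons.append("launches from a user-writable location")
    if exe_name in SCRIPT_HOSTS:
        reasons.append(f"autostart runs a script host ({exe_name})")
    if in_user_dir and WINDOWS_LOOKALIKE.search(entry.name):
        reasons.append("name imitates a Windows component")
    return reasons


def audit(entries):
    """Map entry name -> reasons, keeping only entries with at least one reason."""
    findings = {}
    for entry in entries:
        reasons = assess(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


# Constructed autostart inventory (paths and names are made up for the example).
SAMPLE_ENTRIES = [
    AutostartEntry("HKLM\\...\\Run", "SecurityHealth",
                   r"C:\Windows\System32\SecurityHealthSystray.exe"),
    AutostartEntry("Service", "WinDefend",
                   r'"C:\Program Files\Windows Defender\MsMpEng.exe"'),
    AutostartEntry("ScheduledTask", "Backup",
                   r'"C:\Program Files\Acme\backup.exe" --nightly'),
    AutostartEntry("HKCU\\...\\Run", "WindowsUpdateHelper",
                   r'wscript.exe //B "C:\Users\alice\AppData\Roaming\upd\start.vbs"'),
    AutostartEntry("Service", "Windows Update Service",
                   r'"C:\ProgramData\svc\svchost.exe" -k netsvcs'),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_ENTRIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Legitimate software sometimes does start from a profile directory, so a hit here is a triage lead rather than a verdict; the value of the check is that it separates the handful of entries worth a closer look from the many that are plainly vendor binaries under C:\Windows or C:\Program Files.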
To stay safe, experts strongly advise downloading software only from official sources, as pirated or unofficial downloads always carry a higher risk of infection.