Full Report
A network of fake websites is trapping unsuspecting users by claiming to be official download pages for free tools like Ghidra, dnSpy, ILSpy, and CrystalDiskMark. Discovered by Check Point Research, this operation uses highly realistic portals to trick visitors into downloading malware instead of legitimate software. Usually, when open-source projects are searched on Google, users trust…
Analysis Summary
# Tool/Technique: Malicious Software Impersonation & TDS Distribution
## Overview
This technique relies on a large network of realistic clone websites that impersonate popular open-source and free software tools. The goal is to deceive technical users, such as developers and security researchers, into downloading malware by masquerading as the legitimate download portals for utilities like Ghidra, dnSpy, and ILSpy.
## Technical Details
- **Type**: Malware Distribution Technique / Traffic Distribution System (TDS)
- **Platform**: Web-based lure; the impersonated tools are mainly Windows-oriented development and analysis utilities (Ghidra itself is cross-platform), so the victims are users of those tools rather than a single operating system.
- **Capabilities**: Geographic gating, browser fingerprinting, VPN detection, and dynamic redirection.
- **First Seen**: June 2026 (Reported by Check Point Research)
## MITRE ATT&CK Mapping
- **TA0042 - Resource Development**
- **T1583.001 - Acquire Infrastructure: Domains**: Registering lookalike domains for the cloned project sites.
- **T1583.006 - Acquire Infrastructure: Web Services**: Hosting the redirect JavaScript on Amazon CloudFront.
- **T1608.004 - Stage Capabilities: Drive-by Target**: Standing up the clone sites that serve as the lure.
- **TA0001 - Initial Access**
- **T1189 - Drive-by Compromise**: Visitors are redirected to malicious payloads via hijacked download buttons.
- **TA0002 - Execution**
- **T1204.002 - User Execution: Malicious File**: The victim runs the downloaded installer or archive contents believing it is the genuine tool.
- **TA0005 - Defense Evasion**
- **T1036 - Masquerading**: Cloning legitimate software sites (Ghidra, dnSpy, etc.) to gain user trust.
- **T1497.001 - Virtualization/Sandbox Evasion: System Checks**: The TDS performs browser fingerprinting and environment analysis before delivering the payload.
## Functionality
### Core Capabilities
- **Site Cloning**: Sophisticated replication of over 100 legitimate open-source project websites.
- **Visual Deception**: Hovering over the download button shows a legitimate GitHub URL in the browser status bar, so a cursory visual check passes; the click itself is intercepted by script rather than following that URL.
- **Traffic Redirection**: JavaScript hosted on Amazon CloudFront diverts the "Download" click to a malicious backend instead of the URL displayed to the user.
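The following Python script is an added example, not code from the report or from Check Point Research. It audits a saved copy of a download page for the pattern just described: an anchor whose `href` points at GitHub (so the status bar looks right) but whose click is swallowed by a handler that rewrites `location`, plus `<script>` tags loaded from a CloudFront host. The sample pages, the CDN hostname `d1example.cloudfront.net`, the gate URL `tds.example` and the trusted-host list are all constructed for the example.

```python
"""Audit a saved download page for the click-hijack pattern.

Added example; the HTML below is constructed, not a capture of a real clone.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a legitimate release link for these projects should point at
# (assumption for the example; extend per project).
TRUSTED_LINK_HOSTS = {"github.com", "objects.githubusercontent.com"}
# The report names Amazon CloudFront as the host of the redirect script.
CDN_SCRIPT_SUFFIXES = (".cloudfront.net",)
# JS idioms that rewrite the navigation target after the click is swallowed.
LOCATION_REWRITES = ("location.href", "location.assign", "location.replace", "window.location")


class DownloadPageAuditor(HTMLParser):
    """Collects (kind, detail) findings while parsing the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src:
                host = (urlparse(src).hostname or "").lower()
                if host.endswith(CDN_SCRIPT_SUFFIXES):
                    self.findings.append(("cdn_script", host))
            else:
                self._script_buf = []
        elif tag == "a":
            href = a.get("href") or ""
            host = (urlparse(href).hostname or "").lower()
            # Status bar shows GitHub, but an inline handler runs first.
            if host in TRUSTED_LINK_HOSTS and "onclick" in a:
                self.findings.append(("onclick_on_trusted_link", href))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            self._script_buf = None
            # A handler that cancels the default navigation and then sets the
            # location is the signature of a hijacked download button.
            if "preventDefault" in body and any(t in body for t in LOCATION_REWRITES):
                self.findings.append(("click_interception", " ".join(body.split())[:80]))


def audit_download_page(html):
    """Return a list of (kind, detail) findings; an empty list means nothing matched."""
    auditor = DownloadPageAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed clone page: the hrefs look like the projects' GitHub release
# pages, while the CDN script and the gate URL are placeholders.
SAMPLE_CLONE_PAGE = """
<html><head><title>Ghidra - Download</title>
<script src="https://d1example.cloudfront.net/dl.js"></script></head>
<body>
<a id="dl" href="https://github.com/NationalSecurityAgency/ghidra/releases">Download Ghidra</a>
<a href="https://github.com/dnSpy/dnSpy/releases" onclick="return gate(this)">Download dnSpy</a>
<script>
document.getElementById('dl').addEventListener('click', function (e) {
  e.preventDefault();
  window.location.href = 'https://tds.example/gate?pid=ghidra';
});
</script>
</body></html>
"""

# Constructed benign page: a plain link with no script involvement.
SAMPLE_CLEAN_PAGE = """
<html><body>
<a href="https://github.com/icsharpcode/ILSpy/releases">Download ILSpy</a>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("clone", SAMPLE_CLONE_PAGE), ("clean", SAMPLE_CLEAN_PAGE)):
        print(name, audit_download_page(page))
```

The string checks on the inline script are deliberately coarse: obfuscated loaders will not match them, which is why the externally loaded CDN script is reported on its own, without needing to read its contents.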
### Advanced Features
- **Traffic Distribution System (TDS)**: A sophisticated "gating" mechanism that filters traffic to ensure only viable targets receive the malware.
- **Evasion Checks**: Before serving the payload, the system analyzes the visitor's:
- **Geographic Location**: To serve the payload only in the targeted regions and withhold it elsewhere.
- **Browser Fingerprint**: To distinguish real user browsers from automated sandboxes and crawlers.
- **VPN Usage**: To detect and potentially block visitors on VPNs, which filters out many researchers and scanning services.
## Indicators of Compromise
- **File Names**: Ghidra_setup.zip, dnSpy_v6.1.8.zip, CrystalDiskMark_Installer.exe (Note: These mimic legitimate names).
- **Network Indicators**:
- `[cdn-provider-urls].cloudfront[.]net` (Used for malicious JS hosting)
- Various de-fanged lookalike domains (e.g., `ghidra-project[.]org` clones, `dnspy[.]net` clones).
- **Behavioral Indicators**:
- Unexpected redirects after clicking download links on third-party sites.
- Execution of obfuscated JavaScript from CDN domains upon page interaction.
## Associated Threat Actors
- **Unknown**: The summary provides no attribution. The scale of the infrastructure (over 100 cloned sites plus a gating TDS) points to a well-resourced operator targeting technical personnel; whether the motive is financial or espionage is not established.
## Detection Methods
- **Signature-based detection**: Scanning proxied page content for the known malicious JavaScript served from the campaign's CloudFront distributions.
- **Behavioral detection**: Monitoring for download flows that start on a project-lookalike domain, load script from a CDN host, and end with a file fetched from somewhere other than GitHub or the project's official domain.
- **URL Inspection**: Checking the download page's domain for typosquatting or a TLD that differs from the official project site (for Ghidra, anything other than ghidra-sre.org or the project's GitHub repository).
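As an added example of the behavioral and URL checks above (not tooling from the report), the Python below reconstructs per-client chains from proxy log lines and raises an alert when a visit to a project-lookalike domain is followed by a script load from a CloudFront host or a download from a host outside the project's official set. The log lines, the lookalike domain `ghidra-sre.example`, the CDN and download hosts, and the official-host allowlist are constructed assumptions for the example; the allowlist in particular should be taken from each project's own documentation.

```python
"""Flag proxy-log sessions where a visit to a project-lookalike domain is
followed by CDN script loading or a download from an unofficial host.

Added example; the log lines below are constructed, not real telemetry.
"""
from urllib.parse import urlparse

# Where each project's genuine downloads live (assumption for the example;
# GitHub release assets are served from objects.githubusercontent.com).
OFFICIAL_HOSTS = {
    "ghidra": {"ghidra-sre.org", "github.com", "objects.githubusercontent.com"},
    "dnspy": {"github.com", "objects.githubusercontent.com"},
    "ilspy": {"github.com", "objects.githubusercontent.com"},
    "crystaldiskmark": {"crystalmark.info"},
}
ALL_OFFICIAL = set().union(*OFFICIAL_HOSTS.values())
DOWNLOAD_EXTENSIONS = (".zip", ".exe", ".msi", ".7z")
CDN_SUFFIX = ".cloudfront.net"  # per the report's network indicators


def host_of(url):
    return (urlparse(url or "").hostname or "").lower()


def second_level(host):
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def classify_host(host):
    """Return (project, reason) when host impersonates a project site, else None.

    "tld_discrepancy": same second-level label as an official domain, other TLD.
    "lookalike": the project name is embedded in an unofficial host name.
    """
    host = host.lower()
    if host in ALL_OFFICIAL:
        return None
    for project, official in OFFICIAL_HOSTS.items():
        if second_level(host) in {second_level(o) for o in official}:
            return project, "tld_discrepancy"
        if project in host.replace("-", ""):
            return project, "lookalike"
    return None


def parse_log(text):
    """Parse constructed lines of the form `time src status url referer` ('-' = none)."""
    events = []
    for line in text.strip().splitlines():
        ts, src, status, url, referer = line.split()
        events.append({"ts": ts, "src": src, "status": int(status), "url": url,
                       "host": host_of(url), "referer": None if referer == "-" else referer})
    return events


def find_clone_download_chains(events):
    """One alert per (source, clone landing page) that led to CDN script or an unofficial download."""
    alerts = []
    by_src = {}
    for e in events:
        by_src.setdefault(e["src"], []).append(e)
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            hit = classify_host(e["host"])
            # Start a chain only at the landing page, not at the clone's own
            # sub-resources (those carry the clone host as referer).
            if hit is None or host_of(e["referer"]) == e["host"]:
                continue
            project, reason = hit
            clone = e["host"]
            followups = [f for f in evs[i + 1:] if host_of(f["referer"]) == clone]
            cdn_hosts = [f["host"] for f in followups if f["host"].endswith(CDN_SUFFIX)]
            downloads = [f["url"] for f in followups
                         if f["url"].lower().endswith(DOWNLOAD_EXTENSIONS)
                         and f["host"] not in OFFICIAL_HOSTS[project]]
            if cdn_hosts or downloads:
                alerts.append({"src": src, "project": project, "clone_host": clone,
                               "reason": reason, "cdn_hosts": cdn_hosts, "downloads": downloads})
    return alerts


# Constructed sample: one client walks clone -> CDN script -> gate -> unofficial
# download; a second client fetches the real release from GitHub.
SAMPLE_PROXY_LOG = """\
10:00:01 10.1.2.3 200 https://ghidra-sre.example/ -
10:00:01 10.1.2.3 200 https://d1example.cloudfront.net/dl.js https://ghidra-sre.example/
10:00:09 10.1.2.3 302 https://tds.example/gate?pid=ghidra https://ghidra-sre.example/
10:00:10 10.1.2.3 200 https://files.example/Ghidra_setup.zip https://ghidra-sre.example/
10:05:00 10.1.2.4 200 https://github.com/NationalSecurityAgency/ghidra/releases -
10:05:03 10.1.2.4 200 https://objects.githubusercontent.com/ghidra_11.zip https://github.com/NationalSecurityAgency/ghidra/releases
"""

if __name__ == "__main__":
    for alert in find_clone_download_chains(parse_log(SAMPLE_PROXY_LOG)):
        print(alert)
```

Referer-based chaining is fragile (Referrer-Policy can strip it), so in production the same grouping is better keyed on client and a short time window; the allowlist-of-official-hosts check is the part that survives either way.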
## Mitigation Strategies
- **Source Verification**: Always download open-source tools directly from official GitHub repositories or verified project homepages listed on reputable directories.
- **Link Auditing**: Use browser extensions that flag newly registered domains or known malicious URLs.
- **Corporate Hardening**: Implement web filtering policies that block access to newly registered domains (NRDs) which are frequently used in these clone networks.
- **Integrity Checking**: Verify the SHA-256 hash or PGP signature of a downloaded binary against values published by the official project, never against values shown on the page the file was downloaded from.
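The Python below is an added example of the integrity check, not code from the report or from any of the projects named. It parses a `sha256sum`-style checksum list, streams the downloaded file through SHA-256, and compares in constant time; the demo exercises a genuine file, a tampered copy, and a file name the checksum list does not cover. The archive bytes, the checksum list and the release file name `ghidra_11.0_PUBLIC.zip` are constructed placeholders, and the checksum list stands in for one fetched from the official project site or repository.

```python
"""Verify a downloaded archive against a checksum list from the official project.

Added example; the payload bytes and the checksum file are constructed.
"""
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text):
    """Parse sha256sum-style lines (`<hex>  <name>` or `<hex> *<name>`) into {name: hex}."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"malformed digest line: {raw!r}")
        if not name:
            raise ValueError(f"missing file name: {raw!r}")
        sums[name] = digest
    return sums


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, published_name, sums):
    """Return (ok, reason). `sums` must come from the official project, not the download page."""
    if published_name not in sums:
        return False, f"{published_name} is not listed in the checksum file"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, sums[published_name]):
        return False, f"sha256 mismatch: got {actual}, expected {sums[published_name]}"
    return True, "sha256 matches the published value"


# Constructed stand-in for a release archive (not real Ghidra bytes).
GENUINE_ARCHIVE = b"PK\x03\x04 constructed stand-in for a release zip\n"
RELEASE_NAME = "ghidra_11.0_PUBLIC.zip"  # hypothetical release file name


def run_demo():
    """Exercise the three outcomes: match, tampered file, unlisted file name."""
    published = hashlib.sha256(GENUINE_ARCHIVE).hexdigest()
    sums = parse_sha256sums(f"# published by the project\n{published}  {RELEASE_NAME}\n")
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, RELEASE_NAME)
        with open(good, "wb") as f:
            f.write(GENUINE_ARCHIVE)
        # Same bytes with a trailing stub appended, named like the report's IOC.
        bad = os.path.join(tmp, "Ghidra_setup.zip")
        with open(bad, "wb") as f:
            f.write(GENUINE_ARCHIVE + b"<constructed trojan stub>")
        return {
            "genuine": verify_download(good, RELEASE_NAME, sums),
            "tampered": verify_download(bad, RELEASE_NAME, sums),
            "unlisted": verify_download(bad, "Ghidra_setup.zip", sums),
        }


if __name__ == "__main__":
    for case, (ok, reason) in run_demo().items():
        print(f"{case}: {'OK' if ok else 'REJECT'} - {reason}")
```

A hash only proves the file matches what the checksum list says; if the list was taken from the clone site it proves nothing. Where the project signs its releases, run `gpg --verify` on the signature with a maintainer key obtained out of band before trusting the hash list at all.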
## Related Tools/Techniques
- **Typosquatting**: Registering domains similar to legitimate ones.
- **SEO Poisoning**: Manipulating search engine results to place fake sites at the top of results.
- **SocGholish**: Another malware family known for using fake software updates and drive-by downloads.