Cybercriminals are targeting crypto users by abusing SourceForge, a widely known open-source software hosting platform.
According to security researchers at Kaspersky, attackers upload fake Microsoft Office installers laced with hidden malware, including crypto miners and clipboard hijackers, to deceive unsuspecting users.
They noted that while the SourceForge project pages themselves appear legitimate, the danger lies in the platform's auto-generated project subdomains. In one instance, Russia's Yandex search engine indexed such a fake domain, leading users to a page full of counterfeit Office tools and download buttons.
Data from Kaspersky indicates that more than 4,600 incidents were recorded in the first quarter of 2025, with 90% of the affected users in Russia.
It was unclear whether this attack had led to significant financial losses for crypto users.
The attack
In this attack, the hackers upload weaponized software to SourceForge project pages. These pages mimic legitimate Office-related tools, but the installers contain embedded scripts that deliver malicious payloads.
The lure begins with a small archive file named vinstaller.zip, only around 7MB. That alone is suspicious: genuine Office software is considerably larger, even when compressed.
Once the file is unzipped, however, it balloons into a 700MB installer packed with hidden scripts. The inflation is padding, a common trick to push a file past the size limits of antivirus scanners and sandboxes. The scripts silently fetch additional files from GitHub and scan the system for antivirus tools.
If no security software is detected, the installer drops crypto mining software and a ClipBanker Trojan.
According to the Kaspersky blog post:
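A 7MB archive that unpacks to 700MB is a 100:1 inflation ratio, and that ratio can be read from a ZIP's central directory without extracting a single byte. The following triage check is an added example written for this article, not code from Kaspersky or from the malware sample; the threshold, file names and sample archives it builds in memory are constructed for illustration. It generalizes beyond vinstaller.zip to any archive whose claimed uncompressed size is wildly out of proportion to what was downloaded.

```python
import io
import random
import zipfile

# Inflation ratio above which an archive is flagged for manual review.
# Assumed triage threshold, not a figure from the Kaspersky report.
SUSPICIOUS_RATIO = 20.0


def archive_inflation(zip_bytes: bytes) -> dict:
    """Read the ZIP central directory and report compressed vs. claimed
    uncompressed totals plus their ratio. Nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        compressed = sum(i.compress_size for i in infos)
        uncompressed = sum(i.file_size for i in infos)
    ratio = uncompressed / compressed if compressed else float("inf")
    return {
        "members": len(infos),
        "compressed": compressed,
        "uncompressed": uncompressed,
        "ratio": ratio,
    }


def is_suspicious(zip_bytes: bytes, threshold: float = SUSPICIOUS_RATIO) -> bool:
    """True when the archive inflates by at least `threshold` on extraction."""
    return archive_inflation(zip_bytes)["ratio"] >= threshold


def build_sample(padding_bytes: int, compressible: bool = True) -> bytes:
    """Constructed test archive: a tiny script plus a padding member.
    Zero-filled padding mimics the inflated installer; pseudo-random
    padding stands in for an ordinary archive of real binaries."""
    if compressible:
        padding = b"\x00" * padding_bytes
    else:
        padding = random.Random(7).randbytes(padding_bytes)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("installer.bat", "@echo off\r\necho setup\r\n")
        zf.writestr("payload.bin", padding)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (
        ("padded installer", build_sample(5_000_000)),
        ("ordinary archive", build_sample(200_000, compressible=False)),
    ):
        stats = archive_inflation(sample)
        verdict = "SUSPICIOUS" if is_suspicious(sample) else "ok"
        print(f"{label}: {stats['compressed']} -> {stats['uncompressed']} bytes, "
              f"ratio {stats['ratio']:.0f}:1, {verdict}")
```

The sizes in the central directory are attacker-controlled metadata, so treat a high ratio as a reason to detonate the archive in a sandbox rather than as proof of malice, and treat a low ratio as no evidence of safety: a deliberately padded installer can also be shipped uncompressed, in which case the tell is the file size alone.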
“ClipBanker is a malware family that replaces cryptocurrency wallet addresses in the clipboard with the attackers' own. Users of crypto wallets typically copy addresses instead of typing them. If the device is infected with ClipBanker, the victim's money will end up somewhere entirely unexpected.”
At the same time, one of the scripts sends information about the infected system to a Telegram bot, giving the attacker access to sensitive data.
This campaign highlights how attackers leverage trusted platforms to slip past security controls and spread malware at scale.