Impersonated websites of popular software tools | Image: Check Point Research
Cloned Portals Hijack Open-Source Search Traffic
Cybercriminals are finding innovative ways to exploit standard internet search habits. Recently, a major discovery revealed how threat actors hijack traffic meant for trusted open-source utilities. This deceptive operation uses polished clone websites to trick technical professionals into downloading malware. According to a new Check Point research report, the campaign relies heavily on complex malicious traffic routing to hide from automated analysis tools. Consequently, security experts are warning defenders to verify their download sources carefully.
The Mechanics of Click Interception
The large-scale campaign specifically targets critical applications used daily by software engineers and IT defenders. For example, the threat actors built highly convincing clone portals for reverse-engineering tools like Ghidra, dnSpy, and SpiderFoot. At first glance, these portals look identical to the official project pages. In fact, they even display legitimate links to the real upstream GitHub repositories to fool observant visitors. However, the real danger begins when a user clicks the interactive download link. Instead of fetching the clean utility, the website immediately initiates an invisible web-redirection sequence.
To achieve this stealth, the fraudulent platforms host malicious scripts inside trusted cloud infrastructure. Specifically, the setup uses legitimate content delivery network services to execute the code. When a user clicks the download button, a background script intercepts the primary click event. Next, it rapidly cancels the original safe browser navigation path. This mechanism lets the operators steer the user onto a path defined by their backend infrastructure. Therefore, the simple act of downloading code exposes the local machine to severe risk.
Inside the Gated Traffic Distribution System
The core engine behind this operation is a sophisticated Traffic Distribution System, or TDS. This filtering platform acts as an intelligent traffic broker between different cybercriminal networks. Furthermore, the system evaluates each incoming web visitor against very strict operational criteria. According to the comprehensive Check Point research report:
“The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping.”
Consequently, casual investigators or automated scanners only see harmless, misconfigured pages rather than active malware nodes.
Dynamic Gating Triggers Evasion Logic
This dynamic gating strategy creates an incredibly difficult environment for incident response teams. Because the system checks browser cookies and local environment variables, it actively prevents repeated analysis. For example, the initial click might deliver a dangerous file, but a secondary click will load a benign application. This intentional variation creates a complex trap for malware researchers. As a result, standard security tools frequently miss the underlying threat because the payload vanishes on return visits.
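The two behaviours described above, the click-triggered redirect chain and the different outcome on a return visit, leave a trace in proxy logs. The following is an added detection example, not code from the Check Point report: it replays constructed proxy-log lines, follows each redirect chain that starts from a clone's download page, and flags chains that do not end at the upstream host the page visibly links to, then notes when the same client gets different outcomes across visits. The clone and gateway hostnames, the allowlist, and the log format are all assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical allowlist: clone host -> host that really serves the project's releases.
EXPECTED_UPSTREAM = {"ghidra-example.invalid": "github.com"}
# Constructed proxy log (not real traffic): client method url status location referer
LOG = """\
10.0.0.5 GET http://ghidra-example.invalid/download 200 - http://ghidra-example.invalid/
10.0.0.5 GET https://cdn-example.invalid/track.js 200 - http://ghidra-example.invalid/download
10.0.0.5 GET https://gate-example.invalid/go?c=1 302 https://files-example.invalid/ghidra_setup.exe http://ghidra-example.invalid/download
10.0.0.5 GET https://files-example.invalid/ghidra_setup.exe 200 - https://gate-example.invalid/go?c=1
10.0.0.5 GET http://ghidra-example.invalid/download 200 - http://ghidra-example.invalid/
10.0.0.5 GET https://gate-example.invalid/go?c=2 302 https://github.com/example-org/ghidra/releases http://ghidra-example.invalid/download
10.0.0.5 GET https://github.com/example-org/ghidra/releases 200 - https://gate-example.invalid/go?c=2
"""
FIELDS = ("client", "method", "url", "status", "location", "referer")
def parse(log_text):
    """One dict per line; a '-' in the Location column means the response did not redirect."""
    return [dict(zip(FIELDS, line.split())) for line in log_text.strip().splitlines()]
def is_redirect(row):
    return row["status"].startswith("3") and row["location"] != "-"
def follow_chain(rows, start):
    """Follow 3xx hops by matching each Location to the same client's next request."""
    hops, row = [rows[start]["url"]], rows[start]
    while row is not None and is_redirect(row):
        row = next((r for r in rows[start + 1:] if r["client"] == row["client"]
                    and r["url"] == row["location"]), None)
        if row is not None:
            hops.append(row["url"])
    return hops
def audit(log_text):
    """Flag redirects triggered from a clone's /download page that end off-upstream."""
    rows, visits, findings = parse(log_text), defaultdict(int), []
    for i, row in enumerate(rows):
        ref = urlparse(row["referer"])
        if (ref.hostname not in EXPECTED_UPSTREAM or not ref.path.endswith("/download")
                or not is_redirect(row)):
            continue  # only the click-triggered redirect hop starts a chain
        visits[row["client"]] += 1
        hops = follow_chain(rows, i)
        final_host = urlparse(hops[-1]).hostname
        verdict = "matches-upstream" if final_host == EXPECTED_UPSTREAM[ref.hostname] else "steered"
        findings.append({"client": row["client"], "visit": visits[row["client"]],
                         "hops": hops, "final_host": final_host, "verdict": verdict})
    return findings
def gating_suspected(findings):
    """Same client, different outcomes on repeat visits: the TDS gating described above."""
    clients = {f["client"] for f in findings}
    return any(len({f["verdict"] for f in findings if f["client"] == c}) > 1 for c in clients)
```

On the constructed log the first click is steered to a file host while the second, from the same client, lands on the upstream repository, which is exactly the pattern a single-pass sandbox run would miss.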
A Varied Ecosystem of Downstream Payloads
Depending on the victim’s profile, the malicious traffic routing engine can deliver several distinct outcomes. In some observed cases, the infrastructure simply funnels traffic to advertising portals for quick monetization. Alternatively, the routing path pushes unwanted browser extensions onto the victim’s device. However, the most dangerous redirect paths end at malicious storage nodes. Ultimately, the ecosystem distributes three distinct malware families: a stealthy framework called SessionGate, an infostealer named RemusStealer, and a cryptocurrency clipper.
SessionGate and Deep Code Obfuscation
The SessionGate malware represents a highly mature threat vector discovered within this active campaign. This multi-stage framework focuses primarily on distributing potentially unwanted software applications. To hide its operations, the binary embeds a legitimate compression utility directly into its code footprint. If the server-side gating does not pass the visitor, the application simply runs a normal installation window. The report highlights the technical complexity of this strategy:
“SessionGate case drew our attention not only because of its multi-stage delivery chain and extensive validation logic, but also due to a rather unusual anti-analysis approach.”
Meanwhile, other redirect chains drop a dedicated data harvester known as RemusStealer. This particular malware family explicitly targets sensitive configuration details stored across dozens of web browsers. Specifically, it searches local directories for saved account credentials, cookies, and digital identity profiles. Furthermore, it targets hundreds of individual browser extensions, with a heavy emphasis on cryptocurrency wallets and password managers. Therefore, a single compromised download can instantly drain an entire corporate infrastructure.
Ultimately, this aggressive campaign demonstrates that modern eCrime groups are targeting high-value technical users. Because traditional design aesthetics can be copied easily, visual cues no longer guarantee software safety. Security teams must avoid relying on simple search rankings to find official download targets. Instead, organizations should enforce strict application allowlisting to protect local engineering stations. By monitoring unusual background network connections, defenders can successfully block these hidden redirection networks before they execute.