New Malware Campaign Exploits SourceForge Projects to Steal Crypto & Spy on Users


A new malware campaign is targeting users through SourceForge, a long-established and widely trusted site for hosting open-source software projects.

In a rush? Here are the quick facts:

  • Victims download a fake installer containing a hidden cryptocurrency miner and ClipBanker.
  • Malware sends user data to attackers via Telegram API.
  • Attack chain includes VB scripts, PowerShell commands, and AutoIt interpreters.

Researchers from Kaspersky uncovered a scheme where attackers use a fake project to trick people into downloading malicious files disguised as office tools.

The fake project, called “officepackage,” looks harmless on its SourceForge page, and its description is copied from a real Microsoft Office add-ons project on GitHub. But the project's officepackage.sourceforge.io subdomain (SourceForge lets every project serve its own web pages from such a subdomain) hosts a completely different site: a list of supposed office applications, each with a “Download” button.

The researchers explain that these pages are indexed by search engines, so they surface in search results and look legitimate there. But instead of useful software, users are sent through a chain of redirects across several download pages that ultimately install malware on their computers.

The downloaded file, named vinstaller.zip, contains a password-protected archive and a Windows Installer (MSI) package that has been padded with junk data so that its size matches what a real office suite would be. The padding fools users and also pushes the file past the upload limits of many online scanners. When launched, the installer silently runs an embedded script that downloads further files from GitHub, unpacks the password-protected archive, and starts the spying and mining components on the device.

One of the hidden scripts sends the victim’s device details to the attackers through the Telegram Bot API, a channel attackers favor because the traffic goes to a legitimate domain over HTTPS and rarely stands out in proxy logs. The report includes the computer’s IP address, username, installed antivirus software, and even the CPU name.
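Because the exfiltration goes to api.telegram.org, a defender can still catch it: every Bot API request carries the bot token in the URL path, which no normal desktop application sends. The following detection is an added example, not code from the article or from Kaspersky. It runs over a handful of constructed Squid-style proxy log lines (timestamp, client IP, verb, URL, user agent) embedded inline; the log format, the client addresses and the bot token are all invented for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Telegram Bot API URLs look like https://api.telegram.org/bot<bot_id>:<secret>/<method>.
# The bot_id is numeric and the secret is 35 characters of [A-Za-z0-9_-].
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>\w+)"
)

# Constructed sample log (Squid-like: ts client verb url user-agent). Not real traffic;
# the bot token below is made up for this example.
SAMPLE_LOG = """\
1712600001.123 10.0.0.12 GET https://web.telegram.org/a/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0
1712600005.456 10.0.0.12 POST https://api.telegram.org/bot7012345678:AAHk9fpQ2bX4z8LmN3rT6vW1yU0sE5dC7gI/sendMessage -
1712600009.789 10.0.0.30 GET https://api.github.com/repos/example/example/contents/ curl/8.4.0
1712600012.000 10.0.0.12 POST https://api.telegram.org/bot7012345678:AAHk9fpQ2bX4z8LmN3rT6vW1yU0sE5dC7gI/sendDocument -
"""


@dataclass(frozen=True)
class BotApiHit:
    client: str       # internal host that made the request
    bot_id: str       # numeric bot id (a pivot for IR; the secret is deliberately not kept)
    api_method: str   # sendMessage, sendDocument, ...
    user_agent: str   # "-" or a non-browser UA is itself a signal


def find_bot_api_hits(log_text: str) -> list[BotApiHit]:
    """Return one hit per log line whose URL is a Telegram Bot API call."""
    hits: list[BotApiHit] = []
    for line in log_text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue  # malformed or truncated line; skip rather than guess
        _ts, client, _verb, url, user_agent = parts
        m = BOT_API_RE.search(url)
        if m:
            hits.append(BotApiHit(client, m["bot_id"], m["method"], user_agent))
    return hits


def hits_by_client(hits: list[BotApiHit]) -> dict[str, dict[str, list[str]]]:
    """Group hits as {client: {bot_id: [api_method, ...]}} so one alert per host/bot pair can be raised."""
    grouped: dict[str, dict[str, list[str]]] = defaultdict(lambda: defaultdict(list))
    for h in hits:
        grouped[h.client][h.bot_id].append(h.api_method)
    return {c: dict(bots) for c, bots in grouped.items()}


if __name__ == "__main__":
    for client, bots in hits_by_client(find_bot_api_hits(SAMPLE_LOG)).items():
        for bot_id, methods in bots.items():
            print(f"{client} -> bot {bot_id}: {', '.join(methods)}")
```

The browser visit to web.telegram.org and the GitHub API call are not flagged; only the two bot-token URLs from 10.0.0.12 are. In a real deployment the same regex works on DNS-less HTTPS logs only when the proxy sees the full URL (TLS interception or a CONNECT proxy with URL logging); with SNI alone you can match the host but not the token, so pair the host match with a process-level source such as EDR network telemetry.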

The malware does two main things: first, it installs a cryptocurrency miner that quietly uses the computer’s resources to generate digital money for the attackers.

Second, it installs a type of malware called ClipBanker, a clipper that watches the clipboard for copied cryptocurrency wallet addresses. When it sees one, it replaces the address with one owned by the attacker, so the victim pastes the attacker’s address into the transfer form and the funds are redirected. Because wallet addresses are long, random-looking strings, few victims notice the swap before sending.

The malware uses several methods to persist on the system and restart automatically after a reboot: it hides its files in system folders, adds autostart registry keys, registers fake Windows services, and abuses system update mechanisms to relaunch itself.

To stay safe, experts strongly advise downloading software only from official sources; pirated or unofficial downloads always carry a higher risk of infection. In this case the warning signs were there for a careful user: the download domain did not match the project’s page, the “installer” was hundreds of megabytes of padding, and the install chain passed through several redirecting download pages.
