Cybercriminals have hijacked SourceForge to deploy sophisticated cryptocurrency-stealing malware. The hackers are exploiting the platform’s subdomain feature to host fake software downloads that look legitimate enough to fool unsuspecting users. Talk about a wolf in sheep’s clothing.

These digital predators are specifically targeting Russian-speaking users. Their fake projects mimic legitimate Microsoft Office add-ins – complete with professional-looking websites that search engines happily index. Because why would Google be suspicious of content on SourceForge, right?

The infection chain is particularly devious. Users download what they think is legitimate software but instead receive a suspicious archive named “vinstaller.zip.” Inside? A password-protected file and convenient instructions on how to access it. How thoughtful of them to provide step-by-step instructions for getting hacked.

Once executed, the ClipBanker malware gets to work. It monitors clipboards for cryptocurrency wallet addresses and swiftly replaces them with the hackers’ own. Copy and paste a friend’s wallet address? Congrats, you just sent your crypto to some guy in a dark room somewhere.
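The clipboard-swap behaviour described above can be spotted from the defender's side by comparing what the user actually copied with what the clipboard holds when it is read back. The Python below is an added illustration, not code from the article or from Kaspersky's analysis. It assumes a feed of clipboard snapshots, each labelled with whether an explicit user copy was observed for that change (on a real host that label would come from an OS clipboard hook; here it is a constructed in-memory list), and flags any change where one wallet address is silently replaced by a different address of the same type. The address regexes are deliberately approximate shapes for Bitcoin and Ethereum, not checksum validators.

```python
import re
from dataclasses import dataclass

# Approximate address shapes for two common coin types. Assumption: a real
# monitor would cover more coin types and validate checksums.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"\b(?:bc1[a-z0-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


@dataclass
class ClipboardEvent:
    content: str       # text now on the clipboard
    user_action: bool  # True when an explicit user copy caused this change


def find_address(text):
    """Return (kind, address) for the first wallet address in text, else None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        match = pattern.search(text)
        if match:
            return kind, match.group(0)
    return None


def detect_swaps(events):
    """Flag clipboard changes that replace a user-copied wallet address with a
    different address of the same type without any user copy in between."""
    alerts = []
    last_user_copy = None  # (kind, address) from the most recent user copy
    for index, event in enumerate(events):
        found = find_address(event.content)
        if event.user_action:
            last_user_copy = found
            continue
        # Clipboard changed with no user copy: suspicious only if a wallet
        # address of the same kind was replaced by a different one.
        if (found and last_user_copy
                and found[0] == last_user_copy[0]
                and found[1] != last_user_copy[1]):
            alerts.append({
                "event": index,
                "kind": found[0],
                "copied": last_user_copy[1],
                "now_on_clipboard": found[1],
            })
    return alerts


# Constructed sample sequence (not captured from a real infection): two silent
# rewrites and one benign poll where the clipboard did not change.
SAMPLE_EVENTS = [
    ClipboardEvent("1ConstructedAddr" + "A" * 15, user_action=True),
    ClipboardEvent("1AttackerAddr" + "B" * 18, user_action=False),
    ClipboardEvent("meeting at 3pm", user_action=True),
    ClipboardEvent("meeting at 3pm", user_action=False),
    ClipboardEvent("0x" + "a" * 40, user_action=True),
    ClipboardEvent("0x" + "b" * 40, user_action=False),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"clipboard swap at event {alert['event']}: "
              f"{alert['copied']} -> {alert['now_on_clipboard']}")
```

The comparison is keyed on address type on purpose: a clipper that swaps a Bitcoin address for an attacker's Bitcoin address is the case that matters, while a user copying unrelated text in between resets the baseline so ordinary editing does not raise alerts.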

The malware doesn’t stop there. It checks for installed antivirus software and deletes itself if it finds any. It mines cryptocurrency using victims’ resources. It even phones home to its masters via Telegram, sending detailed system information. The attackers have implemented persistence by manipulating registry keys and creating custom services to ensure long-term access. Multi-talented little parasite.
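For the persistence side, one thing a responder can do right away is export the usual autostart locations (Run keys and service ImagePath values, for instance with `reg export`) and triage anything that launches from a user-writable directory. The Python below is an added example, not code from the article or from Kaspersky's analysis. It parses a constructed `.reg` export (the key paths are real autostart locations; the entries themselves are made up) and flags entries whose command lives under AppData, Temp, ProgramData or Users\Public, which is where dropped malware usually ends up and where signed vendor software usually does not.

```python
import re

# Constructed sample of a `reg export` covering one Run key and one service.
# The entries are invented for this example, not taken from a real infection.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\updater\\update.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"ImagePath"="C:\\ProgramData\\svc\\svchost.exe"
"Start"=dword:00000002
'''

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')
# Directories an unprivileged user can write to; an autostart pointing here
# deserves a look. Assumption: extend this list to match local policy.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def unescape_reg_string(raw):
    """Strip the surrounding quotes of a .reg string value and resolve the
    backslash escapes (\\\\ and \\") the export format uses."""
    return re.sub(r"\\(.)", r"\1", raw[1:-1])


def parse_reg_export(text):
    """Return (key, value_name, string_value) for every string value in the export.
    dword/hex values are skipped since autostart commands are always strings."""
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_LINE.match(line)
        if m and key and m.group("val").startswith('"') and m.group("val").endswith('"'):
            entries.append((key, m.group("name"), unescape_reg_string(m.group("val"))))
    return entries


def is_autostart(key, name):
    """True for Run/RunOnce values and for a service's ImagePath."""
    k = key.lower()
    if k.endswith("\\run") or k.endswith("\\runonce"):
        return True
    return "\\services\\" in k and name.lower() == "imagepath"


def triage_autostarts(text):
    """Flag autostart entries whose command lives in a user-writable directory."""
    findings = []
    for key, name, value in parse_reg_export(text):
        if not is_autostart(key, name):
            continue
        if USER_WRITABLE.search(value):
            findings.append({
                "key": key,
                "name": name,
                "command": value,
                "reason": "launches from a user-writable directory",
            })
    return findings


if __name__ == "__main__":
    for finding in triage_autostarts(SAMPLE_REG_EXPORT):
        print(f"[{finding['key']}] {finding['name']}: {finding['command']} "
              f"({finding['reason']})")
```

On the constructed sample the OneDrive entry under Program Files passes, while the Run value under AppData and the service whose ImagePath sits in ProgramData are both reported; a binary named like a system component living outside System32 is exactly the kind of entry a custom service created for persistence tends to look like.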

The campaign has been wildly successful. Over 4,600 systems were compromised between January and March 2025, primarily in Russia. Security experts found that approximately 90% of victims resided in Russia, confirming the campaign’s geographic targeting strategy. Kaspersky finally caught on and reported the threat.

The security implications are serious. Beyond stealing cryptocurrency, attackers can sell access to compromised systems to other criminals. It’s like a digital flea market for stolen computers.

What makes this attack particularly effective is its abuse of SourceForge’s trusted status. Users expect legitimate software from established platforms. They don’t expect to get robbed. But in today’s digital landscape, even seemingly safe harbors aren’t safe anymore.