A large-scale malware operation has exploited SourceForge, a trusted open-source software repository, to distribute crypto-targeting malware through deceptive office software downloads. Between January and March, over 4,600 devices—primarily in Russia—were compromised. The attack was discovered by Kaspersky , which published detailed findings on April 8. The attackers used SourceForge’s platform tools to create a convincing front for their campaign, establishing a fake project that mimicked Microsoft Office add-ons. Behind its developer-friendly appearance, however, the infrastructure served as a launchpad for malicious software. The operation combined file obfuscation, password protection, and large dummy installers to avoid detection and maintain persistence on infected systems. Over 4,600 devices hit Researchers traced the campaign to a SourceForge-hosted page named “officepackage”, which imitated Microsoft Office extensions lifted from GitHub. Once published, the project automatically received its own subdomain-officepackage.sourceforge.io. That subdomain was then indexed by search engines like Yandex, making it easily discoverable by unsuspecting users searching for office software. When users visited the page, they were met with what appeared to be a legitimate list of downloadable office tools. Clicking the links redirected them several times before delivering a small zip archive. Once unzipped, the archive ballooned into a 700MB installer designed to trick users and evade antivirus scans. Fake installer hides malware The installer contained embedded scripts that downloaded additional payloads from GitHub. These payloads included a cryptocurrency miner and a ClipBanker—malware that hijacks clipboard contents to redirect crypto transactions to attacker-controlled wallets. Before installing the malware, one script checks for the presence of antivirus tools. If none are found, the payload proceeds to deploy support utilities like AutoIt and Netcat. Another script sends device information to a Telegram bot controlled by the threat actors. This information helps attackers determine which infected systems are most valuable or suitable for resale on the dark web. SourceForge used for delivery The use of SourceForge as the initial infection vector gave the campaign an edge in credibility. Known for its role in distributing legitimate open-source software, SourceForge allowed the attackers to bypass many of the red flags typically associated with malicious downloads. The attackers’ use of the site’s built-in project and hosting features meant the malware could masquerade as a trustworthy application without requiring external infrastructure. Kaspersky’s data indicates that 90% of infection attempts came from Russian users. Though the initial payload focuses on crypto theft, researchers warned that compromised devices could be repurposed or sold to other criminal groups for further exploitation. Yandex and GitHub aid spread The campaign’s effectiveness was enhanced by the indexing of the SourceForge subdomain on Yandex, one of Russia’s largest search engines. This increased visibility among potential victims, particularly those searching for productivity software online. The use of GitHub as a secondary hosting location for malware downloads allowed the attackers to maintain and update the payloads with ease. GitHub’s widespread reputation for safety further masked the operation’s malicious intent. Kaspersky has not disclosed the identities behind the campaign, and there is no indication that SourceForge or GitHub were complicit. Both platforms appear to have been exploited through their publicly available features. It remains unclear whether the malicious project has since been removed. The post Hackers use SourceForge to spread crypto malware disguised as Microsoft Office tools appeared first on Invezz
