Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem
Essential information
- Published: 03/06/2026 19:42
- Modified: 04/06/2026 09:09
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: animateclipper, click hijacking, cryptocurrency clipper, infostealer, remusstealer, sessiongate, traffic distribution system
- Tags: 2026-06-03, animateclipper, click hijacking, cryptocurrency clipper, infostealer, remusstealer, sessiongate, traffic distribution system
- Related entities: 64 indicators, 64 observables, 20 techniques (MITRE), 3 malware, 45 others
Description
A large-scale operation impersonates open-source and freeware projects to capture search traffic, targeting tools such as Ghidra, dnSpy, and SpiderFoot. The professionally designed sites load CloudFront-hosted JavaScript that converts download button clicks into handoffs to a Traffic Distribution System (TDS), which enforces strict gating including first-visit state, click confirmation, anti-bot logic, VPN filtering, and frequency capping. The ecosystem appears primarily built for traffic acquisition and monetization using legitimate ad-tech, but downstream redirect chains repeatedly led selected users to malware delivery infrastructure. The observed payloads include SessionGate (a multi-stage loader with heavy obfuscation delivering potentially unwanted applications), RemusStealer (an infostealer targeting over 20 browsers and hundreds of extensions), and AnimateClipper (a cryptocurrency clipper supporting 20+ blockchain ecosystems). Over 5,000 VirusTotal submissions indicate substantial reach across the ...