Hackers Impersonate Ghidra, dnSpy, and SpiderFoot to Spread Malware via Fake Download Sites
ID: 45ebbb5c-a2b6-5f48-852b-d356020bea59
STIX ID: report--45ebbb5c-a2b6-5f48-852b-d356020bea59
Feed Name: cybersecurityNews.com
Malicious operators have created convincing fake project sites (e.g., ghidralite.com, dnspy.org) that load CloudFront-hosted JavaScript to intercept the visitor's first download click and silently redirect the victim through a Traffic Distribution System (TDS). The campaign, active since at least December 2025, uses more than 100 fake sites and delivers three main payloads: SessionGate (an anti-analysis multi-stage loader), RemusStealer (a browser and cryptocurrency-wallet infostealer), and AnimateClipper (a clipboard wallet-address hijacker). The report lists extensive IoCs (SHA-256 hashes, domains, URLs, IPs) and documents evasion techniques designed to frustrate researchers.
