Hackers Impersonate Ghidra, dnSpy, and SpiderFoot to Spread Malware
ID: f63df767-d5fe-53f0-b6aa-33e777588678
STIX ID: report--f63df767-d5fe-53f0-b6aa-33e777588678
Feed Name: Cyber Press
Researchers uncovered a large-scale campaign in which threat actors stood up professionally designed fake websites impersonating popular open-source tools (e.g., Ghidra, dnSpy, SpiderFoot). The sites use click-hijacking and Traffic Distribution Systems (TDS), hosted on legitimate CDNs, to filter visitors and redirect selected ones to malicious payloads. The infrastructure gates victims dynamically by location, operating system, browser and other client signals, serving nothing suspicious to visitors that look like researchers or sandboxes, and delivers multi-stage malware: the obfuscated SessionGate loader and the RemusStealer infostealer, which harvests credentials from dozens of browsers and browser extensions as well as cryptocurrency credentials. Because the lure is the download page itself, the practical defense is to obtain such tools only from the project's official repository or release page rather than from search results or sponsored links, and to treat a download that arrives via an unexpected redirect chain as suspect.
