Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem
ID: 8a87b676-b7e7-52dd-8005-d7d3147c7a7a
STIX ID: report--8a87b676-b7e7-52dd-8005-d7d3147c7a7a
Feed Name: Check Point Research
Check Point Research analyzed a large-scale campaign of professionally crafted websites impersonating open-source and freeware projects. The sites hijack the victim's first click on a download link and funnel the victim into a gated Traffic Distribution System (TDS). The TDS applies anti-analysis checks and filtering before routing selected victims to downstream payloads, notably a multi-stage, heavily gated loader (SessionGate), the RemusStealer infostealer, and the AnimateClipper cryptocurrency clipper. Delivery relies on per-session keys and server-side gating, and the distribution is monetization-driven. The report includes technical workflow diagrams, detailed per-module behavior, and extensive IOCs.
