Fake Ghidra, dnSpy & SpiderFoot Sites Used to Spread Malware
ID: c00c1a4e-db20-5739-ae49-1270ed551791
STIX ID: report--c00c1a4e-db20-5739-ae49-1270ed551791
Feed Name: GBHackers
**Malicious cloned download portals distribute malware via a click-hijacking TDS:** Operators clone legitimate tool websites (e.g., Ghidra, dnSpy, SpiderFoot) and inject CloudFront-hosted JavaScript that intercepts the first download click to route victims through a stateful traffic distribution system. The result is delivery of SessionGate (a sophisticated multi-stage loader), the RemusStealer infostealer, the AnimateClipper crypto-clipper, or PUAs. The report includes numerous IOCs and highlights the need to validate download sources and to monitor DNS and script behaviors.
