Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS

ID: 69db5eac-6e46-5428-8383-332204031dbb

STIX ID: report--69db5eac-6e46-5428-8383-332204031dbb

Feed Name: The Hacker News

Threat Score: 75/100

Date Published: 2026-06-04

Date Updated: 2026-06-04

Author: [email protected] (The Hacker News)

Malicious actors are impersonating legitimate open-source and freeware project portals and leveraging SEO poisoning and click-interception to funnel users into a CloudFront-hosted JavaScript staging layer that hands off to a gated Traffic Distribution System (TDS). The TDS implements anti-bot/anti-analysis checks and selectively delivers multi-stage payloads — notably the SessionGate obfuscated loader, Remus Stealer (infostealer), and AnimateClipper (cryptocurrency clipper) — with evidence of active distribution since January 2026 and several thousand related VirusTotal submissions from multiple countries.
