Check Point Research Exposes Hidden Malware Pipeline Lurking Behind Fake Open-Source Download Sites

Khushal

Apr 4, 2024
Check Point Research | June 3, 2026 | Research by: Alexey Bukhteyev

Overview

Check Point Research investigated a large-scale operation that impersonates open-source and freeware projects to capture search traffic, including lookalikes for researcher and security tooling such as Ghidra, dnSpy, and SpiderFoot. The investigation revealed that the deception goes far beyond appearance — the pages load a CloudFront-hosted JavaScript staging layer that converts a click on a "download" button into a handoff to a Traffic Distribution System (TDS), which enforces strict gating including first-visit state, mandatory click confirmation, anti-bot and anti-analysis logic, VPN and datacenter filtering, and frequency capping.
The observed ecosystem appears to be built primarily for traffic acquisition and monetization, likely leveraging legitimate ad-tech and monetization tooling, while downstream redirect chains repeatedly led selected users to malware delivery infrastructure.

Scale and Timeline

Check Point's findings show that this ecosystem has evolved — by at least December 2025, the sites in this cluster had TDS scripts embedded into their workflow, and from early January 2026 onward, active malware distribution was recorded via the same infrastructure.
The scale is reflected in VirusTotal telemetry: more than 5,000 total submissions across relevant samples, indicating substantial reach in just the subset visible through public sharing. The real exposure is likely significantly higher.

How the Attack Works

Impersonation and Click Hijacking

What the impersonation sites have in common is a shared staging component: their pages load CloudFront-hosted TDS scripts that turn the first "Download" click into a post-click routing chain.
The key trick used on these fake websites is that the "Download" button can look legitimate even to a careful user — the page keeps the original href intact, often pointing to a real upstream destination such as a GitHub release, which means browser UI cues like the status bar on hover still show a plausible target. At the same time, once the user interacts with the page, the previously loaded CloudFront-hosted JavaScript intercepts the first eligible user interaction and hands it off to the TDS.
The routing logic is also gated by browser-side state and frequency caps, including values stored in localStorage. This creates a reproducibility trap: the first eligible click may route through the TDS chain, while refreshes, repeated clicks, or return visits can fall back to the original visible link target.
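As an added example (not code from Check Point Research or from the campaign), the following Node.js script is a static triage heuristic for the pattern described above: a "Download" link whose visible href points at a plausible upstream host (such as a GitHub release), a script loaded from a third host unrelated to both the page and the link target, and inline script that combines click interception with localStorage state. The sample page, its hostnames and the GitHub organization in it are all constructed placeholders; the function names `assessDownloadPage` and `hostOf` are my own. The check is a first pass only, since real staging scripts are usually fetched dynamically and only their loader is visible in the HTML, so a "no-indicators" verdict is not a clean bill of health.

```javascript
// Added example: static triage of a download page for the hijack pattern
// described in the write-up. Heuristic, not the research team's tooling.

const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
const INLINE_SCRIPT_RE = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
const ANCHOR_RE = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;

// Resolve a possibly relative URL against the page and return its hostname.
function hostOf(url, base) {
  try { return new URL(url, base).hostname.toLowerCase(); } catch { return null; }
}

function assessDownloadPage(html, pageUrl) {
  const pageHost = hostOf(pageUrl);
  const findings = [];

  // 1. Anchors whose visible text says "download" and where they point.
  const downloadLinks = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const text = m[2].replace(/<[^>]+>/g, "").trim();
    if (/download/i.test(text)) {
      downloadLinks.push({ href: m[1], host: hostOf(m[1], pageUrl), text });
    }
  }
  const linkHosts = new Set(downloadLinks.map((l) => l.host).filter(Boolean));
  for (const l of downloadLinks) {
    if (l.host && l.host !== pageHost) {
      findings.push({ kind: "offsite-download-href", detail: `${l.text} -> ${l.host}` });
    }
  }

  // 2. External scripts served by a host that is neither the page nor the link target.
  const thirdPartyHosts = new Set();
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    const h = hostOf(m[1], pageUrl);
    if (h && h !== pageHost && !linkHosts.has(h)) thirdPartyHosts.add(h);
  }
  for (const h of thirdPartyHosts) findings.push({ kind: "third-party-script", detail: h });

  // 3. Inline scripts that both hook a click-type event and keep per-visitor state.
  for (const m of html.matchAll(INLINE_SCRIPT_RE)) {
    const body = m[1];
    const intercepts =
      /addEventListener\s*\(\s*["'](click|mousedown|pointerdown|touchstart)["']/.test(body) ||
      /\bonclick\b/.test(body);
    const gated = /\blocalStorage\b|\bsessionStorage\b|document\.cookie/.test(body);
    if (intercepts && gated) findings.push({ kind: "gated-click-handler", detail: "inline script" });
  }

  // Verdict: off-site link plus unrelated script host warrants review; add the
  // state-gated click handler and the page matches the full pattern.
  const kinds = new Set(findings.map((f) => f.kind));
  let verdict = "no-indicators";
  if (kinds.has("third-party-script") && kinds.has("offsite-download-href")) verdict = "review";
  if (verdict === "review" && kinds.has("gated-click-handler")) verdict = "suspicious";
  return { findings, verdict };
}

// Constructed sample page (placeholder hosts and organization, not a real site).
const SAMPLE_PAGE_URL = "https://example-tool-download.test/";
const SAMPLE_HTML = `
<html><head>
<script src="https://staging.cdn-placeholder.test/loader.js"></script>
</head><body>
<h1>Example Tool</h1>
<a class="btn" href="https://github.com/example-org/example-tool/releases/latest">Download</a>
<script>
  // constructed stand-in for the gating shape; handler body intentionally absent
  document.addEventListener("click", handler, { once: true });
  localStorage.setItem("visited", "1");
</script>
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(assessDownloadPage(SAMPLE_HTML, SAMPLE_PAGE_URL), null, 2));
}
```

Run it with `node triage.js` to see the three findings and the "suspicious" verdict for the sample; a page whose link and scripts are all same-origin returns "no-indicators". The point of the heuristic is the combination, not any single indicator: an off-site release link is normal for a legitimate project page, and a third-party script is normal for ad-tech, but together with a state-gated click hook they match the reproducibility trap the write-up describes.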
This is a good example of why "the link looks correct" is no longer a reliable safety check.

What stands out here

  • The fake sites appear to preserve a legitimate-looking download link, such as a real GitHub release, so hovering over the button may still show a plausible destination.
  • The actual redirection happens through JavaScript after the user interacts with the page.
  • The TDS logic adds filtering such as first-visit checks, anti-bot behavior, VPN/datacenter filtering, and frequency capping, which makes the activity harder to reproduce and investigate.
  • That combination makes the campaign more convincing for normal users and more frustrating for analysts.

Why this matters

A lot of people still rely on simple checks like:

  • hovering over the download button
  • looking for a familiar logo or layout
  • assuming GitHub-linked software pages are legitimate

Based on the Check Point write-up, those checks may not be enough if the page uses client-side click interception and conditional routing.

Practical takeaway

For software downloads, safer habits would be:

  • Use the official project page from a trusted source, not search ads or random search results.
  • If possible, navigate to the vendor or project repository manually instead of clicking a "Download" button on a third-party page.
  • Verify the publisher, domain, and release source carefully.
  • Scan the downloaded file with reputable security tools and, if appropriate, submit it to VirusTotal.
  • Be cautious if behavior changes between first click and later clicks, because that can be a sign of gated delivery.

One important limitation

I would still avoid assuming every impersonation page in a cluster directly serves malware to every visitor. A TDS-based ecosystem can route traffic differently depending on location, reputation, browser state, and timing. So the safest conclusion is that the infrastructure is associated with deceptive traffic routing and repeated downstream malware delivery, not that every single visit will produce the same result.

Bottom line

The main lesson is that modern fake download sites can abuse post-click JavaScript and TDS filtering in ways that defeat normal visual checks. For anything security-related or developer tooling-related, it is much safer to obtain downloads only from clearly verified official sources.