Cybercriminals are targeting crypto users by exploiting SourceForge, a well-known open-source software platform.
According to security experts at Kaspersky, malicious attackers upload fake Microsoft Office installers packed with hidden malware, including crypto miners and clipboard hijackers, to deceive unsuspecting users.
They noted that while the SourceForge project pages look legitimate, the danger lies in their auto-generated subdomains. In one instance, Russia’s Yandex search engine indexed a fake domain, leading unsuspecting users to a page filled with counterfeit Office tools and download buttons.

Data from Kaspersky indicates that more than 4,600 incidents were recorded in the first quarter of 2025, with 90% of the affected users in Russia.
It was unclear if this attack had led to significant financial losses for crypto users.
The attack
In this attack, the hackers upload weaponized software to SourceForge’s project pages. These pages mimic legitimate Office-related tools, but the installers contain embedded scripts that deliver harmful payloads.
The trap begins with a small archive file named vinstaller.zip, only about 7MB. This is suspicious, as genuine Office software is significantly larger—even when compressed.
However, when the file is unzipped, it balloons into a 700MB installer packed with hidden scripts. These scripts silently fetch additional files from GitHub and scan the system for antivirus tools.
If no protection is detected, the installer loads crypto mining software and a ClipBanker Trojan.
According to the blog post:
“ClipBanker is a malware family that replaces cryptocurrency wallet addresses in the clipboard with the attackers’ own. Users of crypto wallets typically copy addresses instead of typing them. If the device is infected with ClipBanker, the victim’s money will end up somewhere entirely unexpected.”
At the same time, one of the scripts sends user information to a Telegram bot, giving the hacker full access to sensitive data.
This campaign highlights how hackers leverage trusted platforms to bypass security systems and spread malware at scale.
The post Crypto users targeted in SourceForge malware attack via fake Microsoft Office softwares appeared first on CryptoSlate.
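A triage check for the size mismatch described above (a roughly 7MB archive that unpacks into a 700MB installer), added here as an example and not taken from Kaspersky or the original article: it reads the sizes declared in the ZIP central directory without extracting anything. The thresholds, function names and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Assumed triage thresholds (not from the article); tune them per environment.
MAX_RATIO = 20.0             # expanded/packed ratio that warrants a closer look
MIN_EXPANDED = 100 * 2**20   # skip archives that expand to under 100 MiB

def inflation_report(archive, max_ratio=MAX_RATIO, min_expanded=MIN_EXPANDED):
    """Summarise size inflation from the ZIP central directory, without extracting.

    The sizes are whatever the archive declares, so treat a clean result as
    "not flagged", never as "safe".
    """
    with zipfile.ZipFile(archive) as zf:
        entries = [e for e in zf.infolist() if not e.is_dir()]
    packed = sum(e.compress_size for e in entries)
    expanded = sum(e.file_size for e in entries)
    ratio = expanded / packed if packed else 0.0
    largest = max(entries, key=lambda e: e.file_size, default=None)
    return {
        "packed_bytes": packed,
        "expanded_bytes": expanded,
        "ratio": round(ratio, 1),
        "largest_entry": largest.filename if largest else None,
        "suspicious": expanded >= min_expanded and ratio >= max_ratio,
    }

def build_sample(padding_bytes):
    """Constructed sample: a 64 KiB incompressible stub plus zero padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("installer.exe", os.urandom(64 * 1024) + bytes(padding_bytes))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Scaled-down stand-ins for the 7MB -> 700MB case, so the demo stays small.
    padded = inflation_report(build_sample(4 * 2**20), min_expanded=2**20)
    plain = inflation_report(build_sample(0), min_expanded=2**20)
    print("padded:", padded)
    print("plain: ", plain)
```

`inflation_report` also accepts a file path, so it can be pointed at a downloaded archive before anything is unpacked.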