09 Apr 25

Kaspersky: Malware Poses as Office Add-Ons to Infect Devices and Steal Crypto

Cybercriminals are using the SourceForge platform to distribute malware disguised as official Microsoft Office add-ons, Kaspersky reported.

nft.eu

Cybercriminals are using the SourceForge platform to distribute malware disguised as official Microsoft Office add-ons, Kaspersky reported. The campaign has already affected more than 4,600 devices, most of them in Russia. The malicious project masqueraded as a legitimate developer tools repository but in reality infected computers with malware that mines cryptocurrency and hijacks clipboard wallet addresses.

How the Infection Scheme Works

A project called officepackage was uploaded to SourceForge as a copy of Microsoft's genuine Office-Addin-Scripts project on GitHub. Its description and file structure matched the original. When users searched for Office extensions via search engines, they landed on the page officepackage.sourceforge.io, a site that looked like a legitimate developer page with "Office Add-ins" and "Download" buttons.

Clicking the link downloaded a ZIP archive containing a file named installer.msi, which posed as the add-in installer. The file had been padded with junk data to about 700 MB so that it would look like a real Office package. When launched, it dropped an executable, UnRAR.exe, and an archive, 51654.rar, and ran an embedded Visual Basic script that downloaded confvk.bat from GitHub.

That batch script checked whether it was running in an analysis environment or alongside antivirus software, then downloaded a second script, confvz.bat, which set up persistence through Windows startup entries and services and unpacked the RAR archive.

What the Attackers Gained

The RAR archive contained an AutoIT interpreter (Input.exe), Netcat (ShellExperienceHost.exe, used for a reverse shell), and two DLLs: Icon.dll and Kape.dll. One launched a hidden cryptocurrency miner; the other acted as a "clipper" that monitored the user's clipboard and replaced cryptocurrency wallet addresses with ones controlled by the attacker.
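The clipper described above works by reading the clipboard and, whenever it holds a wallet address, silently writing an attacker address of the same kind in its place. The following is an added example, not code from the Kaspersky report or from the malware itself: a small guard that records the address the user actually copied and flags a later clipboard read that contains a different address of the same type, which is exactly the footprint of an in-place swap. The address patterns, the guard class and the clipboard timeline are assumptions constructed for the example (the sample addresses are well-known format test vectors, not anyone's real wallet), and the timeline is replayed in memory so it runs offline; on a real Windows host the same logic would poll the system clipboard instead.

```python
"""Clipboard-swap ("clipper") detector.

Added example; not the report's or the malware's own code. It models the
attack in the article: a clipper watches the clipboard and, when it sees a
cryptocurrency address, replaces it with one the attacker controls. The guard
remembers what the user copied and raises an alert when the clipboard later
holds a *different* address of the same kind.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address shapes recognised (format only; no checksum validation). Assumed
# for the example, not taken from the report.
ADDRESS_PATTERNS = {
    "btc_base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,87}$"),  # bech32 charset has no 1, b, i, o
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address type of `text`, or None if it is not a wallet address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class Alert:
    kind: str     # address type that was swapped
    copied: str   # what the user put on the clipboard
    found: str    # what the clipboard held afterwards


class ClipboardGuard:
    """Tracks the address the user last copied and detects silent replacement."""

    def __init__(self) -> None:
        self._copied: Optional[str] = None  # baseline: address the user actually copied

    def on_user_copy(self, text: str) -> None:
        """Called when the user copies something (e.g. from a wallet UI)."""
        self._copied = text.strip() if classify(text) else None

    def on_clipboard_read(self, text: str) -> Optional[Alert]:
        """Called whenever the clipboard is read back (poll or paste).

        A swap is: we know what the user copied, the clipboard now holds a
        different string, and that string is an address of the same kind.
        Ordinary new content (notes, a URL) is not an alert.
        """
        text = text.strip()
        if self._copied is None or text == self._copied:
            return None
        kind = classify(text)
        if kind is not None and kind == classify(self._copied):
            return Alert(kind, self._copied, text)
        return None


def simulate(events: List[Tuple[str, str]]) -> List[Alert]:
    """Replay a (action, content) clipboard timeline; return the alerts raised."""
    guard = ClipboardGuard()
    alerts: List[Alert] = []
    for action, content in events:
        if action == "copy":
            guard.on_user_copy(content)
        else:
            alert = guard.on_clipboard_read(content)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed timeline: "copy" is a user action, "read" is the clipboard being
# polled or pasted. Sample addresses are format test vectors, not real wallets.
USER_BTC = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
ATTACKER_BTC = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
USER_ETH = "0x" + "ab" * 20
SAMPLE_EVENTS = [
    ("copy", USER_BTC),
    ("read", USER_BTC),                           # unchanged: no alert
    ("read", ATTACKER_BTC),                       # swapped in place: alert
    ("copy", "meeting notes"),                    # not an address: nothing to guard
    ("read", USER_ETH),                           # no baseline address: no alert
    ("copy", USER_ETH),
    ("read", USER_ETH.replace("ab", "cd", 1)),    # same-length ETH swap: alert
]

if __name__ == "__main__":
    for a in simulate(SAMPLE_EVENTS):
        print(f"[{a.kind}] clipboard swapped: {a.copied} -> {a.found}")
```

The detection key is that a clipper must preserve the address type and rough length or the victim's wallet would reject the paste, so "different address, same kind, no user copy in between" is a reliable signal. The guard only observes; on a real host it would also need a trustworthy copy event (a wallet UI hook or a user-confirmed copy), because a clipper that runs inside the same session can spoof clipboard reads as easily as writes.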

Additionally, the trojan collected system information and sent it via the Telegram API. This same channel allowed attackers to deliver new malicious modules.

Search Engines as a Traffic Source

Although the project has since been removed from the SourceForge platform, it had already been indexed by Google and other search engines, which became the main traffic source. The distribution occurred through the project page, created using SourceForge’s web hosting feature.

SourceForge President Logan Abbott stated that the malicious files were not hosted directly on the platform’s main site. He added that the incident was not the result of a hack and that the project was removed shortly after detection.

Additional measures are now in place: project owners are no longer allowed to post external file links or redirect to suspicious resources.

StilachiRAT Trojan

Previously, Microsoft identified a trojan named StilachiRAT that steals cryptocurrency wallet data from Google Chrome. The trojan targets at least 20 crypto wallet browser extensions, including MetaMask, Coinbase Wallet, Trust Wallet, OKX Wallet, Bitget Wallet, and Phantom.

StilachiRAT can:

  • profile the system and enumerate active RDP sessions.
  • extract wallet configurations and access credentials.
  • steal passwords saved in the browser.
  • communicate with its command server over ports 53, 443, and 16000.
  • monitor the clipboard for crypto addresses and passwords.

Cybercriminals Disguise Attacks as Legitimate Projects

Kaspersky experts emphasize that the SourceForge campaign is an example of how attackers exploit well-known platforms to legitimize malicious software. While such cases are rare, the open model for publishing projects creates opportunities for abuse. Experts recommend downloading software only from official channels and always scanning files with antivirus software.

This post is for informational purposes only and is not an ad or investment advice. Please do your own research before making any decisions.
