Crypto users targeted in SourceForge malware attack via fake Microsoft Office softwares
Cybercriminals are targeting crypto users by exploiting SourceForge, a well-known open-source software platform.
According to security experts at Kaspersky, malicious attackers upload fake Microsoft Office installers packed with hidden malware, including crypto miners and clipboard hijackers, to deceive unsuspecting users.
They noted that while the SourceForge project pages appear legitimate, the danger lies in their auto-generated subdomains. In one instance, Russia’s Yandex search engine indexed a fake domain, leading unsuspecting users to a page filled with counterfeit Office tools and download buttons.
Sample Search Query Results on SourceForge. (Source: SecureList)
Data from Kaspersky indicates that more than 4,600 incidents were recorded in the first quarter of 2025, with 90% of the affected users in Russia.
It was unclear if this attack had led to significant financial losses for crypto users.
The attackIn this attack, the hackers upload weaponized software to SourceForge’s project pages. These pages mimic legitimate Office-related tools, but the installers contain embedded scripts that deliver harmful payloads.
The trap begins with a small archive file named vinstaller.zip, only around 7MB. This is suspicious, as genuine Office software is significantly larger—even when compressed.
However, once the file is unzipped, it balloons into a 700MB installer packed with hidden scripts. These scripts silently fetch additional files from GitHub and scan the system for antivirus tools.
If no protection is detected, the installer loads crypto mining software and a clipbanker Trojan.
According to the blog post:
“ClipBanker is a malware family that replaces cryptocurrency wallet addresses in the clipboard with the attackers’ own. Users of crypto wallets typically copy addresses instead of typing them. If the device is infected with ClipBanker, the victim’s money will end up somewhere entirely unexpected.”
At the same time, one of the scripts sends user information to a Telegram bot, giving the hacker full access to sensitive data.
This campaign highlights how hackers leverage trusted platforms to bypass security systems and spread malware at scale.
The post Crypto users targeted in SourceForge malware attack via fake Microsoft Office softwares appeared first on CryptoSlate.