News
Hackers Turn SourceForge into Malware Delivery Vehicle in Cryptocurrency Scheme
A fake Microsoft Office add-in project posted on SourceForge has been caught installing malware that mines and steals cryptocurrency from unsuspecting users, mostly in Russia.
The scheme abused SourceForge’s trusted platform to gain visibility and legitimacy, exposing over 4,600 machines to risk before being shut down.
SourceForge Exploited in Rare Malware Campaign
It’s not every day you hear SourceForge mentioned in a cyberattack. The platform’s been around for years, loved by open-source communities for its transparency and accessibility. But those same features? Yeah, they left the door wide open this time.
Kaspersky says it recently flagged a SourceForge project masquerading as a Microsoft Office add-in tool, called “officepackage”, that tricked users into downloading malware. The project page got indexed by search engines, so anyone Googling “office add-ins” could stumble right into the trap. And that’s exactly what happened.
More than 4,600 systems were compromised. Most of them were in Russia, but that doesn’t mean it couldn’t have spread further. It’s just that the campaign got caught relatively early, before it exploded.
The Bait: A Familiar-Looking Project Page
So how did it work? Simple trick, really. But deadly effective.
The attackers cloned Microsoft’s legitimate GitHub project ‘Office-Addin-Scripts’ and put it on SourceForge under the name “officepackage.” They didn’t just copy the files—they lifted the project description, too. Basically, it looked legit.
Even worse, SourceForge gives every project owner access to a separate hosted webpage under a subdomain. The attackers used “officepackage.sourceforge.io” to build a convincing-looking landing page. It even had those familiar “Download” buttons you’d expect from a tool like this.
Click one of those? You get a small zip file, and inside it a password-protected archive (with the password helpfully supplied alongside, so scanners can’t look inside but the victim can). SourceForge later said the file itself wasn’t hosted on its servers; the button just linked out to it. Inside that archive: trouble.
Here’s Where Things Go Off the Rails
The payload? An MSI file ballooned to 700MB. Not because it needed to be, nope. Many antivirus engines skip or time out on files that large, so padding an installer with junk bytes is a cheap way to dodge a scan.
Once installed, this oversized file unpacks and runs a whole script chain that eventually downloads batch files from GitHub. Those scripts set up persistence, tweak registry settings, and install several sketchy components. Among them:
- An AutoIt interpreter
- A reverse shell tool masquerading as a Windows component
- Two DLLs: one to mine cryptocurrency, the other to hijack clipboard data
So yeah, it’s not just a one-trick pony.
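The 700MB trick above is worth a concrete check. The following is an added example, not Kaspersky’s or SourceForge’s code: it measures how much of an installer is filler (a long trailing run of one byte value, or a file that is mostly null bytes) and flags files that are both large and mostly padding. The 64 MiB threshold and the 50% padding cutoff are assumptions chosen for illustration, as is the constructed “padded MSI” sample; tune the threshold to whatever size your own scanners actually give up at.

```python
"""Flag installers that look padded to slip past size-limited scanners.

Added example; not code from the article or from the malware it describes.
The 64 MiB threshold and 50% padding cutoff are illustrative assumptions.
"""
import math


def trailing_run(data: bytes) -> int:
    """Length of the run of one repeated byte value at the end of `data`."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~0 for filler, ~8 for compressed or encrypted data."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_msi(data: bytes) -> bool:
    """MSI packages are OLE compound files, which start with this 8-byte signature."""
    return data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def padding_report(data: bytes, size_threshold: int = 64 << 20, pad_fraction: float = 0.5) -> dict:
    """Summarise how much of `data` is filler and whether that looks like deliberate padding.

    Suspicious when the file is at least `size_threshold` bytes and either its trailing
    single-byte run or its overall null-byte share is at least `pad_fraction` of the
    total. Real MSI content (OLE streams, embedded CABs) is far denser than that.
    """
    size = len(data)
    run = trailing_run(data)
    nulls = data.count(0)
    report = {
        "size": size,
        "is_msi": is_msi(data),
        "trailing_run": run,
        "null_fraction": nulls / size if size else 0.0,
        "entropy": byte_entropy(data),
    }
    report["suspicious"] = size >= size_threshold and (
        run / size >= pad_fraction or report["null_fraction"] >= pad_fraction
    )
    return report


def constructed_sample() -> bytes:
    """Constructed stand-in for a padded MSI: a real OLE signature, a little varied
    content, then a large block of zero bytes. Not a real installer."""
    header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    content = bytes(range(256)) * 64   # 16 KiB of varied bytes
    filler = b"\x00" * (3 << 20)       # 3 MiB of padding
    return header + content + filler


if __name__ == "__main__":
    # For a real file: padding_report(open(path, "rb").read())
    # The threshold is lowered here so the 3 MiB constructed sample trips it.
    print(padding_report(constructed_sample(), size_threshold=1 << 20))
```

The trailing-run and null-fraction signals are deliberately cheap, so this can run on every downloaded installer before the scanner does. Padding is not proof of malice on its own (some legitimate installers ship with slack space), so treat a hit as a reason to scan the file with the size limit raised, not as a verdict.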
Clipper and Crypto Miner: The Nasty Duo
This is where the payload starts doing real damage.
One of the DLL files starts mining crypto—using your computer’s power, for someone else’s wallet. You won’t know until your fans start working overtime and your electricity bill jumps.
The second payload is sneakier. It’s called a “clipper.” Basically, it watches your clipboard. If you copy a crypto wallet address—say, to send money—it silently swaps it with the attacker’s address before you hit paste.
And if that wasn’t enough? The whole setup phones home via Telegram’s API. So the attacker gets your system info—and they can send more malicious files whenever they feel like it.
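To make the clipper concrete, here is an added example (not code from the article or from the malware it describes) that does two things: a miniature simulation of the swap the clipper performs, and the check a wallet front end or a cautious user could run to catch it, namely comparing the address that was copied with the one that landed in the send field. The address patterns are syntax-only (no checksum validation), and the attacker addresses are constructed placeholders, not real wallets.

```python
"""Recognise wallet addresses and catch a clipboard swap before funds go out.

Added example, not code from the article or the malware it describes. Address
patterns are syntactic only; the attacker addresses are constructed placeholders.
"""
import re

# Syntax-only patterns for the address formats a clipper typically targets.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify_address(text: str):
    """Return the coin family `text` looks like, or None if it is not an address."""
    s = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None


def simulate_clipper(clipboard: str, attacker: dict) -> str:
    """What the clipper does, in miniature: if the clipboard holds an address of a
    family the attacker has a wallet for, replace it; leave everything else alone."""
    coin = classify_address(clipboard)
    return attacker.get(coin, clipboard) if coin else clipboard


def check_paste(copied: str, pasted: str) -> dict:
    """Compare the address the user copied with what ended up in the send field."""
    copied_coin = classify_address(copied)
    pasted_coin = classify_address(pasted)
    if copied_coin is None:
        return {"tampered": False, "reason": "copied text is not a wallet address"}
    if copied.strip() == pasted.strip():
        return {"tampered": False, "reason": "address unchanged"}
    return {
        "tampered": True,
        "reason": f"{copied_coin} address replaced by a different "
                  f"{pasted_coin or 'non-address'} value",
        "expected": copied.strip(),
        "got": pasted.strip(),
    }


# Constructed, syntactically valid placeholders; not real wallets.
ATTACKER = {
    "btc_legacy": "1" + "B" * 33,
    "btc_bech32": "bc1q" + "p" * 38,
    "eth": "0x" + "cd" * 20,
}


def demo() -> dict:
    """Walk the copy -> clipper -> paste flow for an ETH address and for plain text."""
    victim_eth = "0x" + "ab" * 20
    tampered = check_paste(victim_eth, simulate_clipper(victim_eth, ATTACKER))
    benign = check_paste("meeting at 3pm", simulate_clipper("meeting at 3pm", ATTACKER))
    return {"eth": tampered, "text": benign}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The defensive half assumes the application can see both the string the user copied and the value that ended up in the field; the OS clipboard plumbing itself is out of scope here. The practical user-side version of the same check is simpler still: compare the first and last few characters of the pasted address against the source before confirming a transfer, because a clipper replaces the whole string and those characters will not match.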
SourceForge Responds: We Shut It Down Fast
The good news? SourceForge pulled the malicious project once they were made aware.
Logan Abbott, SourceForge’s President, told BleepingComputer:
“There were no malicious files hosted on SourceForge… the malicious actor and project in question were removed almost immediately after it was discovered.”
He emphasized that all files uploaded to the main SourceForge.net domain are scanned for malware. The problem was the project web page on the sourceforge.io subdomain, which is attacker-controlled HTML and can point anywhere. So they’ve tightened that up: project web pages can no longer link to external files or use redirects. That’s new.
Here’s what was particularly dangerous though:
| Element | Details |
|---|---|
| Platform abused | SourceForge (project web page on a sourceforge.io subdomain) |
| Malware payload | Clipper, crypto miner, reverse shell |
| Infection chain | Zip → password-protected archive → padded MSI → batch scripts from GitHub → registry edits and persistence |
| Infection count | 4,604 systems (mostly in Russia) |
| Discovered by | Kaspersky |
| SourceForge status | Project removed, new safeguards in place |
Why This Scare Matters More Than It Seems
This attack wasn’t just another phishing email or shady app. It used a platform many people trust—and trust is hard to earn, easy to lose.
The hackers didn’t break into anything. They didn’t exploit some zero-day vulnerability. They just… signed up, cloned a legitimate project, and pointed their project web page at malware, as if they were releasing an open-source tool. That’s how low the bar was.
And for users? Searching for a harmless Office add-in turned into a full-blown system compromise. This is a wake-up call.
What Users Can Actually Do to Stay Safer
So yeah, it’s easy to wag the finger and say “just be careful online.” But let’s be real—this stuff’s getting sneakier. Still, there are a few solid tips that go a long way:
- Don’t download software from random project sites, even if they look legit
- Prefer official sources, like Microsoft’s GitHub for developer tools
- Always scan files before opening, even if they’re zipped
- Keep your antivirus updated. It’s boring advice. But it helps.
- If a download is a password-protected archive with the password handed to you right alongside it, pause and rethink that click; the password is there to stop scanners, not you
One more thing: If your machine suddenly starts lagging hard, check Task Manager. If something sketchy’s hogging your CPU? Yeah, you might be mining for someone else.