Malware masquerades as office tools on SourceForge

April 9, 2025

Cybercriminals are exploiting SourceForge, a well-known platform for open-source software distribution, to deliver a complex malware campaign targeting cryptocurrency users.

According to a report from cybersecurity firm Kaspersky, the attackers are disguising their malware as legitimate Microsoft Office-related tools under a project named “officepackage.” While the SourceForge listing for this project appears harmless, the real threat lies in a separate domain — officepackage.sourceforge.io — which presents a convincing list of office software downloads that redirect users through a deceptive chain, ultimately delivering malware.

A Sophisticated Deception

Unlike the original SourceForge project page, the .io version lures users with multiple download buttons linked to another SourceForge domain, loading.sourceforge.io. Clicking on these buttons initiates a series of redirects, eventually leading to the download of a suspicious archive named vinstaller.zip — notably small in size for any genuine office software.

Inside this archive is a password-protected ZIP file and a readme.txt containing the password. The nested archive (installer.zip) houses an unusually large Windows Installer file (installer.msi), artificially bloated to over 700 MB using junk data to make it seem legitimate.

Once launched, the installer unpacks several files, including a console tool (UnRAR.exe) and another encrypted archive. It then runs a Visual Basic script which initiates a PowerShell command to download a batch file (confvk) from GitHub. This batch file contains the password needed to extract the final payload and executes two PowerShell scripts that begin the system compromise.
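The nesting described above (a tiny outer archive, a password-protected inner archive, a 700 MB installer padded with junk) leaves a fingerprint in ZIP metadata that a defender can check without ever extracting the payload: each member's stored size and compressed size sit unencrypted in the central directory. The following Python is an added illustration, not code from Kaspersky's report; the thresholds and the scaled-down sample archive are assumptions constructed for the example.

```python
import io
import zipfile

RATIO_THRESHOLD = 100.0            # assumed: stored size / compressed size
SIZE_THRESHOLD = 64 * 1024 * 1024  # assumed: only flag members at least this large

def bloated_members(zip_bytes, prefix="", ratio_threshold=RATIO_THRESHOLD,
                    size_threshold=SIZE_THRESHOLD):
    """Walk an archive and any nested .zip members; report members whose
    declared size dwarfs their compressed size, the signature of junk padding.

    Only central-directory metadata is consulted, so a password-protected
    inner archive can still be assessed without its key: ZIP encryption
    covers member data, not the member names and sizes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.is_dir() or info.compress_size == 0:
                continue
            ratio = info.file_size / info.compress_size
            if info.file_size >= size_threshold and ratio >= ratio_threshold:
                hits.append((path, info.file_size, info.compress_size, round(ratio)))
            # Recurse into a nested archive only if this member is readable
            # (bit 0 of flag_bits = encrypted); the inner one may be encrypted,
            # but we only read its directory, never its member data.
            if info.filename.lower().endswith(".zip") and not info.flag_bits & 0x1:
                try:
                    hits.extend(bloated_members(zf.read(info), path + "/",
                                                ratio_threshold, size_threshold))
                except zipfile.BadZipFile:
                    pass
    return hits

def build_sample(msi_size=8 * 1024 * 1024):
    """Constructed stand-in for the chain above, not a real sample: outer zip
    with readme.txt and installer.zip, whose installer.msi is zero-padded.
    Scaled down, and without the inner password (zipfile cannot write one)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("installer.msi", b"\x00" * msi_size)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "password: <placeholder>\n")
        zf.writestr("installer.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for hit in bloated_members(build_sample(), size_threshold=1024 * 1024):
        print("suspicious padding: %s stored=%d compressed=%d ratio=%d:1" % hit)
```

Against the constructed sample the only hit is `installer.zip/installer.msi`, at a compression ratio of roughly 1000:1; genuine installers, which are mostly compressed CAB data, sit near 1:1.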

Clipboard Hijacking and Crypto Mining

The extracted payload includes AutoIt-based scripts hidden inside DLL files (Icon.dll and Kape.dll), a network utility (Netcat), and its dependencies. One script installs a crypto miner, while the other deploys ClipBanker — a known malware family that monitors the system clipboard for cryptocurrency wallet addresses and replaces them with those controlled by the attackers.

This method is particularly dangerous for crypto users, who often copy and paste wallet addresses when making transactions. If compromised, users may unknowingly send funds to the attacker’s wallet.

Persistent and Hard to Remove

The malware isn’t just dangerous — it’s also built to last. Once installed, it uses a range of persistence techniques to maintain control of the system. It creates registry entries that mimic legitimate system files, making them difficult to detect. It also installs Windows services designed to launch the malicious scripts automatically every time the system boots up.

Beyond that, it leverages scheduled tasks and event triggers using the Windows Management Instrumentation Command-line (WMIC) — a utility still functional in older Windows versions. One particularly creative method involves exploiting the Windows Setup process: by planting a malicious script in a folder used during system installations, the attackers ensure their malware can be triggered even in system recovery scenarios.

To stay under the radar, the malware checks whether the system is running any antivirus software, security tools, or operating in a virtual environment. If it detects any of these, it quietly deletes itself to avoid analysis or removal.

A Growing Trend in Malware Distribution

While using fake office tools as malware delivery vehicles isn't new, the abuse of trusted platforms like SourceForge adds a dangerous twist. By taking advantage of SourceForge’s automatic subdomain feature for projects, attackers make their phishing sites appear legitimate in search engine results.

Kaspersky warns users against downloading software from unofficial sources, especially when applications are offered for free. When software isn’t available through a trusted or verified distributor, the risk of infection increases significantly.
