Back to Intelligence

Defending Against TDS-Driven SEO Poisoning: Detecting Fake Open-Source Installers

SA
Security Arsenal Team
June 4, 2026
5 min read

In June 2026, Security Arsenal is tracking a sophisticated surge in "SEO Poisoning" campaigns targeting technical users. Cybercriminals have successfully reverse-engineered search engine algorithms to rank malicious domains—mimicking popular open-source tools and freeware—above legitimate project pages. These sites act as the entry point for a Traffic Distribution System (TDS), funneling victims to payloads delivering the Remus Stealer, AnimateClipper, and the SessionGate framework.

Unlike broad-spectrum phishing, this campaign targets developers, engineers, and power users specifically searching for utilities. The legitimacy of the initial landing page lowers defender guardrails, making traditional email-based filtering ineffective. Once the user downloads the "installer," the TDS routes them to the final payload, leading to immediate credential theft (Remus/SessionGate) or clipboard manipulation (AnimateClipper).

Technical Analysis

The Attack Chain

  1. Initial Access (SEO Poisoning): Users search for legitimate tools (e.g., image converters, network utilities). High-ranking Google results direct them to a fake site replicating the look and feel of the original project.
  2. TDS Redirection: Upon clicking the "Download" button, the request passes through a Traffic Distribution System. This intermediary checks user geolocation, device fingerprint, and security stack presence before deciding whether to deliver benign adware or high-risk malware.
  3. Payload Delivery: The final payload, often masquerading as a .exe or .msi installer, is delivered. In this specific campaign, the payloads include:
    • Remus Stealer: An infostealer targeting browser data (cookies, passwords, autofill) and cryptocurrency wallets.
    • SessionGate: A framework focused on session hijacking, bypassing MFA by stealing active session tokens.
    • AnimateClipper: A clipboard modifier designed to swap cryptocurrency wallet addresses during transactions.

Exploitation Status

  • Active Exploitation: Confirmed active in the wild as of June 2026.
  • Delivery Mechanism: Social Engineering (SEO) + TDS.
  • Platform: Windows-based payloads (primary), though the hosting infrastructure targets all platforms via the web.

Behavioral Indicators

The core danger lies in the execution of unauthorized binaries that mimic trusted software names (e.g., putty.exe, vcruntime.exe) from user-writable directories (Downloads, Desktop, AppData). Furthermore, the malware families involved immediately exhibit aggressive process injection or direct file access to browser credential stores (Login Data, Cookies SQLite databases).

Detection & Response

SIGMA Rules

YAML
---
title: Potential Fake Tool Execution from User Profile
id: 8a2b1c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects execution of binaries with names resembling common open-source tools originating from user profile directories (Downloads/Desktop), a hallmark of fake installers.
references:
  - https://thehackernews.com/2026/06/fake-sites-mimicking-open-source-tools.html
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\putty.exe'
      - '\vncviewer.exe'
      - '\7zFM.exe'
      - '\notepad++.exe'
      - '\filezilla.exe'
      - '\wireshark.exe'
  selection_path:
    Image|contains:
      - '\Downloads\'
      - '\Desktop\'
      - '\AppData\Roaming\'
      - '\AppData\Local\Temp\'
  condition: all of selection_*
falsepositives:
  - Legitimate portable versions of tools run by administrators
level: high
---
title: Suspicious Access to Browser Credential Files by Non-Browser Process
id: 9b3c2d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects Remus Stealer or SessionGate behavior where a non-browser process attempts to open Chrome or Edge 'Login Data' or 'Cookies' files.
references:
  - https://thehackernews.com/2026/06/fake-sites-mimicking-open-source-tools.html
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.credential_access
  - attack.t1555.003
logsource:
  category: file_access
  product: windows
detection:
  selection_target:
    TargetFilename|contains:
      - '\Google\Chrome\User Data\Default\Login Data'
      - '\Google\Chrome\User Data\Default\Cookies'
      - '\Microsoft\Edge\User Data\Default\Login Data'
      - '\Microsoft\Edge\User Data\Default\Cookies'
  filter_browsers:
    Image|contains:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\opera.exe'
      - '\brave.exe'
  condition: selection_target and not filter_browsers
falsepositives:
  - Legitimate backup software or password managers accessing browser stores
level: critical

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for processes spawned by browsers that resemble TDS redirects or downloaders
// Looks for cmd, powershell, or mshta spawned directly after a browser navigation
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe")
| where ProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, ProcessFileName, FolderPath
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for executables in User Downloads or Desktop that are unsigned or
-- have invalid signatures, indicative of fake installers.
SELECT 
    FullPath,
    Size,
    Mtime,
    SigState,
    SigSubject,
    SigSigners
FROM glob(globs="C:\Users\*\Downloads\*.exe")
WHERE SigState != "Valid" 
   OR SigSubject NOT CONTAINS "Microsoft" 
   AND SigSubject NOT CONTAINS "Open Source Developer"
-- Add specific known vendor names you trust to the exclusion list

Remediation Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    Scans user profile download directories for executables lacking valid digital signatures.
    Designed to identify potential fake open-source installers from SEO poisoning campaigns.
#>

$RiskPaths = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop")
$FoundThreats = @()

foreach ($Path in $RiskPaths) {
    if (Test-Path $Path) {
        Write-Host "Scanning $Path for unsigned executables..." -ForegroundColor Cyan
        
        Get-ChildItem -Path $Path -Filter *.exe -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $sig = Get-AuthenticodeSignature $_.FullName
            
            # Check for invalid signature or no signature
            if ($sig.Status -ne 'Valid') {
                $FoundThreats += [PSCustomObject]@{
                    File = $_.FullName
                    Status = $sig.Status
                    Signer = $sig.SignerCertificate.Subject
                }
            }
        }
    }
}

if ($FoundThreats.Count -gt 0) {
    Write-Host "[ALERT] Potentially malicious unsigned executables found:" -ForegroundColor Red
    $FoundThreats | Format-Table -AutoSize
    # Optional: Quarantine logic here (Move-Item)
} else {
    Write-Host "No unsigned executables found in standard download folders." -ForegroundColor Green
}

Remediation

  1. Immediate Isolation: If a system is identified as infected (e.g., Remus Stealer detected), isolate the endpoint from the network immediately to prevent exfiltration of session tokens and wallet data.
  2. Credential Reset: Assume all credentials saved in browsers on affected machines are compromised. Force a password reset for all accounts accessed via that machine and revoke active sessions (invalidate tokens).
  3. Application Allow-Listing: Enforce strict AppLocker or WDAC policies preventing the execution of binaries from %USERPROFILE%\Downloads, %USERPROFILE%\Desktop, and %AppData%\Local\Temp.
  4. DNS Filtering: Block known TDS domains and categories associated with "parked pages" or "freeware downloads" via your secure web gateway. While domains change rapidly, categorization filtering reduces the attack surface.
  5. User Awareness: Immediately notify engineering and developer teams about this specific SEO poisoning campaign. Instruct them to verify software hashes against official vendor sources (e.g., comparing SHA256 on the official GitHub release vs. the downloaded file).

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemseo-poisoningremus-stealertraffic-distribution-system

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action