Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem

Check Point Research exposed a large-scale campaign that impersonates trusted open-source and freeware projects such as Ghidra, dnSpy, and SpiderFoot to hijack download clicks and route users through a gated Traffic Distribution System. The same infrastructure was used to deliver SessionGate, RemusStealer, and AnimateClipper, showing that the operation mixed traffic monetization with downstream malware delivery. #Ghidra #dnSpy #SpiderFoot #SessionGate #RemusStealer #AnimateClipper

Keypoints

  • More than 100 active fake project websites were identified, many impersonating tools trusted by security researchers and developers.
  • The pages preserved legitimate-looking links, but the first eligible click was intercepted and routed into a CloudFront-hosted TDS layer.
  • The TDS applied gating such as first-visit checks, click confirmation, anti-bot logic, VPN/datacenter filtering, and frequency capping.
  • Multiple redirect branches were observed, ranging from benign software and PUAs to malware delivery infrastructure.
  • SessionGate was a previously unknown multi-stage loader with heavy obfuscation and server-side key gating that delivered PUA in observed chains.
  • RemusStealer targeted browsers, extensions, wallets, password managers, 2FA tools, clipboard data, and screenshots via server-driven tasking.
  • AnimateClipper used a ClickFix-style infection chain and resolved its C2 through a BNB Smart Chain smart contract before hijacking cryptocurrency addresses.

MITRE Techniques

  • [T1189] Drive-by Compromise – Users were funneled through fake download sites that initiated malicious routing after a click (‘the first eligible click may route through the TDS chain’).
  • [T1036] Masquerading – The operation impersonated legitimate open-source and freeware project portals (‘professionally built open-source and freeware impersonation sites’).
  • [T1204.001] User Execution: Malicious Link – The attack depended on the victim clicking a seemingly legitimate “Download” button (‘a click on what appears to be a legitimate link or download button’).
  • [T1090.002] Proxy: External Proxy – A Traffic Distribution System routed victims to different destinations based on rules (‘hand off to a Traffic Distribution System (TDS)’).
  • [T1040] Network Sniffing – The TDS and malware logic used browser, geography, and session context to filter victims (‘based on factors such as geography, device type, browser fingerprint, or campaign rules’).
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – The loader checked services, processes, registry values, and enterprise context to avoid analysis (‘Taken together, these checks ensure that malicious activity is only launched on systems where it is most likely to go undetected’).
  • [T1057] Process Discovery – The loader enumerated running processes as part of its anti-analysis logic (‘the loader also enumerates running processes’).
  • [T1518] Software Discovery – The malware checked for security services and installed products (‘The identified service name indicators include…’).
  • [T1119] Automated Collection – RemusStealer gathered browser, file, registry, clipboard, and screenshot data under server tasking (‘server defines what is collected per run’).
  • [T1005] Data from Local System – RemusStealer collected local browser databases, profile files, and filesystem artifacts (‘History, Login Data… cookies.sqlite, logins.json’).
  • [T1115] Clipboard Data – RemusStealer captured clipboard text and later AnimateClipper replaced copied wallet addresses (‘captures CF_UNICODETEXT’).
  • [T1027] Obfuscated Files or Information – Multiple stages used string encryption, junk code, opaque predicates, and encrypted modules (‘heavy use of obfuscation’, ‘encrypted string blobs’).
  • [T1021] Remote Services – The loaders contacted remote C2 and CRC endpoints over HTTP/HTTPS to retrieve keys and payloads (‘contacts a dedicated “CRC” C2 endpoint’).
  • [T1105] Ingress Tool Transfer – Payloads and modules were downloaded from remote infrastructure before execution (‘download payload’, ‘downloaded file is then launched’).
  • [T1140] Deobfuscate/Decode Files or Information – The malware decrypted configuration, modules, and tasking data before use (‘decode config into key/value table’).
  • [T1055] Process Injection – The sample used in-memory loading and execution of payloads (‘manual PE mapping’, ‘reflective / manual-map loading’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – One stage used an obfuscated PowerShell script fetched from a file with a misleading extension (‘heavily obfuscated PowerShell script’).
  • [T1218.005] System Binary Proxy Execution: Mshta – The ClickFix branch instructed victims to run mshta.exe to fetch remote content (‘run: C:\Windows\SysWOW64\mshta.exe’).
  • [T1547] Boot or Logon Autostart Execution – The campaign’s installed components and loaders were designed to execute silently after download (‘silent installation of additional software’).

Indicators of Compromise

  • [SHA-256] Sample hashes for SessionGate, AnimateClipper, and RemusStealer – 598b023e56c45b19173e8f96c1c88036d732fec305cf6bf1b9cf4dbe304beb7f, 4cdb1f7ac502289119f7f8256f00baaa994e6ecfb4000dcf5e1c46073508fcb3, and 2e842eab0c16ddd1a2ec4a56610adb58d115b65a1e08e9b67e7e375f8eed0873
  • [Domain] SessionGate C2 and CRC infrastructure – appfreshstart[.]com, yourfastcrc[.]com, and other related domains
  • [Domain] RemusStealer C2 endpoints – http://buccstanor[.]pics:28313, http://baxe[.]pics:48261, and other related hosts
  • [Domain] AnimateClipper delivery and C2 resolution – https://185.0xA1.0xFB[.]58/navy.7z, kr.hugo-lapp[.]co, and cdn-1415.brightcanvas[.]digital
  • [Domain] Fake project and redirector sites – ghidralite[.]com, dnspy[.]org, ooundhertobeconsist[.]org, and getfluxfile[.]com
  • [IP Address] AnimateClipper and RemusStealer infrastructure – 194.150.220[.]218, 217.156.122[.]75, and 94.231.205[.]229
  • [File/Archive Names] Stage and payload filenames – navy.7z, fo0suc2ki2.rtf, Download_Ready_461049.html, SetupFile_839132.html, and SFXWin.pdb
  • [CloudFront URL pattern] TDS staging layer and campaign scripts – d33f51dyacx7bd.cloudfront[.]net, dcbbwymp1bhlf.cloudfront[.]net, and other CloudFront-hosted script URLs
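The indicator list above is published defanged, and one of the AnimateClipper URLs spells its IP with hex octets (185.0xA1.0xFB[.]58), which a naive string match against proxy logs will miss. The script below is an added example, not code from Check Point Research or from the write-up: it refangs a subset of the indicators listed above, rewrites hex/octal IPv4 literals to dotted decimal, and sweeps a handful of constructed proxy log lines (the log format, the internal source addresses, and the requested paths are all invented for the example), also matching subdomains of a listed domain.

```python
"""Normalise defanged IoCs and sweep proxy logs for them (added example)."""
import re
from urllib.parse import urlsplit

# Constructed watchlist: a subset of the write-up's indicators, kept in the
# defanged form in which they are published.
DEFANGED_IOCS = [
    "appfreshstart[.]com",
    "yourfastcrc[.]com",
    "http://buccstanor[.]pics:28313",
    "http://baxe[.]pics:48261",
    "https://185.0xA1.0xFB[.]58/navy.7z",   # hex-spelled IPv4 literal
    "kr.hugo-lapp[.]co",
    "cdn-1415.brightcanvas[.]digital",
    "ghidralite[.]com",
    "dnspy[.]org",
    "194.150.220[.]218",
    "d33f51dyacx7bd.cloudfront[.]net",
]

# Constructed proxy log lines (hypothetical format: ts src method url proto status).
LOG_LINES = [
    "2026-02-10T09:12:03Z 10.0.4.21 GET https://ghidralite.com/download HTTP/1.1 200",
    "2026-02-10T09:12:05Z 10.0.4.21 GET https://d33f51dyacx7bd.cloudfront.net/s/click.js HTTP/1.1 200",
    "2026-02-10T09:13:40Z 10.0.4.21 GET https://185.161.251.58/navy.7z HTTP/1.1 200",
    "2026-02-10T09:14:02Z 10.0.4.22 POST http://buccstanor.pics:28313/gate HTTP/1.1 200",
    "2026-02-10T09:15:11Z 10.0.4.23 GET https://github.com/NationalSecurityAgency/ghidra HTTP/1.1 200",
    "2026-02-10T09:16:30Z 10.0.4.24 GET https://0xB9.0xA1.0xFB.0x3A/navy.7z HTTP/1.1 200",
    "2026-02-10T09:17:44Z 10.0.4.25 GET https://dl.dnspy.org/dnSpy.zip HTTP/1.1 200",
]


def refang(ioc: str) -> str:
    """Reverse common defanging so the indicator can be compared with live data."""
    ioc = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)


def _octet(token: str) -> int:
    # inet_aton-style octet parsing: 0x.. is hex, a leading 0 means octal.
    if token[:2].lower() == "0x":
        return int(token[2:], 16)
    if len(token) > 1 and token[0] == "0":
        return int(token, 8)
    return int(token, 10)


def normalize_host(host: str) -> str:
    """Lower-case a hostname; rewrite a four-part IPv4 literal with hex or
    octal octets (e.g. 185.0xA1.0xFB.58) to dotted decimal."""
    host = host.lower().rstrip(".")
    parts = host.split(".")
    if len(parts) != 4:
        return host
    try:
        octets = [_octet(p) for p in parts]
    except ValueError:
        return host  # a four-label domain name, not an IP literal
    if all(0 <= o <= 255 for o in octets):
        return ".".join(str(o) for o in octets)
    return host


def host_from_url(url: str):
    """Extract and normalise the host from a URL or a bare host[:port]."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat the string as a netloc
    host = urlsplit(url).hostname
    return normalize_host(host) if host else None


def build_watchlist(iocs):
    """Set of normalised hosts from a defanged indicator list."""
    return {h for h in (host_from_url(refang(i)) for i in iocs) if h}


LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def sweep(lines, watchlist):
    """One hit per log line whose host, or any parent domain of it, is listed."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = host_from_url(m["url"])
        if not host:
            continue
        labels = host.split(".")
        # Try the exact host, then each parent suffix (never a bare TLD),
        # so dl.dnspy.org is caught by the listed dnspy.org.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in watchlist:
                hits.append({"src": m["src"], "url": m["url"],
                             "host": host, "matched": candidate})
                break
    return hits


if __name__ == "__main__":
    for hit in sweep(LOG_LINES, build_watchlist(DEFANGED_IOCS)):
        print(f'{hit["src"]} -> {hit["host"]} (matched {hit["matched"]}) {hit["url"]}')
```

Both the indicator and the log line may spell the same address differently; normalising both sides to dotted decimal before the set lookup is what makes the 0xB9.0xA1.0xFB.0x3A request match the published 185.0xA1.0xFB[.]58 entry. Only the host component is compared, so the port on the RemusStealer endpoints and the path on the AnimateClipper URL do not affect matching.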


Read more: https://research.checkpoint.com/2026/impersonation-click-hijacking-and-tds-inside-a-malware-distribution-ecosystem/