ctipilot.ch


Check Point: a TDS-gated ecosystem impersonates security tools (Ghidra, dnSpy, ILSpy) to deliver SessionGate, RemusStealer and a clipboard hijacker

notable research discovered 2026-06-10 05:00 UTC single-source

Entities: Check Point

Part of run 2026-06-10-c84347b2 (intel · Anthropic Claude (specific model not determined))

Check Point Research details a malware-distribution operation that impersonates open-source reversing tools using CloudFront-hosted JavaScript to hijack download clicks and route victims through a Traffic Distribution System enforcing geo/device/VPN/frequency filtering before delivering one of three payloads (Check Point Research, 2026-06-03). The payloads are SessionGate (a per-session multi-stage loader with AES-encrypted modules), RemusStealer (targeting 20+ browsers, 220+ wallet extensions, 77 password-manager extensions and 18 2FA tools), and AnimateClipper (a clipboard hijacker with on-chain C2). The targeting is notable for this audience: it goes after security researchers and developers searching for trusted tools, bypassing standard phishing-awareness training (T1566, T1204, T1555, T1111). Hunt for ghidra/dnspy/ilspy download-then-execute chains under browser child processes and clipboard-API access from unexpected processes. [SINGLE-SOURCE] (Check Point primary research).
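The hunt suggestion above (browser child processes running a downloaded file named like ghidra/dnspy/ilspy, then whatever that file spawns) as an added example over constructed process-creation events; this is not Check Point's code, and the `ProcEvent` shape, browser list and drop-directory pattern are assumptions.

```python
import re
from dataclasses import dataclass

# Hypothetical, minimal process-creation record (pid/ppid/image as in Sysmon EID 1).
@dataclass
class ProcEvent:
    ts: int
    pid: int
    ppid: int
    image: str

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
TOOL_NAMES = re.compile(r"ghidra|dnspy|ilspy", re.IGNORECASE)      # names the campaign impersonates
USER_WRITABLE = re.compile(r"\\(downloads|temp)\\", re.IGNORECASE)  # assumed drop locations

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def browser_ancestor(ev, by_pid, max_depth=4):
    """Walk ppid links up to max_depth hops; return the first browser ancestor, else None."""
    cur = ev
    for _ in range(max_depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            return None
        if basename(cur.image) in BROWSERS:
            return cur
    return None

def find_suspicious_chains(events):
    """Return {pid: reason} for tool-named executables run from a user-writable
    directory under a browser, plus any process those executables spawn."""
    by_pid = {e.pid: e for e in events}
    flagged = {}
    for e in sorted(events, key=lambda x: x.ts):  # parents are seen before children
        name = basename(e.image)
        if (TOOL_NAMES.search(name) and USER_WRITABLE.search(e.image)
                and browser_ancestor(e, by_pid) is not None):
            flagged[e.pid] = "tool-named executable from download dir launched under a browser"
        elif e.ppid in flagged:
            flagged[e.pid] = "child of a flagged process (possible second-stage loader)"
    return flagged

# Constructed sample telemetry, not data from the report.
SAMPLE_EVENTS = [
    ProcEvent(1, 100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(2, 200, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcEvent(3, 300, 200, r"C:\Users\alice\Downloads\ghidra_setup.exe"),   # lure
    ProcEvent(4, 400, 300, r"C:\Users\alice\AppData\Local\Temp\upd.exe"),   # stage 2
    ProcEvent(5, 500, 100, r"C:\Program Files\dnSpy\dnSpy.exe"),             # legit install
    ProcEvent(6, 600, 200, r"C:\Windows\System32\notepad.exe"),              # benign child
]

if __name__ == "__main__":
    for pid, why in find_suspicious_chains(SAMPLE_EVENTS).items():
        print(pid, why)
```

A genuine tool launched straight from the browser's download bar matches the same pattern, so enrich hits with signer and hash before alerting.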

infostealer phishing cryptocrime global