According to researchers at Kaspersky, the scheme specifically targets crypto users by disguising malware as office-related downloads — complete with bloated installers, password-protected archives, and layers of obfuscation that eventually deliver a crypto miner and a ClipBanker to hijack crypto transactions.
In a blog post on Tuesday, April 8, researchers said the attackers set up a fake project on SourceForge called “officepackage,” made to look like Microsoft Office add-ins copied from GitHub. While the project page itself might look normal, the real trap was its auto-generated subdomain “officepackage.sourceforge.io,” the researchers noted.