Kaspersky Warns of Crypto-Stealing Malware Masquerading as Office Add-Ins

In Summary

  • Kaspersky flags malware hidden in fake Office add-ins on SourceForge
  • Malware uses “ClipBanker” to hijack crypto wallet addresses
  • Attack mimics legit downloads using SEO and file inflation tactics
  • Users warned to avoid unofficial software sources


Catenaa, Tuesday, April 15, 2025 - Cybersecurity firm Kaspersky has identified a sophisticated malware campaign that steals cryptocurrency by posing as Microsoft Office add-ins hosted on SourceForge, a free software hosting platform. The malware, dubbed “officepackage,” mimics legitimate GitHub projects and lures users through convincing search engine listings, Kaspersky reported April 9.

The fraudulent downloads appear as compressed Office extensions, typically around 7MB in size—far smaller than legitimate Office applications. Once downloaded, users are presented with a password-protected archive. Upon extraction, the file size balloons to over 700MB, a tactic known as “pumping,” in which junk data is added to mimic authentic software packages.
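A defender can check for this kind of inflation before running an extracted file. The following is an added example, not code from Kaspersky or from the article; it assumes the junk data is low-entropy filler such as runs of a single byte, and the thresholds, function names and sample data are all constructed for illustration.

```python
import math
import random
import zlib
from collections import Counter

CHUNK = 64 * 1024        # analysis window in bytes (assumed value)
LOW_ENTROPY_BITS = 1.0   # bits/byte below which a chunk counts as filler (assumed)
RATIO_THRESHOLD = 20.0   # extracted/archived size ratio treated as suspicious (assumed)
FILLER_THRESHOLD = 0.5   # share of filler chunks treated as suspicious (assumed)


def shannon_entropy(chunk: bytes) -> float:
    """Entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not chunk:
        return 0.0
    total = len(chunk)
    return -sum(n / total * math.log2(n / total) for n in Counter(chunk).values())


def filler_fraction(data: bytes) -> float:
    """Share of fixed-size chunks that are near-constant (low entropy)."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    if not chunks:
        return 0.0
    low = sum(1 for c in chunks if shannon_entropy(c) < LOW_ENTROPY_BITS)
    return low / len(chunks)


def looks_pumped(archived_size: int, extracted: bytes) -> bool:
    """Flag a file that expands far beyond its archive size and is mostly filler."""
    if archived_size <= 0:
        return False
    ratio = len(extracted) / archived_size
    return ratio >= RATIO_THRESHOLD and filler_fraction(extracted) >= FILLER_THRESHOLD


# Constructed samples (not real malware): 256 KiB of random bytes standing in
# for program content, once padded with 8 MiB of zero bytes and once left as is.
rng = random.Random(0)
core = rng.randbytes(256 * 1024)
padded = core + b"\x00" * (8 * 1024 * 1024)
padded_archived = len(zlib.compress(padded))  # stands in for the archive size
plain_archived = len(zlib.compress(core))

if __name__ == "__main__":
    print("padded sample flagged:", looks_pumped(padded_archived, padded))
    print("plain sample flagged: ", looks_pumped(plain_archived, core))
```

Filler made of random bytes would not compress and would not trip the entropy check, so a heuristic like this supplements, rather than replaces, signature and reputation checks.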

Kaspersky confirmed the malware is part of the ClipBanker family, which secretly replaces copied cryptocurrency wallet addresses with the attacker’s own. This stealth method targets users who copy-paste wallet addresses during transactions, leading to funds being transferred to cybercriminals instead.

The malicious software is distributed through pages that appear credible due to search engine optimization and domain-level trust from SourceForge. Kaspersky noted that these tactics exploit users’ willingness to seek free software alternatives from unofficial sources.

In addition to stealing crypto, the malware could allow attackers to sell system access to other cybercriminals, amplifying the threat.

Kaspersky urged users to avoid downloading software from unverified platforms. “Seeking alternative download options always carries higher security risks,” the firm stated.

This discovery underscores a growing trend of crypto-related cyberattacks using deceptive tactics to bypass user defenses.
