Watch out, these fake Microsoft Office add-ons are loaded with malware

A fake Microsoft Office add-on hosted on SourceForge was found to spread malware, infecting over 4,600 devices before it was removed.

Agencias

  • April 9, 2025
  • Updated: April 9, 2025 at 1:00 PM

Cybercriminals are once again exploiting trusted platforms to spread malware. This time, they leveraged SourceForge, a well-known site for open-source software, to distribute a malicious fake Microsoft Office add-on project. Although the attack was stopped swiftly, thousands of devices were already compromised before detection.

A deceptive Office project on SourceForge

Researchers from Kaspersky uncovered a campaign where attackers uploaded a fake project named officepackage to SourceForge. It posed as a Microsoft Office development tool, mirroring the legitimate Office-Addin-Scripts found on GitHub. The files included in the project appeared genuine but functioned as malware droppers.

Malware aimed at mining crypto and stealing clipboard data

The payload included a cryptocurrency miner and a clipboard jacker, designed to exploit infected devices. The clipboard jacker monitors copied crypto wallet addresses and silently replaces them with the attackers’ own. Meanwhile, the miner uses the system’s resources to generate digital coins, draining performance and potentially increasing energy costs.

SourceForge responds quickly to contain the threat

SourceForge reacted promptly, removing the malicious project as soon as it was flagged. The platform insists that no core system was breached, and all files on the main website undergo regular malware scans. Additional safeguards have been introduced to prevent project sites from linking to suspicious external content or performing stealthy redirects.

Over 4,600 systems infected before takedown

Before the project was removed, more than 4,600 systems had already been infected, most of them located in Russia. This incident highlights the growing sophistication of malware distribution tactics and the importance of verifying the origin and authenticity of downloads, even from trusted platforms.
