
Rust Clipboard Hijacker Uses Fake GitHub Stars and VirusTotal Upvotes to Steal Crypto

Jun 18, 2026 · 6 min read

A newly discovered malware campaign is quietly draining cryptocurrency wallets by doing something most security tools never see coming.

Instead of relying on brute-force attacks or dark web exploits, the threat actor behind this campaign built a fake reputation engine across multiple platforms to make dangerous software look completely safe and trustworthy.

The malware at the center of it all is a clipboard hijacker written in Rust, a programming language known for its speed and low-level control.

It runs silently in the background, watches for any cryptocurrency wallet address copied to the clipboard, and swaps it with an address controlled by the attacker.

By the time a victim completes a transfer, the funds go to the wrong wallet with no way to reverse the transaction.

Analysts at Check Point Research said in a report shared with Cyber Security News (CSN) that they identified the full scope of this campaign, noting how the threat actor built an entire ecosystem to deliver and disguise the malware.

The operation targets crypto traders, online gamblers, and anyone searching for shortcuts to quick profits, luring them with fake tools like Solana sniper bots, Aviator Predictors, and crash-game forecasters.

None of these tools work as advertised. They all serve as delivery vehicles for the clipboard hijacker. What makes this campaign stand out is not the malware itself, but the elaborate web of fake credibility surrounding it.

The attacker used a WordPress phishing site as the main hub and pointed victims toward GitHub, SourceForge, and YouTube, all showing inflated engagement from fake accounts.

Combined with low detection rates on security platforms, it created a convincing illusion of legitimacy that even careful users could fall for.

Rust Clipboard Hijacker

The threat actor operates at least six GitHub accounts, including Decryptor-j, crash-predictor1, and roblox-script1, using Ghost Networks to inflate repository stars and forks artificially.

One repository showed 146 stars and 62 forks, all likely generated by coordinated fake accounts.

Repository with 146 stars and 62 forks (Source - Check Point)

From GitHub alone, researchers counted over 5,000 downloads, with more than 1,250 tied to the macOS “Aviator Predictor” tool.

SourceForge told a similar story, recording 44,485 total downloads, though most appear suspicious.

SourceForge download statistics (Source - Check Point)

A large portion came from Android devices even though only Windows and macOS versions exist, strongly suggesting an Android device farm was used to inflate the download count artificially.

The deception also extended to VirusTotal, where some malware samples received benign votes and “safe” community comments.

Check Point Research noted that this sentiment manipulation, when combined with already low antivirus detection rates, can mislead both users and automated reputation-based detection systems.

The result does not actually make a file safer, but it makes it look that way, and that is enough.

How the Clipboard Hijacker Actually Works

On Windows, victims download a ZIP and run a file like SniperBot_Premium(Free).exe, which is a .NET loader that silently executes a hidden file called silkebin.exe, the actual Rust-built clipboard hijacker.

Execution of Rust Clipboard Hijacker (Source - Check Point)

It installs itself in a startup folder so it launches automatically on every system boot. The malware monitors clipboard changes and checks whether the copied text matches a cryptocurrency address using regular expressions for Bitcoin, Ethereum, Litecoin, Tron, XRP, Monero, Cardano, Dogecoin, and more.

When a match is detected, it silently replaces the address with one pulled from a built-in list of over 15,500 attacker-controlled wallets.

These wallets are rotated frequently, with used addresses swapped for fresh ones after each completed transaction.
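The behaviour described above (watch the clipboard, match the text against per-coin address patterns, swap in a different address) is also the behaviour a defender can look for. The following is an added example, not code from the Check Point report or from the malware: it classifies clipboard snapshots with approximate address regexes (constructed here; the report does not publish the malware's own patterns) and raises an alert when an address is replaced by a different address of the same kind within a short window, which is how a hijacker's silent swap looks from the outside. The sample event timeline is constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Approximate address patterns for a few of the coin families named in the
# report. These are constructed for illustration and are deliberately loose;
# they are not the malware's regexes and do not validate checksums.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "TRX": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$"),
}


def classify(text):
    """Return the coin family a clipboard string looks like, or None."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


@dataclass
class SwapAlert:
    timestamp: float
    kind: str
    original: str
    replaced: str


def detect_swaps(events, window_s=2.0):
    """Scan an ordered list of (timestamp_seconds, clipboard_text) snapshots.

    An alert is raised when one address is followed, within window_s seconds
    and with no other clipboard content in between, by a *different* address
    of the same kind. A human copying two addresses in a row can trigger this
    too, so treat alerts as a prompt to inspect, not as proof of infection.
    """
    alerts = []
    previous = None  # (timestamp, text, kind) of the last address-like entry
    for timestamp, text in events:
        kind = classify(text)
        if (
            kind is not None
            and previous is not None
            and previous[2] == kind
            and previous[1] != text.strip()
            and timestamp - previous[0] <= window_s
        ):
            alerts.append(SwapAlert(timestamp, kind, previous[1], text.strip()))
        # Any non-address content breaks the chain; a hijacker swaps immediately.
        previous = (timestamp, text.strip(), kind) if kind else None
    return alerts


# Constructed sample timeline (hypothetical values, not real wallets):
# an ETH address is replaced 50 ms after it was copied, which is suspicious;
# two BTC addresses ten seconds apart are just two separate copies.
SAMPLE_EVENTS = [
    (10.00, "0x" + "a1" * 20),
    (10.05, "0x" + "b2" * 20),
    (20.00, "meeting at noon"),
    (30.00, "1" + "A" * 33),
    (40.00, "1" + "B" * 33),
]


def run_sample():
    return detect_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.timestamp:.2f}s] {alert.kind} address swapped: "
              f"{alert.original} -> {alert.replaced}")
```

On a real endpoint the `events` list would be fed by a clipboard-change hook (the OS APIs differ per platform and are not shown here); the point of the example is the decision logic, which is cheap enough to run on every change and pairs naturally with the "verify the address before sending" advice given later in the article.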

On macOS, victims are instructed to run unlocker.command, which strips macOS security warnings and launches the malicious app automatically.

This version installs a LaunchAgent for persistence and includes a self-healing watchdog loop that continuously rewrites its own files, making removal extremely difficult without killing the active process first.

Users are strongly advised to avoid downloading any tool that promises automated trading gains or gambling shortcuts from unofficial sources.

Always verify each wallet address character by character before sending any cryptocurrency, and never trust a file based solely on its GitHub star count, download figures, or VirusTotal community comments.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|------|-----------|-------------|
| SHA-256 | 5518942d9d21794aaeff41a01b88606a96659fc329b481a2f0946d8163ab4d61 | Clipboard Hijacking Malware |
| SHA-256 | 33c86ecfc324de3af97150bd009aba7925a6ba7a0842e127e94cf351013c0fe6 | Clipboard Hijacking Malware |
| SHA-256 | 7a7ad4ae347a3f99f3773a113d9f70ecfa967100c96e8275bd1df833caee68d1 | Clipboard Hijacking Malware |
| SHA-256 | bad8625087a7b9453c70933c0db32518ff5818e3d83f3a9e78d432a22b383edb | Clipboard Hijacking Malware |
| SHA-256 | c1435847b0c437f91efb07a3a35e4468036322d7acf4ba9e6d363cec0b481241 | Clipboard Hijacking Malware |
| SHA-256 | ef9a915c8e1d484e52b3287c94a58ecd22c07391a87f9c136eabd8397ed01ca2 | Clipboard Hijacking Malware |
| SHA-256 | e02e60a23297692637b43ebcd7dbeb63af1e9680c551586a1ce935218e0034be | Clipboard Hijacking Malware |
| SHA-256 | fb8294b12f904dff2ac79b51872be7bf09ab422cde223caaf4762eadf7e0760d | Clipboard Hijacking Malware |
| SHA-256 | a91c09e0eea610dbe5879798f9cf12e3ce51e4e6f0893278bcdf3ebe22c4730b | Clipboard Hijacking Malware |
| SHA-256 | 9c566db1ef9d08ee389d2b8cc1c50c65870096130c8bd2cf41ea14c4075e94c0 | Clipboard Hijacking Malware |
| SHA-256 | f737e99177cc05037ff34cf6e245dd56377dc3db4e2bb46edcf039df650939d6 | .NET Loader |
| SHA-256 | 7a9632bbecc31d02fdd0eab07e2424b3e1c9e9a3f91aac4ef6f708f2befbaa3d | .NET Loader |
| SHA-256 | b71efdebd0ca3563e67edb7ad59358a6b8f013b219ad65033efcf48fd1c86619 | macOS Clipboard Hijacking Malware |
| SHA-256 | 6f12c066a929c96104796c4ecca938754962009ebd9e4ba5329bb940bf331d0a | macOS Loader |
| Crypto Wallet | bc1qr8vgrcvacyea68gk6w0kdzt2xcc93azzhalyjl9 | Attacker BTC Bech32 wallet (macOS) |
| Crypto Wallet | 1JKeTeM7H3P1hj2DYB6vnXWeJ7XgKvXb7D | Attacker BTC Legacy wallet (macOS) |
| Crypto Wallet | 3EBa4JbKY3HJx6KZopR1sV1upEvxm3dwR1 | Attacker BTC P2SH wallet (macOS) |
| Crypto Wallet | 0x22f24a22b6f824E9ef76B05B186c4D0C2Df58d67 | Attacker Ethereum/EVM wallet (macOS) |
| Crypto Wallet | 48SWwQ7QUSSPhHS9zWF9V9TKyK7FZVxDd9LghKbbkkYzB3AbhyKaCozMc26siguA2b6tce6tztCTXCWgyrypBLmW7HRxs6D | Attacker Monero wallet (macOS) |
| Crypto Wallet | bnb1aj96a2f8655rl2hdrzghlagjpe2nm40tp7jq2v | Attacker Binance Chain wallet (macOS) |
| Crypto Wallet | DDrusqzPjEovYyFrtDV8PVZVZDFFvpGAkc | Attacker Dogecoin wallet (macOS) |
| Crypto Wallet | 7UQuwTTbZ9SoMY1E8D3DMyPjFCPCXjED2wcj8uhshyzW | Attacker Solana wallet (macOS) |
| Crypto Wallet | TBFqTqF17fRvSXDh7U8k5mVFxjqkKrWUXm | Attacker TRON wallet (macOS) |
| Crypto Wallet | rfzq3PnZAt6eFKcJ9TXHsAm2c8GuguHUc1 | Attacker XRP wallet (macOS) |
| Telegram Handle | @JoseCmanXD | Threat actor contact handle across phishing site, YouTube, and hacking forums |
| GitHub Account | Decryptor-j | Threat actor GitHub account |
| GitHub Account | crash-predictor1 | Threat actor GitHub account |
| GitHub Account | roblox-script1 | Threat actor GitHub account |
| GitHub Account | hack-scripts | Threat actor GitHub account |
| GitHub Account | stake-mines | Threat actor GitHub account |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
