Rust clipboard hijacker

A WordPress phishing site serves as the main landing page, while GitHub and SourceForge projects are used to host and distribute the files.

The victim needs to trigger SniperBot_Premium(Free).exe (or other related name depending on the “solution” promoted). This file is a simple .NET loader which executes the file located in src/config/silkebin.exe.

When it detects a supported address format, it replaces the clipboard contents with an attacker-controlled wallet address taken from an internal list.

To maintain persistence, the malware writes a shell script wrapper to ~/launch.sh and installs a RunAtLoad and KeepAlive LaunchAgent plist at ~/Library/LaunchAgents/com.example..plist , causing launchd to silently re-execute the binary on every login and restart it if it dies.

The sample achieves persistence by copying itself to %APPDATA%\\silke\\silke.exe and creating a shortcut in the Startup folder so it will automatically run at logon.

To maintain persistence, the malware writes a shell script wrapper to ~/launch.sh and installs a RunAtLoad and KeepAlive LaunchAgent plist at ~/Library/LaunchAgents/com.example..plist , causing launchd to silently re-execute the binary on every login and restart it if it dies.

The sample achieves persistence by copying itself to %APPDATA%\\silke\\silke.exe and creating a shortcut in the Startup folder so it will automatically run at logon.

This phishing website promotes a mix of “edge” tools that all promise easy, unfair advantages.

The malware creates a hidden window and registers as a clipboard listener using Windows APIs such as AddClipboardFormatListener , OpenClipboard , GetClipboardData , EmptyClipboard , and SetClipboardData.

When it detects a supported address format, it replaces the clipboard contents with an attacker-controlled wallet address taken from an internal list.

These binaries install persistence, continuously monitor the clipboard for strings that look like cryptocurrency wallet addresses, and replace them with attacker-controlled wallets from large, embedded lists.