Cyble researchers reported a newly identified Linux malware family, ClipXDaemon, that targets X11 desktop sessions by continuously monitoring clipboard contents (about every 200 ms) and covertly replacing copied cryptocurrency wallet addresses with attacker-controlled ones to divert funds. The malware is designed to operate without command-and-control (C2) infrastructure, enabling direct monetization while reducing network-based detection opportunities; it uses standard X11 APIs to connect to the X server and perform clipboard tracking and manipulation.
Infections were observed starting from a loader whose structure resembles the earlier Linux threat ShadowHS, including use of a bincrypter-generated script to decrypt and launch a memory-resident dropper that ultimately executes ClipXDaemon. The malware establishes persistence by appending an execution line (avoiding root privileges, scheduled tasks, or systemd services) and uses double-fork daemonization to evade inspection tools. Reported targeting includes multiple wallet formats—at least Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin (with additional monitoring noted for Ripple and TON in one report)—with wallet patterns and replacement data protected via encryption (including ChaCha20 in the analyzed binary), and the payload was reported as undetected on VirusTotal at the time of analysis.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Cyble researchers publicly reported on ClipXDaemon in March 2026, describing its C2-less design, in-memory loader chain, user-level persistence via shell profile modification, and clipboard monitoring of multiple cryptocurrency address formats. The analysis also noted that the malware exits on Wayland systems and is harder to detect through network-based defenses because it uses no DNS, HTTP, sockets, domains, or IPs.
In early February 2026, researchers observed a multi-stage infection chain delivering ClipXDaemon, a Linux clipboard hijacker aimed at cryptocurrency users on X11 desktop environments. The malware replaced copied wallet addresses with attacker-controlled ones to steal funds during transactions.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.