Fake GitHub and Crypto Bot Promotions Spread Cross-Platform Clipboard Hijacker
A malware campaign has been distributing Rust-based cryptocurrency clipboard hijackers for Windows and macOS by masquerading as crypto trading bots, Solana and Pump.fun sniper bots, Aviator Predictor, and other crash-game predictor tools. Researchers said the operation used a WordPress phishing site as a central hub and boosted credibility through coordinated promotion on GitHub, SourceForge, YouTube, crypto forums, and even posts placed on legitimate news websites, targeting crypto holders, traders, and gamblers seeking quick profits or unfair advantages.
On Windows, a .NET loader deployed a Rust clipper that stored files under %APPDATA%, created Startup shortcut persistence, and swapped copied wallet addresses with attacker-controlled ones from an embedded list of more than 15,500 addresses. On macOS, victims were guided through a loader and an "unlocker" script to bypass Gatekeeper, after which a Rust clipper installed LaunchAgent persistence and a self-healing watchdog. The activity was linked across platforms through the Telegram handle and WordPress author name @JoseCmanXD, while the operators also manipulated VirusTotal community sentiment with benign votes and "safe" comments; attacker-controlled wallets reportedly received multiple transactions, indicating successful theft.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Actor linked to crypto-stealing tools since at least 2019
Check Point-linked reporting said evidence suggests the actor behind the clipper campaign had been active since at least 2019 promoting cryptocurrency-stealing tools, including CryptoRipper. The activity was associated with the Telegram username JoseCmanXD and a fake company called Decryptor.
Check Point Research documents cross-platform crypto clipper campaign
Check Point Research published findings on a malware campaign distributing Rust-based cryptocurrency clipboard hijackers for Windows and macOS disguised as crypto trading bots, sniper bots, and gambling predictor tools. The report says the operation used a WordPress phishing site and reputation manipulation across GitHub, SourceForge, YouTube, crypto forums, legitimate news sites, and VirusTotal comments and votes.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Malware campaign uses VirusTotal manipulation, legitimate news sites to gain reputation | news | SC Media
scworld.com
Open sourceRust Clipboard Hijacker Uses Fake GitHub Stars and VirusTotal Upvotes to Steal Crypto - Cyber Security News
cybersecuritynews.com
Open sourceCrypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments
thehackernews.com
Open sourceFrom Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourceFrom Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker - Check Point Research
research.checkpoint.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Crypto clipper malware spreads by USB and uses Tor-backed C2 on Windows
Microsoft disclosed an active Windows cryptocurrency theft campaign that spreads through malicious `.lnk` shortcut files, often delivered via USB devices, and combines worm-like propagation with a script-based clipper and stealer. The malware has been active since February 2026 and uses Windows Script Host, ActiveX, and a bundled Tor client to reach hidden-service command-and-control infrastructure through `localhost:9050`, avoiding conventional installer and IP-based infrastructure. Microsoft said the threat is detected as **Trojan:Win32/CryptoBandits.A** and related **CryptoBandits** signatures. Once installed, the malware monitors the clipboard roughly every 500 milliseconds for **BIP39 seed phrases**, Ethereum keys, Bitcoin WIF keys, and wallet addresses, then replaces copied cryptocurrency addresses with attacker-controlled ones while also stealing screenshots. Microsoft said the operators added persistence through scheduled tasks, Defender exclusions, layered obfuscation, and packaging with **PyArmor** and **PyInstaller**, while also terminating execution if Task Manager is detected. The campaign also supports remote code execution through an `EVAL` command from its C2, effectively giving the operators lightweight backdoor access; defenders were urged to block `.lnk` execution from removable media, restrict script hosts, and hunt for suspicious script activity, clipboard inspection, `curl`-based exfiltration, PowerShell screen capture, and Tor SOCKS5 traffic over `localhost:9050`.
Jun 19, 2026
Fake ChatGPT Site and Piracy Portals Deliver Cross-Platform Stealers and Cryptominers
Threat researchers reported two large malware distribution operations that relied on popular consumer lures rather than software exploits. One campaign used piracy sites offering movies, TV shows, books, and digital library content to push fake plugin or browser update prompts; the downloaded ZIP files abused DLL side-loading, ROP-based decryption, and reflective loading to install a modified `SilentCryptoMiner`, a watchdog, a RAT component, and CPU/GPU miners. The malware gated execution through DNS tunneling and date-generated command-and-control infrastructure, harvested host data, and established persistence with a fake `GoogleUpdateTaskMachineQC` service and repeated UAC elevation attempts, with implicated sites drawing roughly 40 million visits in a single month. A separate operation used `openew[.]app`, a fake ChatGPT download page impersonating OpenAI, to infect both Windows and macOS users with platform-specific malware. Windows visitors received a credential-stealing loader disguised as `Chat_GPT.exe`, built with Inno Setup and Electron and launching PowerShell activity that contacted `188.137.246.189`, while macOS users were served **Atomic Stealer (AMOS)** to steal passwords, browser data, Telegram sessions, and cryptocurrency wallet information. Researchers said the macOS payload also attempted to replace legitimate Ledger and Trezor applications with trojanized versions, underscoring a strong cryptocurrency theft motive and showing how attackers are exploiting AI-brand search traffic and piracy demand to scale malware infections.
May 28, 2026
Cryptocurrency Theft Malware Using Deceptive Executables and PyInstaller Packaging
Threat researchers reported active cryptocurrency-focused malware campaigns that rely on social engineering and deceptive executables to steal funds or wallet-related secrets. One operation observed by CloudSEK targets **Discord** communities tied to gaming, gambling, and crypto streaming, where an actor tracked as **“RedLineCyber”** builds trust and privately shares Windows executables (e.g., `Pro.exe`, `peeek.exe`) pitched as streaming/security tools. After installation, the malware performs **clipboard hijacking**, monitoring for copied wallet addresses and swapping them with attacker-controlled addresses at paste time, enabling theft with minimal user-visible indicators and limited/no obvious command-and-control activity. Separately, Iru researcher **Calvin So** documented **MonetaStealer** on **macOS**, delivered as `Portfolio_Review.exe` but actually an **unsigned Mach-O** binary using a misleading `.exe` extension to exploit the assumption that Windows executables are harmless on Macs. The sample is **Python-based and bundled with PyInstaller**, with core logic hidden in a compressed `portfolio_app.pyc`, and was reported as having **zero detections on VirusTotal** at the time of analysis. MonetaStealer is designed to steal cryptocurrency wallet data along with browser secrets and **Keychain** information, and appears to be early-stage malware with indications of AI-assisted code structure.
Mar 21, 2026