Fake GitHub Stars and AI Video Overshadow Crypto Clipper

Cryptocurrency-stealing malware campaigns are spreading by lying about their popularity: booby-trapped “tools” are dressed up with fake GitHub stars, inflated download counts, and AI-narrated YouTube tutorials.

New analysis from Check Point Research attributes the operation to a Rust-based clipboard hijacker. This “clipper” swaps a copied cryptocurrency wallet address for the attacker’s own address, and it is built for both Windows and macOS.

The decoys are tools promising an easy “edge”: crypto sniper bots and “predictors” that claim to forecast crash gambling games, aimed at shortcut-seeking traders and gamblers. A WordPress phishing page acts as a hub that directs victims to the downloads.

Manufacturing legitimacy

This campaign stands out for its focus on appearing legitimate. According to Check Point, the attackers used a “ghost network” of fake accounts to fabricate social proof across several platforms, including:

  • Six or more GitHub accounts with repositories padded with fake stars and forks

  • A SourceForge project showing 44,485 downloads, most of them from Android devices, even though no Android build exists

  • YouTube channels using AI-generated narrators, fake view spikes, and tailored praise

  • VirusTotal entries with planted “safe” votes and comments

The VirusTotal trick is among the most novel. Check Point warned that planted “safe” votes, combined with low antivirus detection rates, could fool reputation-based defenses into treating the files as clean.

The attackers even seeded legitimate news sites with promotional posts, some of them likely paid placements and others appearing on sites that may have been compromised.

Malware behavior

The malware itself is simple. When a victim runs the fake tool, the loader launches the Rust clipper, copies it to a persistent location, and registers it to run at startup.

From there, it monitors the clipboard for anything resembling a cryptocurrency wallet address and silently replaces it with an attacker wallet drawn from an embedded list of more than 15,500 addresses, most of them Bitcoin.
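As an added defensive illustration (not code from Check Point or from the campaign), the following heuristic looks for the clipper’s signature in a recorded clipboard history: a wallet address replaced by a different, equally valid-looking address faster than a person could plausibly re-copy one. The clipboard samples, the `Sample` type and the 2-second threshold are constructed for the example.

```python
import re
from dataclasses import dataclass

# Bitcoin address shapes: legacy/P2SH base58 (1... or 3...) and bech32 (bc1...).
BTC_ADDRESS = re.compile(
    r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"
)


@dataclass
class Sample:
    t: float    # seconds since monitoring started (constructed timeline)
    text: str   # clipboard contents observed at that instant


def is_wallet_address(text: str) -> bool:
    """True if the text has the shape of a Bitcoin address."""
    return BTC_ADDRESS.match(text.strip()) is not None


def detect_swaps(samples, max_gap: float = 2.0):
    """Return (old_address, new_address, time) for every address-to-address
    substitution that happened within max_gap seconds of the previous poll.
    A clipper rewrites the clipboard almost instantly after a copy, whereas a
    user who copies a second address normally needs several seconds."""
    alerts = []
    prev = None
    for cur in samples:
        if prev is not None:
            old, new = prev.text.strip(), cur.text.strip()
            if (old != new and is_wallet_address(old) and is_wallet_address(new)
                    and (cur.t - prev.t) <= max_gap):
                alerts.append((old, new, cur.t))
        prev = cur
    return alerts


# Constructed clipboard poll history (not real telemetry). The user copies their
# own address at t=0; at t=0.4 the content silently changes to a different
# valid-looking address, which is the clipper pattern. Later changes are benign.
SAMPLES = [
    Sample(0.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    Sample(0.2, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    Sample(0.4, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    Sample(9.0, "meeting notes"),
    Sample(30.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    Sample(45.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
]

if __name__ == "__main__":
    for old, new, t in detect_swaps(SAMPLES):
        print(f"t={t}s: clipboard address {old} was replaced by {new}")
```

The threshold trades false positives (a user pasting two addresses in quick succession) against missed slow rewrites, so it should be tuned to the polling interval actually used.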

On macOS, the build adds a social engineering twist. A bundled “unlock” script walks users through removing Apple’s quarantine flag and bypassing Gatekeeper so the unsigned app will run.

Both versions emphasize persistence, with the macOS variant running a 30-second watchdog that rewrites itself and clones the binary to survive manual removal.

Check Point framed the incident as a change in the way attackers build trust. Rather than hiding the malware, the attacker surrounds it with positive signals so that by the time the victim runs the file, it feels like a regular app.

“These techniques can also be exploited by information thieves and other types of attackers distributing and promoting other malware families, and in more mature environments could ultimately lead to a full-blown ransomware breach,” the company warns.

“In other words, the same strategy of false reputation and widespread promotion can be reused to deliver more harmful payloads over time.”
