Fake reputation campaign pushes crypto clipper through GitHub, YouTube and news sites

Check Point Research has uncovered a campaign that used paid or promoted posts on legitimate news websites, fake accounts and other trusted platforms to promote a cryptocurrency clipboard hijacker. The activity spanned GitHub, SourceForge, YouTube and VirusTotal, the researchers said.

KEY FACTS

  • Target: The malware replaces cryptocurrency wallet addresses copied to the clipboard with attacker-controlled addresses.
  • Platforms: The campaign used GitHub, SourceForge, YouTube, VirusTotal and a WordPress phishing page.
  • Scope: One GitHub repository had 146 stars and 62 forks, while SourceForge showed 44,485 downloads.
  • Distribution: The software was also marketed through a press release service and syndication across partner news sites.

The malware is a Rust-based clipper that runs on Windows and macOS and watches the clipboard for text matching cryptocurrency wallet address patterns. When it finds a match, it silently replaces the copied address with one from a hard-coded attacker-controlled list, so funds the victim intends to send go to the attacker instead. The swap is easy to miss because few users compare a long address character by character before confirming a transaction.
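To make the mechanism concrete, here is an added Python example (not code from the report or from the malware itself) that implements both halves of the problem: the shape-only address matching and substitution a clipper performs, simulated on plain strings rather than the system clipboard, and the user-side check that catches it, namely a copied address coming back as a different address of the same kind. The regexes, the attacker list and the sample clipboard contents are constructed for illustration; the report does not publish the malware's own patterns or addresses.

```python
import re
from typing import Optional

# Shape-only patterns of the kind a clipper matches on. They check format,
# not checksums, so they are deliberately permissive (constructed for this
# example; the report does not publish the malware's own regexes).
ADDRESS_PATTERNS = [
    ("eth", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("btc_bech32", re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$")),
    # Legacy Bitcoin and Solana both use base58; a 32-35 character base58
    # string starting with 1 or 3 is ambiguous, so Bitcoin is tried first.
    ("btc_legacy", re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")),
    ("sol", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]

# Hypothetical attacker destinations, one per address kind (constructed).
ATTACKER_ADDRESSES = {
    "eth": "0x" + "e" * 40,
    "btc_bech32": "bc1q" + "x" * 38,
    "btc_legacy": "1" + "E" * 33,
    "sol": "Evi1" + "E" * 40,
}

# Constructed clipboard contents a victim might copy.
SAMPLE_CLIPBOARD = [
    "0x" + "b" * 40,             # Ethereum address
    "bc1q" + "q" * 38,           # Bitcoin bech32 address
    "1" + "A" * 33,              # Bitcoin legacy address
    "Victim" + "Z" * 38,         # Solana address
    "meeting notes for monday",  # not an address: must pass through untouched
]


def classify_address(text: str) -> Optional[str]:
    """Return the address kind the clipboard text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return kind
    return None


def clipper_swap(clipboard: str, attacker_addresses: dict) -> str:
    """Simulate the clipper's substitution step on a plain string.

    If the text looks like a wallet address and the attacker list holds a
    destination of the same kind, that destination is returned; otherwise
    the text comes back unchanged. Nothing here touches the real clipboard.
    """
    kind = classify_address(clipboard)
    if kind is None or kind not in attacker_addresses:
        return clipboard
    return attacker_addresses[kind]


def check_paste(copied: str, pasted: str) -> dict:
    """User-side integrity check: what was copied must be what is pasted.

    The clipper's signature is an address replaced by a different address
    of the same kind, which is exactly what a glance at the pasted value
    tends to miss. Any change at all is reported separately.
    """
    copied_kind = classify_address(copied)
    pasted_kind = classify_address(pasted)
    same_kind_swap = (
        copied_kind is not None
        and pasted_kind == copied_kind
        and copied.strip() != pasted.strip()
    )
    return {
        "kind": copied_kind,
        "changed": copied != pasted,
        "address_swapped": same_kind_swap,
    }


def simulate(clipboard_items, attacker_addresses):
    """Run each constructed clipboard value through the swap and the check."""
    results = []
    for copied in clipboard_items:
        pasted = clipper_swap(copied, attacker_addresses)
        verdict = check_paste(copied, pasted)
        results.append((copied, pasted, verdict["address_swapped"]))
    return results


if __name__ == "__main__":
    for copied, pasted, swapped in simulate(SAMPLE_CLIPBOARD, ATTACKER_ADDRESSES):
        flag = "SWAPPED" if swapped else "ok"
        print(f"{flag:8} copied={copied[:12]}... pasted={pasted[:12]}...")
```

The check is the practical takeaway: a clipper never changes the address type, only its value, so comparing the pasted address against the one you copied (at minimum its first and last few characters) defeats it regardless of how convincingly the installer was promoted.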

The report said the software was concealed inside Solana and Pump.fun sniper bots and crash-game predictors, suggesting that cryptocurrency holders and online gamblers were the intended audience. It also said the threat actor operated at least six GitHub accounts to cross-promote the files and used coordinated activity on VirusTotal to make malicious samples appear safe.

On SourceForge, the download counter attributed a large share of downloads to Android devices, even though only Windows and macOS builds were offered. The report said that mismatch may indicate artificial inflation through an Android device farm.

The same promotion effort extended to a YouTube channel with more than 91,000 subscribers, where tutorial-style videos used AI-generated narrators and upbeat comments to build trust. A press release distributed through EIN Presswire was later syndicated across partner news websites, including outlets in the USA TODAY Network.

WHY IT MATTERS

The findings show how attackers can manufacture popularity, positive reviews and coverage on trusted distribution channels to lower a victim's guard before a download. Stars, download counts, subscriber numbers and syndicated press releases are all signals a threat actor can buy or fake, so none of them should substitute for verifying where a binary actually came from. The same approach could be used to spread information stealers or ransomware to higher-value targets later.