A single threat actor is running a sophisticated campaign to distribute a cryptocurrency clipboard hijacker, using the same marketing playbook legitimate brands rely on: fake reviews, inflated download counts, and promoted posts on news sites people trust.
According to Check Point Research, the operation spans multiple platforms. There’s a dedicated WordPress phishing page acting as the hub, GitHub and SourceForge projects promoted by fake accounts, a YouTube channel with over 91,000 subscribers, and coordinated activity on VirusTotal designed to trick the platform’s reputation systems into marking malicious files as safe.
The goal: push a Rust-based crypto clipper disguised as Solana and Pump.fun sniper bots and crash-game predictors. Once installed, the malware monitors the clipboard for cryptocurrency wallet address patterns and swaps them with attacker-controlled addresses from a hard-coded list. It targets both Windows and macOS.
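As an added illustration (not code from the Check Point report or from the campaign itself), the Python below shows the defender's view of the swap just described: it replays a constructed sequence of clipboard copy/poll events and flags a poll that returns a wallet address the user never copied. The address regexes, event model and sample addresses are assumptions built for this example.

```python
import re

# Constructed address shapes (they classify text, no checksum validation). A legacy Bitcoin
# address also fits the Solana base58 length band, so the Bitcoin patterns are tried first.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "solana": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}

def classify_address(text):
    """Return the chain label if text looks like a wallet address, else None."""
    if not text:
        return None
    for label, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return label
    return None

def detect_swaps(events):
    """Replay ("copy", text) / ("poll", text) clipboard events and flag silent swaps.
    A poll returning a wallet address that differs from what the user last copied,
    with no copy event in between, is the clipper signature. same_type=True means the
    replacement is an address for the same chain, the high-confidence case.
    """
    alerts, last_copied = [], None
    for kind, text in events:
        text = text.strip()
        if kind == "copy":
            last_copied = text
        elif kind == "poll":
            observed = classify_address(text)
            if observed is not None and text != last_copied:
                alerts.append({"expected": last_copied, "observed": text, "type": observed,
                               "same_type": observed == classify_address(last_copied)})
        else:
            raise ValueError(f"unknown clipboard event: {kind}")
    return alerts

# Constructed sample: fake addresses, not real wallets.
USER_SOL = "So1anaUserWa11etAddressExamp1eAAAA"
SWAP_SOL = "Attacker5waPPedThisSo1anaAddressZZ"
USER_ETH, SWAP_ETH = "0x" + "11" * 20, "0x" + "ee" * 20
SAMPLE_EVENTS = [
    ("copy", USER_SOL), ("poll", USER_SOL),        # unchanged: benign
    ("poll", SWAP_SOL),                            # replaced without a copy: flagged
    ("copy", "meeting notes"), ("poll", "meeting notes"),
    ("copy", USER_ETH), ("poll", SWAP_ETH),        # same trick on an Ethereum address
]
```

On a real host the poll events would come from reading the system clipboard on a timer; the replay form here keeps the logic testable offline.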
On SourceForge, the download counter hit 44,485 — with a suspicious 37,460 supposedly from Android devices, even though the developer only offers Windows and macOS versions. The likely explanation: an Android farm inflating numbers.
On GitHub, at least six fake accounts cross-promote and distribute the malware, with one repository claiming 146 stars and 62 forks. YouTube videos use AI-generated narrators and coordinated positive comments to build false legitimacy.
Perhaps the most brazen move: the threat actor used a press release distribution service (EIN Presswire) to market the tool’s capabilities. The press release was subsequently syndicated across legitimate news outlets.
The campaign is a reminder that a polished-looking tool with good reviews and a big following is not necessarily safe. Always verify before downloading, especially when the product promises quick profits in crypto or gaming.
