
Malware Campaign Exploits AI, Fake GitHub Stars to Spread Crypto Clipper


More than 15,500 cryptocurrency wallet addresses are embedded in the malware’s code, most of them Bitcoin — a telling detail of how far the operator went to harvest small, repeated thefts rather than one large, noisy heist.

What the malware is and how it operates

Check Point Research traced the operation to a Rust-based clipboard hijacker — a "clipper" that swaps copied crypto wallet addresses for an attacker-controlled address. The campaign delivers builds for both Windows and macOS. According to Check Point, a loader drops and launches the Rust clipper; the binary copies itself for persistence and configures itself to run at startup.

Once active, the malware watches the clipboard for text that resembles a cryptocurrency wallet address. When it detects one, the clipper silently replaces the victim’s copied address with an attacker wallet pulled from an embedded list of more than 15,500 addresses. The macOS build adds a social-engineering element: it bundles an "unlocker" script that walks users through removing Apple's quarantine flag and bypassing Gatekeeper so the unsigned app can run.
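The swap behaviour described above (an address is copied, then silently rewritten to a different address of the same type moments later) is something a defender can look for in clipboard history. The following is an added illustration, not code from Check Point or from the malware; the clipboard snapshot log is constructed, and the address patterns are loose on purpose so that a false positive only costs an alert.

```python
import re
from dataclasses import dataclass

# Loose patterns for the wallet types a clipper typically targets (the campaign's
# embedded list is mostly Bitcoin). Matching is deliberately permissive.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),  # base58 charset
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),       # bech32 charset
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text: str):
    """Return the wallet type a clipboard string resembles, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

@dataclass
class Swap:
    t: float          # timestamp of the replacement snapshot
    kind: str         # wallet type of both addresses
    original: str     # what the user copied
    replacement: str  # what the clipboard held afterwards

def find_swaps(snapshots, window_s=2.0):
    """snapshots: ordered list of (timestamp_seconds, clipboard_text).
    A swap is a wallet address replaced by a different address of the same type
    within window_s, which is how a clipper behaves: the user copies, it rewrites.
    A user who copies two addresses very quickly also triggers this, so treat a hit
    as an alert to verify, not a verdict."""
    swaps = []
    for (t0, a), (t1, b) in zip(snapshots, snapshots[1:]):
        ka, kb = classify(a), classify(b)
        if ka and ka == kb and a.strip() != b.strip() and (t1 - t0) <= window_s:
            swaps.append(Swap(t1, ka, a.strip(), b.strip()))
    return swaps

# Constructed clipboard log (not real campaign data): the user copies a BTC address,
# the clipboard is rewritten 0.4 s later, then unrelated ETH addresses are copied 31 s apart.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (5.0, "bc1qexample" + "a" * 30),
    (5.4, "bc1qswapped" + "c" * 30),
    (9.0, "0x" + "ab" * 20),
    (40.0, "0x" + "cd" * 20),
]

if __name__ == "__main__":
    for s in find_swaps(SAMPLE_SNAPSHOTS):
        print(f"t={s.t}s {s.kind}: {s.original} -> {s.replacement}")
```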

Manufacturing trust: Ghost Networks on GitHub, SourceForge, YouTube and VirusTotal

Rather than hiding the payload, the actor surrounds it with signals intended to look legitimate. Check Point documented what it calls "Ghost Networks" of fake accounts and coordinated content designed to manufacture social proof across multiple platforms:

  • Six or more GitHub accounts with repositories padded by fake stars and forks.
  • SourceForge projects reporting 44,485 downloads, though most of those counts came from Android devices despite the campaign having no Android build.
  • A YouTube channel that uses AI-generated narrators, shows fake view spikes and carries coordinated praise of the tools.
  • VirusTotal entries seeded with planted "safe" votes and comments.

Check Point emphasizes that these layers of apparent popularity are not incidental marketing but an intentional playbook: make a booby-trapped tool look like the sort of normal, widely used utility that traders and gamblers might trust.

The VirusTotal twist and the risk to reputation-based defenses

Among the campaign’s techniques, Check Point calls the manipulation of VirusTotal particularly novel and dangerous. The actor planted "safe" votes and comments on VirusTotal entries; combined with currently low antivirus detection rates, these planted signals can cause reputation-based defenses to classify the files as benign. Check Point warns this undermines defenses that rely on crowdsourced reputation and can give victims a false sense of security before they execute malicious binaries.

Persistence and anti-removal behavior on macOS

Both platform builds are designed to persist. The macOS variant not only bundles the social-engineering unlocker but also runs a 30-second watchdog that rewrites the program and clones the binary to survive attempts at manual removal. Those behaviors show the actor prioritized long-term access and resilience over rapid, one-off attacks.

What this means for technologists, end users, and news-site operators

Technologists and security teams: Check Point’s findings point to attacks that exploit reputation signals across repositories, download portals and analysis services. Teams should treat unusually high star/fork counts, sudden download spikes (for example, 44,485 SourceForge downloads with no Android build), or positive VirusTotal votes as data points to verify, not proof of safety.

End users and traders chasing shortcuts: the campaign’s lures — crypto "sniper" bots, predictors for crash-gambling games and promises of easy money — are the exact bait the actor uses. On macOS, the presence of an "unlocker" script that walks users through removing Apple’s quarantine flag and bypassing Gatekeeper is a red flag tied directly to the malware’s delivery method.

News-site operators and publishers: Check Point found promotional posts seeded on legitimate news sites, some likely paid and others possibly the result of compromised outlets. Those channels were used to amplify the false reputation surrounding the tools and can lend dangerous credibility to malicious offerings.

Check Point frames the case as more than a single clipper campaign: it is a playbook. "These techniques can also be abused by other types of actors distributing and promoting information stealers or other malware families, which can eventually lead to full ransomware compromises in more mature environments," the firm warned. "In other words, the same playbook of fake reputation and broad promotion can be reused to deliver more damaging payloads over time."

The campaign is a reminder that attackers are investing in the optics of legitimacy as much as in exploit code: inflate the numbers, populate the praise, and the bait looks routine until the theft happens. Read the original Check Point analysis and reporting here: https://www.infosecurity-magazine.com/news/crypto-clipboard-hijacker-fake/