
Malware Campaign Exploits Fake Reviews to Spread Crypto Clipper


"To push a malicious 'tool,' a single threat actor borrowed the same playbook legitimate brands use to build buzz: inflated download counts, coordinated five-star reviews, influencer-style tutorial videos, and promotion on platforms people instinctively trust," Check Point Research wrote.

Check Point Research's reconstruction of the campaign

Check Point Research reports an unknown threat actor running a multi-platform, cross-promotional campaign designed to manufacture credibility for a malicious crypto "tool." The operator uses paid or promoted posts on legitimate news websites, a dedicated WordPress phishing page as a central hub, multiple GitHub and SourceForge projects, a YouTube channel, and coordinated activity on VirusTotal to create the appearance of a trusted application.

How the clipper and its delivery packaging work

The end product being promoted is a Rust-based cryptocurrency clipboard hijacker that targets Windows and macOS. The malware continuously monitors the clipboard for content that matches a cryptocurrency wallet address pattern; when it detects a match the clipper substitutes the victim’s wallet address with an attacker-controlled address pulled from a hard-coded list, routing funds to the operator. Check Point says the clipper is being concealed inside applications presented as Solana and Pump.fun sniper bots and crash-game predictors — tools marketed to cryptocurrency asset holders and online gamblers seeking shortcuts or quick profits.
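As an added illustration, not taken from the Check Point report or from the malware itself, the substitution behaviour described above seen from the defender's side: a small Python monitor that walks a constructed stream of clipboard snapshots and flags a wallet address that was replaced by a different address of the same family without a user-initiated copy. The event format, the polling interval, the address patterns and every address value are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Loose address shapes of the kind a clipper keys on (assumed families; order matters in classify()).
WALLET_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "solana": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),  # base58, 32-44 chars
}

@dataclass
class ClipboardEvent:
    t: float          # seconds since the monitor started
    content: str      # clipboard text observed at that instant
    user_copy: bool   # True when the OS reported a user-initiated copy; False for a plain poll

def classify(text: str):
    """Return the wallet family the text looks like, or None for ordinary text."""
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.match(text.strip()):
            return family
    return None

def detect_swaps(events, max_gap: float = 2.0):
    """Flag changes that look like a clipper at work: an address replaced by a different
    address of the same family, with no user copy, within max_gap seconds."""
    alerts, prev = [], None
    for ev in events:
        if prev is not None and not ev.user_copy and ev.content != prev.content:
            fam_old, fam_new = classify(prev.content), classify(ev.content)
            if fam_old is not None and fam_old == fam_new and ev.t - prev.t <= max_gap:
                alerts.append((prev.content, ev.content, fam_old))
        prev = ev
    return alerts

# Constructed sample data: obviously fake addresses, valid only in shape, never real wallets.
VICTIM_SOL = "Victim" + "1" * 37
ATTACKER_SOL = "Attacker" + "1" * 35
VICTIM_ETH = "0x" + "ab" * 20
ATTACKER_ETH = "0x" + "cd" * 20
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, VICTIM_SOL, True),       # user copies their own Solana address
    ClipboardEvent(0.3, ATTACKER_SOL, False),    # silently rewritten 300 ms later: alert
    ClipboardEvent(5.0, "meeting notes", True),  # ordinary text, ignored
    ClipboardEvent(9.0, VICTIM_ETH, True),
    ClipboardEvent(9.2, ATTACKER_ETH, False),    # second swap, different family: alert
    ClipboardEvent(20.0, VICTIM_ETH, True),      # user re-copies: a legitimate change
    ClipboardEvent(30.0, VICTIM_SOL, True),
    ClipboardEvent(30.2, VICTIM_SOL, False),     # unchanged poll: nothing to report
]
```

Running `detect_swaps(SAMPLE_EVENTS)` yields the two swapped pairs and nothing for the user-driven or unchanged events; a real deployment would feed it from the OS clipboard API rather than a fixed list.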

Ghost Networks, VirusTotal manipulation, and synthetic reputation

One unusual characteristic Check Point highlights is the use of what it calls Ghost Networks to "poison reputation-driven systems like VirusTotal." The campaign includes a cluster of accounts that engage in coordinated upvotes and highly positive comments on VirusTotal with the stated intent to misclassify malicious files as safe. The operator’s objective is explicit: reduce suspicion and increase victims’ trust in the malicious files by simulating crowd-sourced approval.

Cross-platform amplification: GitHub, SourceForge, YouTube, and press distribution

Check Point documents extensive cross-platform activity. On SourceForge the download counter reached 44,485, with a suspicious 37,460 of those downloads reportedly originating from Android devices despite the developer only offering Windows and macOS versions — a discrepancy Check Point says could be explained by "the use of an Android farm to artificially inflate the download count on SourceForge." On GitHub the threat actor operates at least six accounts to cross-promote and distribute the malware; one repository cited by Check Point shows 146 stars and 62 forks. The operator also runs a YouTube channel with more than 91,000 subscribers, created in July 2020, that hosts tutorial-style videos featuring AI-generated narrators and reinforcing positive comments while claiming the channel is "strictly for educational purposes only."

Perhaps most notable outside the usual threat-detection playbook, the actor used a press release distribution service, EIN Presswire, to market the tool. That press release was syndicated across the service’s partner news websites, primarily the USA TODAY Network, extending the campaign’s reach into mainstream publishing channels.

What this means for technologists, platforms, and cryptocurrency users

  • Technologists and security teams: Expect to see reputation signals — stars, forks, download counts, tutorial views, and positive comments — weaponized as part of social-engineering chains that lead directly to malware installation. Check Point’s findings show those signal sets can be manufactured across multiple platforms to create a consistent, convincing trail.
  • Platforms and content hosts (GitHub, SourceForge, video hosts, press distributors): Synthetic amplification and coordinated accounts can create plausible credibility. Hosts that rely on community signals for trust will face pressure to detect cross-platform campaigns that tie together downloads, comments, and external press.
  • Cryptocurrency users and online gamblers: Tools advertised as sniper bots or crash-game predictors may be used as delivery vectors for clipboard hijackers. Check Point’s report links the campaign’s targeting and packaging directly to audiences seeking fast crypto gains.

"Manipulating sentiment and reputation across crowd-sourced platforms marks a meaningful shift in how attackers build trust," Check Point said, warning that the same playbook could be repurposed to distribute information stealers or ransomware to higher-value targets over time.

The campaign documented by Check Point blends technical malware delivery with a deliberately engineered reputation economy. The question left by the evidence is not whether attackers will abuse trust signals, but how quickly platforms and users will adjust which signals they accept as proof of legitimacy.

Source: https://thehackernews.com/2026/06/crypto-clipper-campaign-abuses-fake.html