Cyble Research and Intelligence Labs: New Linux Threat ClipXDaemon Hijacks X11 Clipboard To Steal Crypto Transfers

New Linux Malware ClipXDaemon Hijacks Crypto Wallet Addresses in X11 Sessions

A recently discovered Linux malware, ClipXDaemon, is targeting cryptocurrency users by silently replacing copied wallet addresses with attacker-controlled ones during transactions. Identified by Cyble Research and Intelligence Labs in early February 2026 and detailed on March 5, 2026, the malware exploits the common practice of copy-pasting wallet addresses, redirecting funds to threat actors without the victim’s knowledge.

Unlike traditional malware, ClipXDaemon operates independently, eliminating the need for a command-and-control (C2) server. This makes it harder to detect, as it avoids network-based indicators of compromise. The malware is delivered via a loader using Bincrypter, an open-source shell-script encryption tool available on GitHub. While this technique was previously seen in ShadowHS campaigns, researchers found no direct link between the two threats, only shared use of the same public tool.

ClipXDaemon focuses solely on clipboard hijacking within X11 sessions, a widely used Linux windowing system. It monitors clipboard activity and replaces cryptocurrency wallet addresses in real time. Since many users rely on copy-paste for transactions, a single unnoticed alteration can result in funds being sent to the attacker instead of the intended recipient.

The malware’s stealthy, self-contained design poses challenges for defenders, as traditional detection methods often rely on identifying suspicious outbound traffic or C2 communications. Its evolution reflects a broader trend in Linux malware toward targeted, profit-driven attacks that minimize detectable activity.

Security recommendations include transitioning from X11 to Wayland (which ClipXDaemon avoids), monitoring for unusual clipboard polling, and verifying wallet addresses manually before transactions. The threat underscores the persistent risk of clipboard hijacking in cryptocurrency operations, even on less commonly targeted Linux systems.
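The clipboard-monitoring recommendation can be turned into a simple check, shown here as an added example that is not part of the Cyble report: it scans a timeline of clipboard snapshots and flags a wallet-address-shaped value that is replaced by a different value of the same shape within a short window. The address patterns, the 2-second window, the function names and the sample timeline are all assumptions made for this illustration.

```python
import re
from dataclasses import dataclass

# Assumed address shapes (not taken from the report): widely documented
# public formats, used only to decide whether a value "looks like" an address.
ADDRESS_SHAPES = {
    "btc-base58": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return the name of the matching address shape, or None."""
    value = text.strip()
    for kind, pattern in ADDRESS_SHAPES.items():
        if pattern.match(value):
            return kind
    return None

@dataclass
class Swap:
    at: float      # timestamp of the snapshot holding the replacement
    kind: str      # address shape shared by both values
    copied: str    # value the user placed on the clipboard
    found: str     # value present shortly afterwards

def find_swaps(snapshots, window=2.0):
    """Flag same-shape address replacements inside `window` seconds.

    snapshots: time-ordered list of (timestamp_seconds, clipboard_text).
    A user copying a second address by hand normally takes longer than the
    window (an assumed threshold), so only rapid replacements are reported.
    """
    swaps = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        kind = address_kind(before)
        if (kind and kind == address_kind(after)
                and before.strip() != after.strip()
                and (t1 - t0) <= window):
            swaps.append(Swap(t1, kind, before.strip(), after.strip()))
    return swaps

# Constructed sample data: placeholder values, not real wallet addresses.
ADDR_A = "0x" + "11" * 20
ADDR_B = "0x" + "22" * 20
SAMPLE = [(0.0, "meeting notes"), (10.0, ADDR_A), (10.4, ADDR_B),
          (30.0, "hello"), (40.0, ADDR_A), (100.0, ADDR_B)]

if __name__ == "__main__":
    for swap in find_swaps(SAMPLE):
        print(f"{swap.at:.1f}s {swap.kind}: {swap.copied} -> {swap.found}")
```

Only the replacement at 10.4 s is reported; the change at 100 s falls outside the window and is treated as an ordinary user copy.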

Source: https://cyberpress.org/clipxdaemon-steals-crypto-transfers/

Cyble cybersecurity rating report: https://www.rankiteo.com/company/cyble-global

"id": "CYB1773131064",
"linkid": "cyble-global",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'industry': 'Cryptocurrency',
                        'location': 'Global',
                        'type': 'Individual cryptocurrency users'}],
 'attack_vector': 'Clipboard hijacking via malicious loader',
 'data_breach': {'sensitivity_of_data': 'High (financial)',
                 'type_of_data_compromised': 'Cryptocurrency wallet addresses'},
 'date_detected': '2026-02-01',
 'date_publicly_disclosed': '2026-03-05',
 'description': 'A recently discovered Linux malware, ClipXDaemon, is '
                'targeting cryptocurrency users by silently replacing copied '
                'wallet addresses with attacker-controlled ones during '
                'transactions. The malware exploits the common practice of '
                'copy-pasting wallet addresses, redirecting funds to threat '
                'actors without the victim’s knowledge. It operates '
                'independently without a command-and-control (C2) server, '
                'making it harder to detect. The malware is delivered via a '
                'loader using Bincrypter, an open-source shell-script '
                'encryption tool, and focuses solely on clipboard hijacking '
                'within X11 sessions.',
 'impact': {'financial_loss': 'Funds redirected to attacker-controlled wallets',
            'operational_impact': 'Unauthorized fund transfers',
            'payment_information_risk': 'Cryptocurrency wallet addresses',
            'systems_affected': 'Linux systems using X11'},
 'initial_access_broker': {'entry_point': 'Malicious loader using Bincrypter',
                           'high_value_targets': 'Cryptocurrency users'},
 'lessons_learned': 'Clipboard hijacking remains a persistent risk in '
                    'cryptocurrency operations, even on Linux systems. The '
                    "malware's self-contained design poses detection "
                    'challenges, highlighting the need for alternative '
                    'windowing systems like Wayland and manual verification of '
                    'wallet addresses.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Adoption of Wayland, '
                                                  'enhanced clipboard '
                                                  'monitoring, user education '
                                                  'on manual verification',
                            'root_causes': 'Exploitation of X11 clipboard '
                                           'functionality, lack of manual '
                                           'verification of wallet addresses'},
 'recommendations': ['Transition from X11 to Wayland',
                     'Monitor for unusual clipboard polling activity',
                     'Verify wallet addresses manually before transactions'],
 'references': [{'date_accessed': '2026-03-05',
                 'source': 'Cyble Research and Intelligence Labs'}],
 'response': {'enhanced_monitoring': 'Monitor for unusual clipboard activity',
              'remediation_measures': 'Transition from X11 to Wayland, monitor '
                                      'for unusual clipboard polling, verify '
                                      'wallet addresses manually',
              'third_party_assistance': 'Cyble Research and Intelligence Labs'},
 'title': 'ClipXDaemon Linux Malware Hijacks Crypto Wallet Addresses in X11 '
          'Sessions',
 'type': 'Malware',
 'vulnerability_exploited': 'X11 clipboard functionality'}