GitHub: Rust Clipboard Hijacker Uses Fake GitHub Stars and VirusTotal Upvotes to Steal Crypto

New Rust-Based Clipboard Hijacker Campaign Targets Crypto Users with Fake Legitimacy

A sophisticated malware campaign is siphoning cryptocurrency by exploiting a deceptive trust-building strategy, bypassing traditional security defenses. The attack leverages a Rust-written clipboard hijacker that silently replaces copied wallet addresses with attacker-controlled ones, redirecting funds during transactions.

How the Attack Works

The malware operates in the background, monitoring clipboard activity for cryptocurrency wallet addresses (including Bitcoin, Ethereum, Monero, and others). When detected, it swaps the victim’s intended address with one from a list of over 15,500 attacker-controlled wallets, which are rotated frequently to evade tracking.

  • Windows: Victims download a ZIP archive containing an executable (e.g., SniperBot_Premium(Free).exe) that runs a .NET loader, which in turn deploys the Rust hijacker (silkebin.exe). The malware copies itself into the startup folder for persistence.
  • macOS: Users run unlocker.command, which bypasses security warnings and installs a LaunchAgent with a self-healing watchdog loop, making removal difficult.
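The behaviour that matters for detection is the one described above: a wallet address sits in the clipboard and, a fraction of a second later, is replaced by a different address of the same coin without any user action. The following Python is an added example (not code from the original article or from the campaign analysis) that runs a simple swap detector over a constructed sequence of clipboard events. The address regexes are deliberately simplified heuristics, the `source` field stands in for whatever process attribution an OS clipboard hook can supply (a hypothetical assumption), and the 2-second window is an assumed tuning value; all addresses and process names in the sample are synthetic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Simplified address heuristics (assumed for this example; real validation
# would also check base58/bech32 checksums rather than only shape).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


@dataclass
class ClipboardEvent:
    ts: float     # seconds since monitoring started
    text: str     # clipboard contents after the change
    source: str   # hypothetical: process that wrote the clipboard, if the hook can tell


def classify(text: str) -> Optional[str]:
    """Return the asset name if the text looks like a wallet address, else None."""
    candidate = text.strip()
    for asset, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return asset
    return None


def canonical(asset: str, text: str) -> str:
    """Normalise an address so cosmetic differences are not reported as swaps.
    Ethereum addresses are case-insensitive hex (EIP-55 mixes case only as a
    checksum), so the same address in two casings must compare equal."""
    candidate = text.strip()
    return candidate.lower() if asset == "ethereum" else candidate


def detect_swaps(events: List[ClipboardEvent], window_seconds: float = 2.0) -> List[dict]:
    """Flag a wallet address that is replaced by a *different* address of the
    same asset within `window_seconds`. A user rarely copies two distinct
    addresses of one coin within a couple of seconds; a hijacker does exactly that."""
    alerts = []
    prev: Optional[ClipboardEvent] = None
    for ev in events:
        cur_asset = classify(ev.text)
        if prev is not None and cur_asset is not None:
            prev_asset = classify(prev.text)
            if (prev_asset == cur_asset
                    and canonical(cur_asset, prev.text) != canonical(cur_asset, ev.text)
                    and ev.ts - prev.ts <= window_seconds):
                alerts.append({
                    "asset": cur_asset,
                    "original": prev.text.strip(),
                    "replacement": ev.text.strip(),
                    "delta_seconds": round(ev.ts - prev.ts, 3),
                    "replacement_source": ev.source,
                })
        prev = ev
    return alerts


# Constructed sample: addresses are synthetic, process names are illustrative.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "0x" + "ab" * 20, "browser"),        # user copies an ETH address
    ClipboardEvent(0.3, "0x" + "cd" * 20, "silkebin.exe"),   # replaced 300 ms later: swap
    ClipboardEvent(10.0, "meeting notes for tuesday", "notepad"),
    ClipboardEvent(12.0, "1" + "A" * 33, "browser"),         # user copies a BTC address
    ClipboardEvent(40.0, "3" + "B" * 33, "browser"),         # other BTC address 28 s later: user action
    ClipboardEvent(50.0, "0x" + "ef" * 20, "browser"),
    ClipboardEvent(50.5, "0x" + "EF" * 20, "browser"),       # same ETH address, checksum casing: not a swap
]


def run_sample() -> List[dict]:
    """Run the detector over the constructed events; expected to yield one alert."""
    return detect_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[ALERT] {alert['asset']} address swapped after {alert['delta_seconds']}s "
              f"by {alert['replacement_source']}: {alert['original']} -> {alert['replacement']}")
```

On the sample only the 300 ms Ethereum replacement is reported; the Bitcoin change 28 seconds later and the re-cased Ethereum address are deliberately left alone, which is the false-positive behaviour a practitioner wants before wiring such a check to a real clipboard hook.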

The Deception: Fake Trust Signals

Unlike typical malware, this campaign relies on artificially inflated credibility to appear legitimate:

  • GitHub & SourceForge: The threat actor operates six fake accounts (e.g., Decryptor-j, crash-predictor1), using Ghost Networks to generate fake stars, forks, and downloads. One repository showed 146 stars and 62 forks, while SourceForge recorded 44,485 downloads, many from Android devices, despite no Android version existing.
  • VirusTotal Manipulation: Some malware samples received false "safe" votes and benign community comments, misleading automated reputation systems.
  • YouTube & Phishing Sites: Fake tutorials and a WordPress phishing hub directed victims to malicious downloads, further reinforcing the illusion of legitimacy.

Targets & Delivery Methods

The campaign primarily lures crypto traders, online gamblers, and users seeking quick profits with fake tools, including:

  • Solana sniper bots
  • Aviator Predictors (macOS-focused, with 1,250+ downloads)
  • Crash-game forecasters

None of these tools function as advertised; they solely deliver the clipboard hijacker.

Impact & Indicators of Compromise (IoCs)

The malware’s stealth and persistence mechanisms make detection challenging. Key IoCs include:

  • SHA-256 hashes of the Rust hijacker, .NET loader, and macOS variants.
  • Attacker-controlled wallets for Bitcoin, Ethereum, Monero, and other cryptocurrencies.
  • Threat actor accounts: GitHub (Decryptor-j, crash-predictor1), Telegram (@JoseCmanXD).

The campaign highlights how social engineering and fake reputation systems can undermine even cautious users, emphasizing the risks of unverified third-party tools in the crypto space.

Source: https://cybersecuritynews.com/rust-clipboard-hijacker-uses-fake-github-stars/

GitHub TPRM report: https://www.rankiteo.com/company/github

"id": "git1781778547",
"linkid": "github",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': ['Cryptocurrency traders',
                                     'Online gamblers',
                                     'Users seeking quick-profit tools'],
                        'type': 'Individuals'}],
 'attack_vector': ['Malicious downloads',
                   'Phishing sites',
                   'Fake GitHub/SourceForge repositories',
                   'YouTube tutorials'],
 'data_breach': {'sensitivity_of_data': 'High (financial assets)',
                 'type_of_data_compromised': 'Cryptocurrency wallet addresses'},
 'description': 'A sophisticated malware campaign is siphoning cryptocurrency '
                'by exploiting a deceptive trust-building strategy, bypassing '
                'traditional security defenses. The attack leverages a '
                'Rust-written clipboard hijacker that silently replaces copied '
                'wallet addresses with attacker-controlled ones, redirecting '
                'funds during transactions.',
 'impact': {'financial_loss': 'Cryptocurrency theft via wallet address '
                              'replacement',
            'operational_impact': 'Persistent malware installation, clipboard '
                                  'monitoring',
            'payment_information_risk': 'Cryptocurrency wallet addresses '
                                        'compromised',
            'systems_affected': ['Windows', 'macOS']},
 'initial_access_broker': {'backdoors_established': ['Startup folder '
                                                     'persistence (Windows)',
                                                     'LaunchAgent with '
                                                     'watchdog loop (macOS)'],
                           'entry_point': ['Malicious ZIP files',
                                           'Fake .command scripts'],
                           'high_value_targets': ['Crypto traders',
                                                  'Online gamblers']},
 'lessons_learned': 'The campaign highlights how social engineering and fake '
                    'reputation systems can undermine even cautious users, '
                    'emphasizing the risks of unverified third-party tools in '
                    'the crypto space.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'root_causes': ['Deceptive trust-building via fake '
                                            'GitHub/SourceForge repositories',
                                            'Manipulated VirusTotal reputation',
                                            'Phishing sites and YouTube '
                                            'tutorials']},
 'recommendations': ['Avoid downloading unverified tools from third-party '
                     'sources',
                     'Verify GitHub/SourceForge repository legitimacy (e.g., '
                     'stars, forks, downloads)',
                     'Monitor clipboard activity for unexpected wallet address '
                     'changes',
                     'Use hardware wallets or multi-signature wallets for '
                     'cryptocurrency transactions'],
 'references': [{'source': 'Cybersecurity report (unspecified)'}],
 'title': 'New Rust-Based Clipboard Hijacker Campaign Targets Crypto Users '
          'with Fake Legitimacy',
 'type': 'Malware (Clipboard Hijacker)'}