EXECUTIVE SUMMARY
A financially motivated threat actor is operating a clipboard hijacking campaign that targets cryptocurrency holders and online gamblers seeking automated trading tools. The group disguises its Rust‐based malware as "sniper bots" and "predictors" and distributes it through a phishing landing page that mimics legitimate software repositories. Promotion relies on fabricated stars, forks and video views to create a false reputation, luring victims worldwide, with download spikes observed in South Asia and the Middle East. The primary objective is to intercept wallet addresses copied to the clipboard and replace them with attacker‐controlled accounts, generating illicit crypto gains.
The infection begins when a victim follows a link from a social media post or forum discussion to the counterfeit download page. The page serves a Rust binary that silently installs a service on Windows or macOS hosts. Once active, the program establishes persistence by registering itself with system startup routines and monitors the clipboard for strings that resemble cryptocurrency wallet identifiers. Upon detection, it overwrites the address with one from a hard‐coded list and forwards the original value to a remote server, allowing the actors to cash out.
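The swap behaviour described above leaves one signal a hijacker cannot avoid on the endpoint: a wallet-looking value in the clipboard changes to a different wallet-looking value with no user copy action in between. The following Python script is an added example, not code from this advisory or from the reports it cites. It replays a constructed sequence of clipboard snapshots and flags exactly those transitions; the `Snapshot`/`Alert` types, the `detect_swaps` function, the address patterns and the sample addresses are all hypothetical and illustrate what an endpoint agent's clipboard monitor would evaluate.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Illustrative shape checks for a few common address formats (assumption: not
# exhaustive; a production agent would also validate checksums, not just shape).
WALLET_PATTERNS = {
    "BTC_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "BTC_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "ETH":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "TRX":        re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def wallet_kind(text: str) -> Optional[str]:
    """Return the address family a string resembles, or None if it is not wallet-like."""
    s = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


@dataclass
class Snapshot:
    ts: float          # seconds since the agent started polling the clipboard
    text: str          # clipboard contents observed at that instant
    user_copy: bool    # True if a user-initiated copy (Ctrl+C, context menu) was seen


@dataclass
class Alert:
    ts: float
    original: str
    replaced_with: str
    kind: str


def detect_swaps(snapshots: List[Snapshot]) -> List[Alert]:
    """Flag a wallet-looking value that became a *different* wallet-looking value
    without any user copy event: the signature of a clipboard hijacker."""
    alerts: List[Alert] = []
    prev: Optional[Snapshot] = None
    for snap in snapshots:
        if prev is not None and not snap.user_copy:
            before, after = prev.text.strip(), snap.text.strip()
            if before != after and wallet_kind(before) and wallet_kind(after):
                alerts.append(Alert(snap.ts, before, after, wallet_kind(after)))
        prev = snap
    return alerts


# Constructed sample data: none of these addresses is real.
USER_ETH     = "0x12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab"
ATTACKER_ETH = "0xc0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ff"
USER_BTC     = "bc1qconstructedaddress000000000000000000"

SAMPLE_EVENTS = [
    Snapshot(0.0,  "meeting notes for Monday", True),
    Snapshot(10.0, USER_ETH,     True),    # user copies their own deposit address
    Snapshot(10.2, ATTACKER_ETH, False),   # replaced 200 ms later, no copy event -> alert
    Snapshot(40.0, USER_BTC,     True),
    Snapshot(55.0, USER_BTC,     False),   # same value on the next poll -> nothing
    Snapshot(60.0, "hello",      False),   # non-wallet text changed -> nothing
    Snapshot(70.0, USER_ETH,     True),
    Snapshot(70.1, ATTACKER_ETH, False),   # second swap -> alert
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"[{a.ts:6.1f}s] {a.kind} address swapped: {a.original} -> {a.replaced_with}")
```

The `user_copy` flag is what separates a hijacker from the user changing their mind: a real agent would set it from an input hook or the platform's clipboard-owner change notification, and a value that changes with no such event is the suspicious case worth alerting on or, for a user-facing guard, blocking the paste until confirmed.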
Control is retained through beaconing and updates delivered via the same channel. The campaign matters because it extracts value directly from users' crypto wallets without requiring ransomware or credential theft, making financial loss immediate and hard to reverse. Manipulated reputation signals allow the binaries to slip past many traditional antivirus solutions, while the low‐profile clipboard monitoring evades typical network alerts. Organizations should enforce strict download controls, educate staff about unsolicited crypto tools, and deploy endpoint solutions that can detect unusual clipboard modifications. Regular backups of wallet keys, network segmentation for trading applications, and continuous monitoring for outbound beacon traffic further reduce exposure and improve incident response readiness.
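The beacon-monitoring recommendation can be made concrete: malware that checks in on a fixed timer produces near-constant gaps between connections to the same destination, while human browsing does not. The following Python script is an added example, not from this advisory or its cited reports. It parses constructed firewall-style log lines and reports source/destination pairs whose inter-connection timing has a low coefficient of variation; the `src=`/`dst=`/`bytes=` line format, the `find_beacons` function, the thresholds and all addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Assumed log format (constructed for this example):
#   <ISO-8601 UTC timestamp> src=<ip> dst=<ip:port> bytes=<n>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+bytes=(?P<bytes>\d+)$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Parse one log line; return None for malformed lines instead of failing."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["bytes"])


def find_beacons(lines: List[str], min_events: int = 6, max_cv: float = 0.2) -> List[Dict]:
    """Report (src, dst) pairs with at least `min_events` connections whose gaps
    between connections have a coefficient of variation (stdev / mean) <= `max_cv`."""
    stamps_by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, _ = rec
            stamps_by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in stamps_by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "events": len(stamps),
                             "mean_gap_s": round(avg, 1), "cv": round(cv, 3)})
    return findings


# Constructed sample: 10.0.0.5 checks in roughly every 60 s with a tiny payload;
# 10.0.0.9 browses the same site at irregular intervals with varying sizes.
SAMPLE_LOG = """
2026-03-01T10:00:00Z src=10.0.0.5 dst=203.0.113.7:443 bytes=412
2026-03-01T10:00:05Z src=10.0.0.9 dst=198.51.100.20:443 bytes=18231
2026-03-01T10:00:09Z src=10.0.0.9 dst=198.51.100.20:443 bytes=9022
2026-03-01T10:01:01Z src=10.0.0.5 dst=203.0.113.7:443 bytes=412
2026-03-01T10:02:00Z src=10.0.0.5 dst=203.0.113.7:443 bytes=415
2026-03-01T10:02:40Z src=10.0.0.9 dst=198.51.100.20:443 bytes=2210
2026-03-01T10:03:00Z src=10.0.0.9 dst=198.51.100.20:443 bytes=50122
2026-03-01T10:03:02Z src=10.0.0.5 dst=203.0.113.7:443 bytes=412
2026-03-01T10:03:59Z src=10.0.0.5 dst=203.0.113.7:443 bytes=413
2026-03-01T10:05:00Z src=10.0.0.5 dst=203.0.113.7:443 bytes=412
2026-03-01T10:06:01Z src=10.0.0.5 dst=203.0.113.7:443 bytes=412
2026-03-01T10:07:00Z src=10.0.0.5 dst=203.0.113.7:443 bytes=412
2026-03-01T10:10:15Z src=10.0.0.9 dst=198.51.100.20:443 bytes=777
2026-03-01T10:11:00Z src=10.0.0.9 dst=198.51.100.20:443 bytes=1203
2026-03-01T10:25:30Z src=10.0.0.9 dst=198.51.100.20:443 bytes=64000
this line is malformed and should be ignored
""".strip().splitlines()

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {f['src']} -> {f['dst']} "
              f"({f['events']} events, mean gap {f['mean_gap_s']}s, cv {f['cv']})")
```

The `min_events` floor keeps short bursts from scoring, and the `max_cv` threshold is where tuning happens: malware that adds random jitter raises the coefficient of variation, so a production rule would typically combine timing regularity with the near-constant byte counts visible in the sample rather than rely on timing alone.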
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1588.002 | Obtain Capabilities | Tool |
| Resource Development | T1588.001 | Obtain Capabilities | Malware |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Persistence | T1547 | Boot or Logon Autostart Execution | — |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Collection | T1115 | Clipboard Data | — |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/rust-clipboard-hijacker-uses-fake-github-stars/
https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/