
Crypto Clipper Campaign Uses Fake Reviews, AI Narrators, and VirusTotal Comments

Ravie Lakshmanan, June 17, 2026, Malware / Social Engineering

An unknown threat actor has been observed using paid or sponsored placements on legitimate news websites to advertise their wares, according to new findings from Check Point Research.

The threat actor also runs a dedicated WordPress phishing site that serves as a central hub, alongside GitHub and SourceForge projects promoted by fake accounts, a YouTube channel, and a set of coordinated VirusTotal accounts whose job is to vote malicious files as harmless.

“To push the malicious ‘tool’, one threat actor borrowed the same playbook used by legitimate brands to create buzz: increased download statistics, integrated five-star reviews, influencer-style instructional videos, and promotion on platforms that people naturally trust,” Check Point said in a report shared with The Hacker News. “The result is a false impression that affects everything a curious victim might check before clicking ‘download.’”

The ultimate goal of the campaign is to deliver a cryptocurrency clipper hidden inside Solana and Pump.fun sniper bots and crash game predictors, which suggests that cryptocurrency asset owners and online gamblers hunting for shortcuts and quick profits are the intended targets.

The Rust-based clipper targets both Windows and macOS and continuously monitors the clipboard for content that matches cryptocurrency address patterns. When it finds a match, the malware replaces the wallet address with an attacker-controlled address drawn from a hard-coded list, so that the victim's funds are sent to the attacker instead.
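As an added illustration (not code from Check Point or from the campaign described above), the defensive check below looks at the clipper behavior from the monitoring side: given a trace of clipboard snapshots, it flags the moment an address-shaped value the user copied is silently replaced by a different address of the same chain. The address patterns, the event trace and the sample wallets are constructed assumptions, not values taken from the report.

```python
import re

# Constructed, heuristic address-shape patterns for chains a clipper commonly targets
# (assumption: the page names Solana; BTC and ETH shapes are added for generality).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    "sol": re.compile(r"[1-9A-HJ-NP-Za-km-z]{32,44}"),
}

def classify(text):
    """Return the chain whose address shape `text` matches, or None."""
    value = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            return chain
    return None

def detect_clipper(events, window=2.0):
    """Flag the clipper signature: an address the user copied is replaced, with no new
    user copy, by a different address of the same chain within `window` seconds.

    events: iterable of (timestamp_seconds, clipboard_text, source), where source is
    "user" for a copy the user made and "poll" for a snapshot taken by the monitor.
    """
    alerts = []
    last_user = None            # (timestamp, text, chain) of the user's latest copy
    for ts, text, source in events:
        chain = classify(text)
        if source == "user":
            last_user = (ts, text, chain)
            continue
        if last_user is None or chain is None:
            continue
        uts, utext, uchain = last_user
        if chain == uchain and text != utext and ts - uts <= window:
            alerts.append({"at": ts, "chain": chain, "expected": utext, "observed": text})
            last_user = None    # report each swap once
    return alerts

# Constructed sample trace (not real wallets): two silent swaps and two benign copies.
USER_SOL = "7Ld8zLfN2oPk9vQ5rR1sTgH3xWmY4eJbK6cD2nF8uA9p"
SWAP_SOL = "9Fq2pHxN9kLmV7wRtY5bZcD4eGjUsA8nQ1vK6yMoPrXz"
USER_ETH = "0x" + "ab12" * 10
SWAP_ETH = "0x" + "cd34" * 10
SAMPLE_EVENTS = [
    (0.0, USER_SOL, "user"), (0.5, USER_SOL, "poll"), (1.0, SWAP_SOL, "poll"),
    (10.0, "meeting notes", "user"), (10.5, "meeting notes", "poll"),
    (20.0, USER_ETH, "user"), (20.3, SWAP_ETH, "poll"),
    (30.0, SWAP_ETH, "user"), (30.4, SWAP_ETH, "poll"),   # user's own copy: no alert
]

if __name__ == "__main__":
    for alert in detect_clipper(SAMPLE_EVENTS):
        print(f"[{alert['at']:.1f}s] {alert['chain']} address swapped: {alert['observed']}")
```

Real clipboard hooks differ per platform; the trace format above stands in for whatever a host agent records, and the same comparison logic applies.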

Notable in this campaign is the use of Ghost Networks (coordinated sets of fake accounts) to poison reputation-driven systems like VirusTotal, with the aim of lowering suspicion and raising victims’ trust in the malicious files through a combination of high ratings and positive comments.

This behavior extends to GitHub, where the threat actor uses at least six accounts to promote and distribute the malware; one such repository has 146 stars and 62 forks. These inflated popularity signals are designed to lull users into a false sense of security and trust.

“On SourceForge, the download counter reached 44,485, of which a suspicious 37,460 were said to be from Android devices, despite the fact that the developer only offers Windows and macOS versions,” Check Point explained. “A plausible explanation is the use of an Android farm to illegally increase the number of downloads on SourceForge.”

In addition, the tools are promoted through a dedicated YouTube channel with over 91,000 subscribers. The channel was created in July 2020, with the operators stating it exists “for educational purposes only.” Tutorial-style videos feature AI-generated narrators and motivational commentary to reinforce the illusion of popularity and credibility.

Perhaps the most unusual aspect of the campaign is the threat actor’s use of a press release distribution service, EIN Presswire, to market the purported capabilities of their tools. The press release was subsequently syndicated to all of the service’s partner news websites, most notably those of the USA TODAY Network.

“Managing sentiment and reputation across crowdsourced platforms marks a significant shift in how attackers build trust,” Check Point said. “The same playbook of fake reputation and cross-platform promotion can easily distribute hackers or ransomware to high-value targets over time.”
