Malware Alert: ClipBanker Targets Cryptocurrency Transactions via Phony GitHub Installers
Malicious Proxifier Installer Compromises Systems to Hijack Cryptocurrency Wallets
A sophisticated malware campaign has been discovered that uses a fake Proxifier installer hosted on GitHub to distribute the ClipBanker malware.
“This multi-stage infection chain compromises systems by weakening Microsoft Defender, running hidden PowerShell scripts, and replacing copied cryptocurrency wallet addresses with attacker-controlled ones,” according to security researchers.
The Scheme Begins:
The scheme starts when a victim searches for Proxifier and lands on a GitHub repository purporting to offer a legitimate proxy utility. However, the release files contain a trojanized installer, along with a text file containing fake activation keys, making the package appear credible and useful.
Installation Process:
- The installer does not merely install software; instead, it prepares the system for further compromise.
- The malware’s primary objective is to weaken Microsoft Defender: it drops a temporary file, injects code into the process it launches, and uses that process to run a hidden PowerShell script that adds Defender exclusions for the temporary-files folder and the installer’s folder.
- To evade detection, the Trojan injects additional .NET components into other processes, making the malicious activity more difficult to identify.
- Following this setup, the Trojan executes the genuine Proxifier installer, so the user sees a working program and has little reason to suspect that anything is amiss.
Background Operations:
- The malware generates another process, injects a second module, and utilizes it to initiate a system utility with a hidden script.
- These scripts are obfuscated but serve to expand Defender exclusions, store encoded PowerShell in the registry, and schedule further malicious code to run at a later time.
- A scheduled task subsequently reads the registry value, decodes it, and executes the next stage through PowerShell.
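The Installation Process and Background Operations steps above leave three host artifacts a responder can look for: Defender path exclusions covering user-writable folders, a registry string holding Base64-encoded PowerShell, and a scheduled task that launches PowerShell to fetch and decode that value. The following triage script is an added example, not code from the article or the researchers. It uses only standard Windows cmdlets (Get-MpPreference, Get-ChildItem on the registry provider, Get-ScheduledTask); the path fragments, registry roots and keyword list it matches against are assumptions, since the article does not name the exact locations used.

```powershell
# Added host-triage script (not from the article). Run in an elevated PowerShell
# on the host being examined; it only reports findings and changes nothing.

# 1. Defender exclusions that cover temp folders or other user-writable paths.
#    The path fragments below are an assumption about what is worth flagging.
function Get-SuspiciousDefenderExclusions {
    $flag = @('\AppData\Local\Temp', '\Windows\Temp', '\Users\Public', '\Downloads')
    foreach ($path in @((Get-MpPreference).ExclusionPath)) {
        if (-not $path) { continue }
        $why = $flag | Where-Object { $path -like "*$_*" } | Select-Object -First 1
        if ($why) {
            [pscustomobject]@{ Kind = 'DefenderExclusion'; Where = $path; Detail = "exclusion covers $why" }
        }
    }
}

# 2. Registry string values that Base64-decode to UTF-16LE PowerShell, the encoding
#    powershell.exe -EncodedCommand consumes. Roots and keywords are assumptions.
function ConvertFrom-EncodedPowerShell {
    param([string]$Value)
    if ($Value -notmatch '^[A-Za-z0-9+/]{64,}={0,2}$') { return $null }
    try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Value)) }
    catch { return $null }
    if ($decoded -match 'Add-MpPreference|Set-MpPreference|Invoke-Expression|\bIEX\b|FromBase64String|DownloadString|Get-ItemProperty') {
        return $decoded
    }
    return $null
}

function Find-EncodedPowerShellInRegistry {
    param([string[]]$Roots = @('HKCU:\Software', 'HKLM:\SOFTWARE'))   # assumed sweep roots
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                $value = $key.GetValue($name)
                if ($value -isnot [string]) { continue }      # only REG_SZ / REG_EXPAND_SZ
                $decoded = ConvertFrom-EncodedPowerShell -Value $value
                if ($decoded) {
                    [pscustomobject]@{ Kind = 'RegistryPayload'; Where = "$($key.Name)\$name"
                                       Detail = $decoded.Substring(0, [Math]::Min(120, $decoded.Length)) }
                }
            }
        }
    }
}

# 3. Scheduled tasks whose action launches PowerShell hidden, with an encoded
#    command, or reading from the registry (the stage chaining described above).
function Find-SuspiciousScheduledTasks {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in @($task.Actions)) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'powershell|pwsh' -and
                $cmd -match '-(e|ec|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden|HK(CU|LM)|Get-ItemProperty|FromBase64String') {
                [pscustomobject]@{ Kind = 'ScheduledTask'; Where = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd }
            }
        }
    }
}

$findings = @(Get-SuspiciousDefenderExclusions) + @(Find-EncodedPowerShellInRegistry) + @(Find-SuspiciousScheduledTasks)
if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No matching artifacts found.' }
```

The registry sweep recurses through both hives and can take several minutes on a large system; narrow `-Roots` to the Run keys or to the hive of the affected user when time matters. The decoder can be sanity-checked offline by feeding `ConvertFrom-EncodedPowerShell` a Base64 string you build yourself from `[Text.Encoding]::Unicode.GetBytes(...)`; it deliberately ignores decoded text that contains none of the listed keywords, so extend the keyword list rather than removing that filter if it is too quiet for your environment.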
Final Payload:
- The final payload is ClipBanker, a clipboard hijacker written in C++ that monitors cryptocurrency wallet addresses and replaces them with attacker-controlled ones.
- This malware targets a wide range of blockchain networks, including Bitcoin, Ethereum, Monero, Solana, and TRON, making the campaign particularly hazardous for individuals who copy wallet addresses during trades, payments, or fund transfers.
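A clipboard hijacker of the kind described here can only succeed if the pasted address differs from the one the user meant to copy, which gives the defender two checks: confirm before sending that the clipboard still holds the address shown on screen, and watch for one wallet-looking string being replaced by a different one on the same network immediately after a copy. The script below is an added example, not code from the article. Network classification is by address format only, using regular expressions that are my own approximation of each network's address shape (the article names the networks but no patterns), so it cannot tell a legitimate address from an attacker's one; it only notices mismatches and rapid replacements. It uses the standard Get-Clipboard cmdlet.

```powershell
# Added clipboard guard (not from the article). Format-based classification only;
# the patterns are assumptions approximating each network's address shape.
$script:WalletPatterns = [ordered]@{
    Bitcoin  = '^([13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87})$'
    Ethereum = '^0x[0-9a-fA-F]{40}$'
    Monero   = '^[48][1-9A-HJ-NP-Za-km-z]{94,105}$'
    TRON     = '^T[1-9A-HJ-NP-Za-km-z]{33}$'
    Solana   = '^[1-9A-HJ-NP-Za-km-z]{32,44}$'   # broadest pattern, so it is checked last
}

function Get-WalletNetwork {
    param([string]$Text)
    $t = "$Text".Trim()
    foreach ($net in $script:WalletPatterns.Keys) {
        if ($t -match $script:WalletPatterns[$net]) { return $net }
    }
    return $null
}

# Pure comparison so the swap heuristic can be exercised without touching the clipboard:
# a swap is two different addresses of the same network within a short window.
function Test-AddressSwap {
    param([string]$Previous, [string]$Current, [double]$ElapsedSeconds, [double]$WindowSeconds = 5)
    $prevNet = Get-WalletNetwork $Previous
    $curNet  = Get-WalletNetwork $Current
    return ($null -ne $prevNet) -and ($prevNet -eq $curNet) -and
           ("$Previous".Trim() -ne "$Current".Trim()) -and ($ElapsedSeconds -le $WindowSeconds)
}

# Check 1: before sending, compare the address visible on screen with the clipboard.
function Confirm-ClipboardAddress {
    param([Parameter(Mandatory)][string]$Expected)
    $actual = "$(Get-Clipboard -Raw -ErrorAction SilentlyContinue)".Trim()
    [pscustomobject]@{
        Expected = $Expected.Trim()
        Actual   = $actual
        Network  = Get-WalletNetwork $actual
        Match    = ($Expected.Trim() -eq $actual)
    }
}

# Check 2: poll the clipboard and warn when a wallet address is replaced by another
# address of the same network shortly after it appeared.
function Watch-WalletClipboard {
    param([int]$DurationSeconds = 120, [int]$PollMilliseconds = 250)
    $last = "$(Get-Clipboard -Raw -ErrorAction SilentlyContinue)"
    $lastSeen = Get-Date
    $end = (Get-Date).AddSeconds($DurationSeconds)
    while ((Get-Date) -lt $end) {
        Start-Sleep -Milliseconds $PollMilliseconds
        $now = "$(Get-Clipboard -Raw -ErrorAction SilentlyContinue)"
        if ($now -eq $last) { continue }
        $elapsed = ((Get-Date) - $lastSeen).TotalSeconds
        if (Test-AddressSwap -Previous $last -Current $now -ElapsedSeconds $elapsed) {
            Write-Warning ("{0} address replaced {1:N1}s after copy:`n  was: {2}`n  now: {3}" -f (Get-WalletNetwork $now), $elapsed, $last, $now)
        } elseif (Get-WalletNetwork $now) {
            Write-Host ("[{0:HH:mm:ss}] {1} address on clipboard: {2}" -f (Get-Date), (Get-WalletNetwork $now), $now)
        }
        $last = $now; $lastSeen = Get-Date
    }
}
```

`Confirm-ClipboardAddress -Expected '<address shown in the wallet UI>'` is the check worth building into a transfer routine, because it does not depend on timing. The polling watcher is weaker by design: a hijacker that rewrites the clipboard on the clipboard-update event can replace the content before the next poll, in which case the watcher sees only the attacker's address and logs it as an ordinary copy. It still catches slower replacements and, run during a test transfer on a machine you suspect, gives a quick way to see whether what you copied is what the clipboard now holds.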
Detection and Impact:
- Security researchers have detected over 2,000 instances of this malware among Kaspersky users since the beginning of 2025.
- The majority of cases originated from India and Vietnam.
- Many detections were associated with the use of a free cleanup tool, indicating the attackers’ efforts to maintain their presence within compromised systems.
