- Check Point Research uncovers a PR-style campaign distributing a Rust clipboard hijacker disguised as legitimate software
- Attackers used phishing websites, GitHub/SourceForge projects, fake YouTube channels, and even press releases from news outlets to boost credibility
- The malware swaps crypto wallet addresses in the clipboard, while “ghost networks” of fake accounts manipulate reputation systems so it avoids detection
Hackers have launched a full-blown, multi-platform PR campaign to trick people into thinking the malware they’re distributing is actually legitimate software, experts have warned.
A report by Check Point Research warned that even those who do regular due diligence can be duped.
At the center of the campaign is a clipboard hijacker, often called a clipper: malware that watches the victim’s clipboard for text that looks like a cryptocurrency wallet address and, when it sees one, silently replaces it with an attacker-controlled address of the same type. Because people copy and paste addresses rather than retype them, a victim who pastes the swapped string into their wallet and confirms the transfer ends up paying the attackers instead. Both Windows and macOS users are at risk.
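To make the mechanism concrete, here is an added example in Rust (the language of the hijacker in the report, but this is not Check Point’s code or the malware itself). It shows the format matching a clipper needs in order to pick a target, beside a small defender that flags an address rewritten without a user copy. All addresses, the hypothetical `ClipboardMonitor`, and the clipboard events are constructed samples; nothing touches the real OS clipboard.

```rust
// Added example, not Check Point's code or the malware from the report:
// the format matching a clipper needs to pick a target, beside a defender
// that flags an address rewritten without a user copy. Every address and
// clipboard event below is a constructed sample; nothing touches the real
// OS clipboard.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AddressKind {
    BitcoinLegacy, // base58, starts with '1' (P2PKH) or '3' (P2SH)
    BitcoinBech32, // bc1..., lowercase bech32 charset
    Ethereum,      // 0x followed by 40 hex digits
}

const BASE58: &str = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
const BECH32: &str = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";

/// Format-only classification (no checksum check): enough for a clipper
/// to choose a replacement, and enough for a defender to know that the
/// clipboard currently holds something that looks like a wallet address.
pub fn classify(text: &str) -> Option<AddressKind> {
    let s = text.trim();
    if s.len() == 42 && s.starts_with("0x") && s[2..].chars().all(|c| c.is_ascii_hexdigit()) {
        return Some(AddressKind::Ethereum);
    }
    if s.starts_with("bc1")
        && (42..=62).contains(&s.len())
        && s[3..].chars().all(|c| BECH32.contains(c))
    {
        return Some(AddressKind::BitcoinBech32);
    }
    if (s.starts_with('1') || s.starts_with('3'))
        && (26..=35).contains(&s.len())
        && s.chars().all(|c| BASE58.contains(c))
    {
        return Some(AddressKind::BitcoinLegacy);
    }
    None
}

/// Attacker-controlled destination per address family (constructed samples).
fn attacker_address(kind: AddressKind) -> &'static str {
    match kind {
        AddressKind::BitcoinLegacy => "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy",
        AddressKind::BitcoinBech32 => "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
        AddressKind::Ethereum => "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
    }
}

/// The clipper's whole decision: if the clipboard holds an address, return
/// the attacker's address of the same family to write back; otherwise None.
pub fn clipper_swap(clipboard: &str) -> Option<String> {
    classify(clipboard).map(|kind| attacker_address(kind).to_string())
}

/// Simulated defender (hypothetical). A real one would subscribe to
/// clipboard change notifications (AddClipboardFormatListener on Windows,
/// NSPasteboard changeCount polling on macOS) and derive `user_copied`
/// from whether the foreground application or a copy keystroke produced
/// the write.
#[derive(Default)]
pub struct ClipboardMonitor {
    last_address: Option<String>,
}

impl ClipboardMonitor {
    /// Feed one clipboard write. Returns an alert when an address that was
    /// already on the clipboard is replaced by a different address and the
    /// user did not perform a copy: the clipper's signature behaviour.
    pub fn observe(&mut self, text: &str, user_copied: bool) -> Option<String> {
        let kind = classify(text);
        let alert = match (&self.last_address, kind) {
            (Some(prev), Some(k)) if !user_copied && prev.as_str() != text => Some(format!(
                "clipboard {:?} address rewritten without user action: {} -> {}",
                k, prev, text
            )),
            _ => None,
        };
        self.last_address = kind.map(|_| text.to_string());
        alert
    }
}

/// Constructed scenario: the victim copies a payee address, the clipper
/// rewrites it in the background, the monitor catches the rewrite.
pub fn simulate() -> Vec<String> {
    let mut monitor = ClipboardMonitor::default();
    let mut alerts = Vec::new();
    // 1. Ordinary text copied by the user: not an address, nothing tracked.
    alerts.extend(monitor.observe("pay rent on Friday", true));
    // 2. The user copies the payee's address from a message.
    let payee = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2";
    alerts.extend(monitor.observe(payee, true));
    // 3. The clipper notices the address and writes its own back.
    if let Some(swapped) = clipper_swap(payee) {
        alerts.extend(monitor.observe(&swapped, false));
    }
    alerts
}

fn main() {
    for alert in simulate() {
        println!("{}", alert);
    }
}
```

The point of the pairing is that the attacker and the defender need the same cheap format check; what distinguishes a swap from a legitimate second copy is provenance of the write, not the content. That is also why the only reliable user-side defence is to compare the pasted address against the source, character by character or at least first and last few characters, before confirming a transfer.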
Abusing news websites
“The threat actor uses multiple channels to promote and distribute a Rust clipboard hijacker, starting with a dedicated phishing site as the central hub and extending to GitHub and SourceForge projects promoted by fake accounts,” the company said.
“A dedicated YouTube channel using AI-generated narrators, suspicious view spikes, and highly positive (probably coordinated) comments further reinforces the illusion of popularity and credibility.”
To distribute the malware, the attackers ran an aggressive PR campaign: a dedicated phishing page, multiple GitHub and SourceForge projects and accounts, and a fake YouTube channel. The most surprising part is that they also pushed press releases about the software through newswire sites.
Newswire sites are services that distribute company press releases and announcements to media outlets, journalists, websites and investors. Most of them let anyone submit and distribute a press release, usually for a fee, yet the releases are widely treated as a legitimate, reliable source of news, so a paid announcement lends a fake product the appearance of independent coverage.
At the same time, the hackers went the extra mile to ensure that the clipboard hijacker was not flagged as malware. Using numerous fake accounts (so-called “Ghost Networks”), they manipulated reputation-driven systems like VirusTotal, nudging researchers and potential users into treating any detection as a false positive. A practical check: treat community votes and comments as untrusted input and weigh engine verdicts, sandbox behaviour and submission history instead, since a handful of coordinated accounts is exactly what those crowd-sourced signals cannot withstand.
“Although this campaign does not primarily target large enterprises, it shows that attackers no longer rely only on classic malware distribution techniques to reach victims,” the researchers concluded. “Instead, they can manipulate reputation systems, crowd-sourced feedback and cross-platform promotion to reduce suspicion and attract more users.”
Via Hacker News