Crypto Clipper Malware Exploits Fake Reviews and AI Videos on Trusted Platforms
A sophisticated threat actor is running a cross-platform reputation-laundering campaign to distribute a Rust-based cryptocurrency clipper disguised as Solana sniper bots, Pump.fun trading tools, and crash-game predictors, according to researchers at Check Point. The malware continuously monitors the clipboard on both Windows and macOS systems, swapping any detected cryptocurrency wallet address with one pulled from a hardcoded attacker-controlled list, silently redirecting transactions to the threat actor. Cryptocurrency holders and online gamblers hunting for shortcuts to fast profits are the primary targets, drawn in through a carefully manufactured illusion of legitimacy.
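Because the clipper only ever rewrites a copied wallet address into another valid-looking address of the same chain, a defender can flag exactly that transition. The following Python is an added example (not code from Check Point or from the malware); it replays a constructed log of clipboard snapshots and reports any case where one address is replaced by a different address of the same kind within a short window with no other content in between. The regexes are deliberately simplified and are an assumption, and a real monitor would need to poll faster than the clipper swaps.

```python
import re

# Simplified address patterns (assumption; real validation also checks checksums).
# BTC is tested before SOL because legacy BTC addresses are also base58.
ADDRESS_PATTERNS = [
    ("eth", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("btc", re.compile(r"(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})")),
    ("sol", re.compile(r"[1-9A-HJ-NP-Za-km-z]{32,44}")),
]


def classify(text):
    """Return the address kind ('eth', 'btc', 'sol') or None for non-addresses."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS:
        if pattern.fullmatch(text):
            return kind
    return None


def detect_swaps(snapshots, window_s=2.0):
    """snapshots: list of (timestamp_seconds, clipboard_text), in time order.

    Flags a pair of consecutive snapshots where a valid address was replaced by a
    *different* address of the same kind within window_s seconds, which is the
    signature of a clipboard hijack rather than of a user copying a new address.
    Returns a list of (original, replacement, kind).
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        prev, cur = prev.strip(), cur.strip()
        if prev == cur:
            continue
        kind_prev, kind_cur = classify(prev), classify(cur)
        if kind_prev is None or kind_prev != kind_cur:
            continue
        if t_cur - t_prev <= window_s:
            alerts.append((prev, cur, kind_cur))
    return alerts


# Constructed sample log: user copies an ETH address, it is swapped 0.3 s later.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (1.0, "0x" + "a" * 40),          # user's intended address
    (1.3, "0x" + "b" * 40),          # silently replaced: should be flagged
    (5.0, "some unrelated text"),
    (10.0, "A" * 32),                # a SOL-shaped address
    (20.0, "B" * 32),                # another SOL address, but 10 s later: user action
    (21.0, "1" + "A" * 33),          # BTC-shaped: different kind, not flagged
]

if __name__ == "__main__":
    for original, replacement, kind in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"ALERT {kind}: {original} -> {replacement}")
```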
The campaign's infrastructure spans a WordPress phishing page serving as the central hub, six GitHub accounts used for cross-promotion, a SourceForge project with an inflated download counter of 44,485 (37,460 suspiciously attributed to Android devices despite no Android build existing), and a YouTube channel with over 91,000 subscribers created in July 2020. Tutorial-style videos feature AI-generated narrators and curated positive comments to reinforce the perception of popularity. To verify whether a downloaded file has been flagged or tampered with, users can run a quick SSL/TLS checker on any associated domains or review the project’s hosting history. The operation also deploys coordinated "Ghost Networks" to upvote and leave glowing comments on VirusTotal scans, aiming to misclassify malicious samples as safe and erode technical suspicion before victims even click download.
The tradecraft borrows directly from legitimate brand-marketing playbooks: inflated download counts, coordinated five-star reviews, influencer-style tutorials, and promotion on platforms users instinctively trust. One GitHub repository has accumulated 146 stars and 62 forks, lending surface-level credibility that lowers victims' guard. Researchers warn that this synthetic reputation economy is engineered to defeat the exact heuristics security-conscious users rely on, and anyone evaluating third-party software should verify the publisher's identity through a WHOIS lookup and confirm that the source domain was not recently registered. Before installing any crypto-adjacent tooling, run a privacy checkup to ensure your environment is not leaking data through background connections.