Malware campaign uses VirusTotal manipulation, legitimate news sites to gain reputation

A campaign to spread clipboard hijacker malware uses a sophisticated combination of social media “ghost networks,” VirusTotal vote manipulation, and publications on real news sites to lend legitimacy to its trojanized software, Check Point Research revealed Wednesday.

The threat actor advertises fake software offering a competitive edge to crypto traders and players of online gambling games, but Check Point noted its social engineering tactics, particularly targeting VirusTotal, could extend to threats affecting enterprises.

“These techniques can also be abused by other types of actors distributing and promoting information stealers or other malware families, which can eventually lead to full ransomware compromises in more mature environments,” the researchers wrote. “In other words, the same playbook of fake reputation and broad promotion can be reused to deliver more damaging payloads over time.”

The social-engineering campaign combines a core WordPress-based phishing site, GitHub and SourceForge repos hosting the malware, YouTube channels promoting the malware, VirusTotal upvotes and comments, and press releases posted to legitimate news sites. The malware is also distributed via posts on other social media, cryptocurrency forums and Telegram channels.

The fake software being advertised mainly includes “sniper bots” for Solana and Pump.fun, used to automatically buy new tokens and meme coins, an “Aviator Predictor” to predict the outcome of the popular Aviator betting game, and other predictor tools for “crash-game” online gambling.

The attacker extensively uses “ghost networks” of fake accounts to boost views and engagements across social media, including inflated stars and forks on GitHub, fake positive comments and ratings on SourceForge, and fake views and comments on YouTube.

The YouTube channel used to promote the software reportedly uses an AI-generated narrator while purportedly demonstrating how to use tools such as the Aviator predictor, crash-game predictors and crypto trading bots. These videos have garnered thousands of views, likely through the use of botting and ghost networks, as well as many positive comments claiming the advertised software works well.

On VirusTotal, both Windows and macOS samples of the clipboard hijacker have low vendor detection rates and relatively high community scores due to upvotes made by suspected fake accounts. These accounts also leave comments claiming the software is safe to use and attempting to explain away flagged indicators of compromise (IOCs).

“When this sentiment manipulation coincides with low antivirus detection rates, reputation-based detection systems may be more likely to misclassify these IOCs as benign, potentially allowing them to bypass security controls,” the Check Point researchers wrote.  

Check Point Research also discovered a press release linked to the campaign, which may have been originally published to EINPresswire, shared on several legitimate news websites including The National Law Review, Asbury Park Press, Tallahassee Democrat and The Providence Journal. The press release advertises a “hash analysis platform” related to Aviator predictor and crash-game predictor tools promoted by a fake company called Decryptor and linking back to the phishing site.

The researchers said these posts may have been made as paid advertisements or through some form of compromise, but noted all of the releases were published on the same date — April 27, 2026 — and most have since been taken down by the news organizations.

These public campaigns all tie back to Telegram username JoseCmanXD, who is listed as the main contact on the phishing site and YouTube channel as well as the founder of “Decryptor” in the press release.

The clipboard hijacker payload constantly monitors changes to users’ clipboard contents for cryptocurrency wallet addresses and replaces them with the attacker’s wallet addresses to steal crypto transfers. The malware is written in Rust and establishes persistence with a Startup shortcut on Windows machines and a shell script wrapper written to “~launch.sh” along with a LaunchAgent plist with “RunAtLoad” and “KeepAlive” keys on macOS systems.
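The macOS persistence pattern described above (a LaunchAgent with RunAtLoad and KeepAlive that launches a shell-script wrapper kept in the user's home directory) can be hunted for offline. The following is an added example written for this article, not code from Check Point or from the malware; the plist samples, the file name and the heuristics are constructed assumptions, not real indicators.

```python
import plistlib
import re
from typing import List

# Heuristic hunt for the persistence pattern described in the article.
# Assumptions (not from the article): the exact plist shape, the shell
# list and the "script directly under the home directory" rule.
HOME_SCRIPT = re.compile(r"^(?:~|/Users/[^/]+)/[^/]*\.sh$")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "sh", "bash", "zsh"}


def _program_paths(plist: dict) -> List[str]:
    """Collect the executable and every argument a LaunchAgent runs."""
    paths = []
    if "Program" in plist:
        paths.append(str(plist["Program"]))
    paths.extend(str(a) for a in plist.get("ProgramArguments") or [])
    return paths


def launch_agent_findings(plist_bytes: bytes) -> List[str]:
    """Return reasons a LaunchAgent resembles the hijacker's persistence.

    An empty list means none of the heuristics matched."""
    plist = plistlib.loads(plist_bytes)
    findings = []
    # RunAtLoad starts it at login; KeepAlive (bool or dict) restarts it if killed.
    if plist.get("RunAtLoad") is True and plist.get("KeepAlive") not in (None, False):
        findings.append("RunAtLoad+KeepAlive: starts at login and restarts after kill")
    paths = _program_paths(plist)
    if any(HOME_SCRIPT.match(p) for p in paths):
        findings.append("runs a shell script stored directly in the user home")
    if paths and paths[0] in SHELLS and len(paths) > 1:
        findings.append(f"shell wrapper invoking {paths[1]}")
    return findings


# Constructed sample mimicking the described persistence (not a real IOC).
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>/Users/alice/~launch.sh</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed benign agent: one helper binary inside an app bundle, no KeepAlive.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.helper</string>
<key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
<key>RunAtLoad</key><true/>
</dict></plist>"""
```

Run it over every plist in ~/Library/LaunchAgents; any agent that returns all three findings deserves a look at the script it launches.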

The Windows version replaces wallet addresses with those from a list of more than 15,500 addresses including about 15,000 Bitcoin-related addresses, 500 Ethereum-related addresses and single addresses for other forms of cryptocurrency. The macOS version only includes one wallet address for each form of cryptocurrency. The macOS version also includes a text file titled “!!! READ THIS – RUN UNLOCKER IF APP IS BLOCKED” in the ZIP folder providing instructions for the user to circumvent macOS’s Gatekeeper warnings.

The researchers suspect, based on posts to hacker forums made by JoseCmanXD dating back to 2019, that the threat actor has been active for several years developing and promoting cryptocurrency-stealing tools, including a Bitcoin stealer called “CryptoRipper.”

“Even if this campaign is not primarily aimed at large enterprises, it shows that attackers no longer rely on classic malware distribution techniques to reach victims. Instead, they can manipulate reputation systems, crowd-sourced feedback, and cross-platform promotion to lower suspicion and attract more users,” Check Point Research concluded.
