Cybercriminals are once again exploiting trusted platforms to distribute malware, this time using a fake version of Proxifier hosted on GitHub to spread ClipBanker. The campaign is particularly deceptive, as it disguises itself as a legitimate proxy tool while silently executing a complex, multi-stage infection process in the background.
The attack begins when users search for Proxifier and are directed to a seemingly authentic GitHub repository. The download package appears convincing, complete with an installer and even a file containing activation keys to build trust. However, once executed, the installer does not behave like typical software. Instead of simply installing the application, it prepares the system for compromise.
One of the malware’s first actions is to weaken system defenses. It manipulates Microsoft Defender by adding exclusions, ensuring that its malicious activities go undetected. This is done through hidden PowerShell scripts executed via injected processes, making the activity difficult for users and security tools to notice. At the same time, additional .NET components are injected into other processes to further conceal its presence.
To maintain its cover, the malware eventually launches the real Proxifier installer, giving the user a functioning application. This clever tactic reduces suspicion, as everything appears normal on the surface. Meanwhile, in the background, the attack chain continues. The malware stores encoded scripts in the system registry, creates scheduled tasks, and repeatedly executes hidden PowerShell commands to maintain persistence.
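Detection logic for the behaviours described in the two paragraphs above, as an added example that is not part of the original article or of Kaspersky's research: a small Python scanner over constructed PowerShell script-block (event 4104) and process-creation (event 4688) log lines that flags Defender exclusion changes, hidden and base64-encoded PowerShell launches, scheduled tasks that run PowerShell, and scripts read back from the registry. The event shapes, rule names and sample lines are assumptions; task names and paths are placeholders, not indicators from the campaign.

```python
import base64
import re
from typing import List, Optional, Tuple

# Rules for the behaviours described above, applied to each raw log line and to
# the decoded -EncodedCommand payload when one is present.
RULES = [
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", re.I)),
    ("hidden_powershell", re.compile(r"powershell(?:\.exe)?\b.*-w(?:indowstyle)?\s+hidden", re.I)),
    ("scheduled_task_powershell", re.compile(r"schtasks(?:\.exe)?\s+/create\b.*powershell", re.I)),
    ("registry_script_load", re.compile(r"Get-ItemProperty\b.*HK(?:CU|LM)", re.I)),
]

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext behind -e/-ec/-enc/-EncodedCommand (base64 of UTF-16LE), or None."""
    m = re.search(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # not base64, or not UTF-16LE text
        return None

def analyze(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, rule_name) hits over the given log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        decoded = decode_encoded_command(line)
        targets = [line] + ([decoded] if decoded else [])
        if decoded:
            hits.append((n, "encoded_command"))
        for name, rx in RULES:
            if any(rx.search(t) for t in targets):
                hits.append((n, name))
    return hits

def _enc(ps: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(ps.encode("utf-16le")).decode()

# Constructed sample lines in the shape of PowerShell script-block (4104) and
# process-creation (4688) events; paths and task names are placeholders, not IoCs.
SAMPLE_LOG = [
    "4104 ScriptBlockText: Add-MpPreference -ExclusionPath 'C:\\PLACEHOLDER'",
    "4688 CommandLine: powershell.exe -w hidden -enc "
    + _enc("Add-MpPreference -ExclusionProcess 'PLACEHOLDER.exe'"),
    "4688 CommandLine: schtasks /create /tn PLACEHOLDER /sc minute /tr "
    "\"powershell -w hidden -c (Get-ItemProperty HKCU:\\Software\\PLACEHOLDER).p\"",
    "4104 ScriptBlockText: Get-Process | Sort-Object CPU",
]
```

Calling `analyze(SAMPLE_LOG)` flags the first three lines and leaves the benign fourth line untouched; the encoded launch is caught both as an encoded command and, after decoding, as a Defender exclusion change.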
The final stage delivers ClipBanker, a clipboard hijacker designed to intercept cryptocurrency transactions. Written in C++, this malware monitors copied wallet addresses and replaces them with attacker-controlled ones. As a result, users unknowingly send funds to hackers instead of intended recipients. The malware targets a wide range of cryptocurrencies, including Bitcoin, Ethereum, Monero, Solana, and TRON, making it a serious threat to anyone dealing with digital assets.
According to findings from Kaspersky’s Securelist, thousands of infections have already been detected, with a significant number reported in India and Vietnam. Many cases were only discovered after users ran cleanup tools, highlighting how difficult it can be to detect such threats once they are active.
This campaign underscores a growing trend in cyberattacks—leveraging trusted platforms and legitimate-looking tools to trick users into installing malware. It also reinforces the importance of downloading software only from verified sources and being cautious of repositories that appear legitimate but lack proper validation.