Crypto Clippers weaponizing VirusTotal: The new SEO Malware?
Just caught wind of this report regarding a crypto clipper operation that is leveling up their social engineering game. We aren't just talking about emails anymore; they are using paid news articles, AI-generated YouTube content, and—get this—fake 'clean' comments on VirusTotal to convince victims their tools are legitimate.
According to the findings, the threat actor is using a WordPress phishing hub to drive traffic to GitHub and SourceForge repositories. The goal is standard clipboard hijacking—swapping out wallet addresses during copy/paste operations—but the delivery mechanism is sophisticated.
If you're monitoring endpoints, keep an eye out for persistent binaries calling user32.dll clipboard functions. These often don't trigger standard AV because they look like utilities. Here is a basic YARA rule to help catch generic clipboard monitoring behavior in your SIEM or sandbox:
yara rule Clipper_Generic { strings: $clip_func1 = "GetClipboardData" wide $clip_func2 = "SetClipboardData" wide $clip_m wide $crypto_pattern = /(bc1q|0x)[a-zA-Z0-9]{20,}/ condition: uint16(0) == 0x5A4D and 2 of ($clip_func*) and $crypto_pattern }
What’s everyone’s take on screening GitHub/SourceForge binaries in a corporate environment? Are we blocking these domains entirely or relying on sandbox detonation?
Great Yara snippet. I'd add a check for IsClipboardFormatAvailable as well, as we've seen newer variants polling the clipboard before attempting the swap to stay stealthier.
On the social engineering side, the use of paid news posts is a huge pivot. It effectively bypasses email gateways because the traffic comes from a trusted referrer. SOC teams need to start looking at Referer headers in proxy logs, not just just the domain reputation of the final destination.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access