Fake GitHub Stars and AI Videos Mask a Crypto Clipper

A cryptocurrency-stealing malware campaign has been spreading by faking its own popularity, dressing up booby-trapped "tools" with bogus GitHub stars, inflated download counts and AI-narrated YouTube tutorials.

New analysis from Check Point Research traced the operation to a Rust-based clipboard hijacker, a "clipper" that swaps copied crypto wallet addresses for the attacker's own, built for both Windows and macOS.

The lures are "edge" tools that promise easy money, crypto sniper bots and "predictors" that claim to forecast crash-gambling games, aimed at traders and gamblers chasing shortcuts. A WordPress phishing page acts as the hub, funneling victims to the downloads.

Manufacturing Trust

The campaign stands out for the effort it puts into looking legitimate. Check Point said the actor leaned on "Ghost Networks" of fake accounts to manufacture social proof across several platforms, including:

  • Six or more GitHub accounts, with repositories padded out with fake stars and forks

  • SourceForge projects showing 44,485 downloads, most from Android devices despite no Android build

  • A YouTube channel using AI-generated narrators, fake view spikes and coordinated praise

  • VirusTotal entries carrying planted "safe" votes and comments

The VirusTotal trick is among the most novel. Check Point warned that planted "safe" votes, combined with low antivirus detection rates, can fool reputation-based defenses into clearing the files.

The actor even seeded promotional posts on legitimate news sites, some likely paid, others on what may be compromised outlets.

What the Malware Does

The malware itself is straightforward. Once a victim runs the fake tool, a loader launches the Rust clipper, which copies itself for persistence and runs at startup.

From there, it watches the clipboard for anything resembling a crypto wallet address and, when it spots one, silently swaps it for an attacker wallet drawn from an embedded list of more than 15,500 addresses, most of them Bitcoin.

On macOS, the build adds a social-engineering twist: a bundled "unlocker" script that walks users through stripping Apple's quarantine flag and bypassing Gatekeeper to run the unsigned app.

Both versions dig in for persistence, and the macOS variant runs a 30-second watchdog that rewrites itself and clones the binary to survive manual removal.
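The clipboard behaviour described above suggests a simple host-side detection heuristic: a wallet address in the clipboard being replaced by a different address of the same family almost immediately after it was copied. The following Python script is an added illustration written for this article, not code from Check Point or from the malware; it uses constructed clipboard snapshots and loose, illustrative address-format patterns (no checksum validation) to flag that substitution pattern. The example addresses are well-known public documentation addresses, not attacker wallets.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Loose format checks for common wallet-address families. These patterns
# are illustrative (written for this example) and do not verify checksums,
# so a match only means "looks like an address".
ADDRESS_FAMILIES = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify_address(text: str) -> Optional[str]:
    """Return the address family a clipboard string looks like, or None."""
    s = text.strip()
    for family, pattern in ADDRESS_FAMILIES.items():
        if pattern.match(s):
            return family
    return None

@dataclass
class ClipboardSnapshot:
    t: float        # seconds since monitoring started
    content: str    # clipboard text observed at that moment

@dataclass
class SubstitutionAlert:
    t: float
    family: str
    original: str
    replacement: str

def detect_substitutions(snapshots, window_s: float = 2.0) -> List[SubstitutionAlert]:
    """Flag clipper-style behaviour: an address-like value replaced by a
    *different* address of the same family within `window_s` seconds.
    A person rarely copies two distinct wallet addresses that quickly,
    whereas a clipper overwrites the clipboard right after the copy."""
    alerts = []
    prev = None
    for snap in snapshots:
        if prev is not None:
            old, new = prev.content.strip(), snap.content.strip()
            old_family, new_family = classify_address(old), classify_address(new)
            if (old_family is not None and old_family == new_family
                    and old != new and (snap.t - prev.t) <= window_s):
                alerts.append(SubstitutionAlert(snap.t, new_family, old, new))
        prev = snap
    return alerts

# Constructed clipboard timeline for demonstration. The addresses are public
# example addresses from Bitcoin/Ethereum documentation, not real targets.
SAMPLE_TIMELINE = [
    ClipboardSnapshot(0.0, "meeting notes"),
    ClipboardSnapshot(5.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # user copies an address
    ClipboardSnapshot(5.3, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),  # replaced 0.3 s later
    ClipboardSnapshot(20.0, "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe"),
    ClipboardSnapshot(40.0, "0x1111111111111111111111111111111111111111"),  # 20 s later: benign
    ClipboardSnapshot(41.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),          # different family
]

def demo() -> List[SubstitutionAlert]:
    """Run the detector over the constructed timeline; expect one alert."""
    return detect_substitutions(SAMPLE_TIMELINE)

if __name__ == "__main__":
    for a in demo():
        print(f"t={a.t}: {a.family} address changed {a.original} -> {a.replacement}")
```

On a real endpoint the snapshots would come from polling the OS clipboard (or an EDR clipboard hook) rather than a list; the same-family-and-short-window rule keeps false positives low while catching the swap the article describes. Pairing the alert with the process that last wrote to the clipboard is what turns this into an actionable detection.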

Check Point framed the case as a shift in how attackers build trust. Rather than hiding malware, the actor surrounds it with positive signals, so that by the time a victim runs the file, it feels like a normal app.

"These techniques can also be abused by other types of actors distributing and promoting information stealers or other malware families, which can eventually lead to full ransomware compromises in more mature environments," the firm warned.

"In other words, the same playbook of fake reputation and broad promotion can be reused to deliver more damaging payloads over time."
