A new malware campaign is targeting cryptocurrency users through a deceptive copy of Proxifier, a widely used proxy client. The attackers set up a GitHub repository that appears to offer a legitimate Proxifier download but instead hosts a Trojan built to watch the clipboard and swap wallet addresses so that funds are diverted to the attackers.
Deceptive GitHub Repository Raises Alarm
The attack begins with a search: users looking for “Proxifier” are led by search engine results to a counterfeit GitHub repository. The repository looks credible and displays source code for a basic proxy service, but its download package contains a trojanized executable alongside a text file of activation keys, a detail that makes the package look like a working cracked copy and adds to its apparent legitimacy.
Researchers at Kaspersky’s Securelist first described the campaign in early 2026 and note that it has been active since 2025. The infection chain is multi-stage, with each stage designed to keep the malware hidden. More than 2,000 Kaspersky users have encountered the threat, predominantly in India and Vietnam.
ClipBanker Targets Cryptocurrency Users
The malware, known as ClipBanker, targets cryptocurrency users by hijacking the clipboard. When a victim copies a wallet address, the malware replaces it with an address controlled by the attackers; because the replacement has the same format as the original, a victim who pastes without re-reading the address sends the funds to the attackers. The clipper recognizes addresses for 26 blockchain networks, including Bitcoin, Ethereum and Solana, so a single infection can divert funds across many ecosystems.
The campaign’s effectiveness comes from its convincing packaging and its placement in search results, which draw users into downloading what they believe is legitimate software with no hint of the risk to their cryptocurrency.
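To make the substitution concrete, the following is an added example, not code from the Securelist research or from the malware, showing the two halves of the problem: how a clipper recognizes which network an address belongs to from its shape alone, and the defensive check a user or a clipboard-monitoring tool would perform, comparing what was copied with what is about to be pasted. The patterns cover three of the 26 networks the article names and are format checks only (no checksum validation); the Ethereum and Solana strings are constructed, and the two Bitcoin strings are the well-known public documentation examples.

```python
import re

# Shape patterns for three of the networks the article names. These are
# format checks only: no checksum or on-chain validation. Bitcoin is tested
# before Solana because a base58 Solana key can start with '1' or '3' and
# fall into the legacy Bitcoin range; a clipper and a guard both live with
# that ambiguity.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
ADDRESS_PATTERNS = [
    ("bitcoin",  re.compile(rf"(?:[13]{BASE58}{{25,34}}|bc1[ac-hj-np-z02-9]{{39,59}})")),
    ("ethereum", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("solana",   re.compile(rf"{BASE58}{{32,44}}")),
]


def classify_address(text):
    """Return the network whose address shape `text` matches, or None."""
    s = text.strip()
    for chain, pattern in ADDRESS_PATTERNS:
        if pattern.fullmatch(s):
            return chain
    return None


def detect_clipper_swap(copied, pasted):
    """The defensive check: flag when the pasted text is a *different*
    address of the *same* network as what the user copied. That is exactly
    the substitution a clipper performs, and it is why the swap is easy to
    miss: the replacement looks like any other address of that network."""
    src, dst = classify_address(copied), classify_address(pasted)
    if src is not None and src == dst and copied.strip() != pasted.strip():
        return src
    return None


class ClipboardGuard:
    """Minimal guard: remember the last address the user copied and compare
    it with the clipboard contents at paste time. On a live system the two
    methods would be wired to real clipboard hooks (assumed, not shown)."""

    def __init__(self):
        self.last_copied = None

    def record_copy(self, text):
        if classify_address(text):
            self.last_copied = text.strip()

    def check_paste(self, clipboard_now):
        if self.last_copied is None:
            return None
        return detect_clipper_swap(self.last_copied, clipboard_now)


# Constructed sample: the user copies an Ethereum address, a clipper replaces it.
VICTIM_ETH = "0x" + "ab12" * 10     # 40 hex characters, made up
ATTACKER_ETH = "0x" + "ff00" * 10   # same shape, different owner

if __name__ == "__main__":
    guard = ClipboardGuard()
    guard.record_copy(VICTIM_ETH)
    print(guard.check_paste(ATTACKER_ETH))   # ethereum
```

The guard deliberately reports the network rather than a bare boolean, so a wallet front end can tell the user which address type was tampered with; a paste that produces a different network, or plain text, is not flagged because that is ordinary clipboard use, not a clipper swap.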
Infection Chain and Evasion Tactics
When run, the malicious installer drops a small stub into the system temp folder that mimics a genuine Proxifier process, then injects a .NET component intended to evade Microsoft Defender so that the later stages go unnoticed.
The legitimate Proxifier installer runs in the foreground to allay suspicion while the Trojan works in the background. It injects malicious code into trusted Windows utilities and runs an obfuscated PowerShell script entirely in memory, leaving no script file on disk for scanners to catch. It also changes Defender settings and establishes persistence by storing encoded scripts in registry values and creating scheduled tasks that launch them at user logon; the new task, the registry value holding an encoded blob, and the Defender preference changes are the artifacts a defender can hunt for.
The final payload is then downloaded and injected into system processes, where ClipBanker monitors the clipboard without drawing attention.
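The persistence and evasion steps above leave observable traces: a scheduled task that fires at logon, a registry value holding an encoded script, PowerShell launched with an encoded command, and Defender preference changes. The following added example is my own detection sketch, not code from Securelist or from the malware. It runs that logic over a handful of constructed Sysmon-style events; the task name, registry path, stager script and command lines are all invented for the example, since the article does not give the exact commands the campaign uses.

```python
import base64
import re
from typing import Optional

# ---- Constructed sample telemetry -------------------------------------------
# Simplified process-creation and registry-set records in the spirit of Sysmon
# events 1 and 13. Every path, task name, registry key and script below is
# invented for this example; none is an indicator from the real campaign.

def ps_encode(script: str) -> str:
    """What powershell.exe -EncodedCommand expects: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Hypothetical stager: read a base64 blob from a registry value and run it in memory.
STAGER = (
    "$d=(Get-ItemProperty -Path 'HKCU:\\Software\\ExampleVendor\\Cfg').Blob;"
    "IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($d)))"
)
STAGE_TWO_BLOB = base64.b64encode(b"# stage-two script would go here").decode("ascii")

SAMPLE_EVENTS = [
    {"id": 1, "type": "ProcessCreate",
     "cmdline": 'schtasks.exe /create /tn "ExampleUpdater" /sc onlogon /rl highest '
                f'/tr "powershell.exe -w hidden -ep bypass -enc {ps_encode(STAGER)}"'},
    {"id": 2, "type": "RegistrySet",
     "target": "HKCU\\Software\\ExampleVendor\\Cfg\\Blob", "details": STAGE_TWO_BLOB},
    {"id": 3, "type": "ProcessCreate",
     "cmdline": f"powershell.exe -NoP -W Hidden -EncodedCommand {ps_encode(STAGER)}"},
    {"id": 4, "type": "ProcessCreate",
     "cmdline": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true; '
                "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'\""},
    {"id": 5, "type": "ProcessCreate",   # benign admin activity, must not fire
     "cmdline": "powershell.exe -NoProfile -Command Get-Process | Sort-Object CPU"},
]

# ---- Detection logic ----------------------------------------------------------
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the plaintext script from an -EncodedCommand blob, including when
    the PowerShell invocation is nested inside another tool's arguments (schtasks /tr)."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_registry_stager(script: str) -> bool:
    """Script reads a registry value, base64-decodes it and hands it to IEX."""
    s = script.lower()
    reads_registry = re.search(r"get-itemproperty(?:value)?|hk(?:cu|lm):|registry::", s) is not None
    decodes = "frombase64string" in s
    runs_in_memory = re.search(r"\biex\b|invoke-expression", s) is not None
    return reads_registry and decodes and runs_in_memory


def looks_like_base64(value: str) -> bool:
    return len(value) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]{16,}={0,2}", value) is not None


def analyze(events):
    """Return (event id, rule name) pairs for every rule an event trips."""
    findings = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        low = cmd.lower()
        decoded = decode_encoded_command(cmd)

        # Persistence: a logon-triggered task whose action is hidden or encoded PowerShell.
        if ("schtasks" in low and "/create" in low and "onlogon" in low
                and "powershell" in low
                and (re.search(r"-w(?:indowstyle)?\s+hidden", low) or decoded is not None)):
            findings.append((ev["id"], "logon-task-runs-hidden-powershell"))

        # Fileless stage: an encoded command that pulls its real script out of the registry.
        if decoded is not None and is_registry_stager(decoded):
            findings.append((ev["id"], "encoded-powershell-registry-stager"))

        # Defender tampering through the MpPreference cmdlets.
        if re.search(r"set-mppreference\s+-disable|add-mppreference\s+-exclusion", low):
            findings.append((ev["id"], "defender-preference-tampering"))

        # Script storage: a base64 blob written to a registry value.
        if ev["type"] == "RegistrySet" and looks_like_base64(ev.get("details", "")):
            findings.append((ev["id"], "base64-blob-written-to-registry"))
    return findings


if __name__ == "__main__":
    for event_id, rule in analyze(SAMPLE_EVENTS):
        print(event_id, rule)
```

Decoding the encoded command before matching is the part that matters: the registry read and the `IEX` call never appear in the raw command line, so a rule that only greps process arguments sees nothing but base64. The same decoder applied to the `schtasks /tr` argument lets one event trip both the persistence rule and the stager rule, which is how the chain described above would show up in telemetry.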
The standard mitigations apply: download software only from the vendor’s own site or another verified source, and keep security software current. Two further checks follow directly from this campaign. A repository that bundles a commercial product with a text file of activation keys is offering a cracked copy, and such packages are a common carrier for trojans, so the keys themselves are the warning sign rather than a reassurance. And because a clipper only succeeds if the victim pastes without looking, compare the pasted wallet address against the intended one, character by character if necessary, before confirming any transfer. Users who rely on built-in protection alone should treat the source of the download as their main control.
