- Check Point Research uncovers PR campaign distributing Rust clipboard hijacker disguised as legitimate software
- The attackers used phishing sites, GitHub/SourceForge projects, fake YouTube channels and even press releases to boost their credibility.
- Malware swaps clipboard crypto wallet addresses, with “ghost networks” manipulating reputation systems to evade detection.
Hackers have launched a cross-platform PR campaign to make people believe that the malware they are distributing is actually legitimate software, experts have warned.
A report from Check Point Research warns that even those who regularly do their due diligence could be fooled.
At the center of the campaign is a clipboard hijacker – an infostealer that monitors the victim’s clipboard for cryptocurrency wallet addresses. When it detects one, it replaces it with an address belonging to the attackers. This way, when a victim tries to send money from one wallet to another, they end up paying the attackers. Windows and macOS users are at risk.
Abuse of newswire sites
“The threat actor uses multiple channels to promote and distribute a Rust clipboard hijacker, starting with a dedicated phishing page as a central platform and expanding to GitHub and SourceForge projects promoted by fake accounts,” the company said.
“A dedicated YouTube channel, using AI-generated narrators, suspicious peak views and very positive comments (probably coordinated), further reinforces the illusion of popularity and trustworthiness.”
To spread the malware, the attackers conducted a rather aggressive PR campaign: they created a dedicated phishing page, several GitHub and SourceForge projects and accounts, as well as a fake YouTube channel. But the most surprising thing is the dissemination of news articles via newswire sites.
Newswire sites are services that distribute press releases and company announcements to media outlets, journalists, websites and investors. Most newswire services allow anyone to submit and distribute press releases, usually for a fee, but they are generally considered a legitimate source of trustworthy information.
At the same time, hackers have gone the extra mile to ensure that the clipboard hijacker is not flagged as malware. Using numerous fake accounts (called “ghost networks”), they manipulate reputation-driven systems like VirusTotal, fooling researchers and potential users into believing that the programs are false positives.
“Although this campaign is not primarily aimed at large companies, it shows that attackers no longer rely solely on traditional malware distribution techniques to reach their victims,” the researchers conclude. “Instead, they can manipulate reputation systems, audience feedback, and cross-platform promotion to lessen suspicion and attract more users.”
Via Hacker news





