ClipXDaemon: Autonomous X11 Clipboard Hijacker Delivered via Bincrypter-Based Loader

Cyble identified ClipXDaemon, an autonomous Linux clipboard hijacker that targets X11 sessions to intercept and replace copied cryptocurrency wallet addresses with attacker-controlled addresses, operating entirely without network command-and-control. The threat is delivered via a bincrypter-based encrypted shell loader, stages an in-memory dropper and a persisted ELF under ~/.local/bin, and uses ChaCha20-encrypted regexes, process masquerading, and Wayland avoidance to evade detection.

Key Points

  • ClipXDaemon is an autonomous, C2-less Linux clipboard hijacker focused on X11 that monitors the clipboard every ~200ms and replaces matched cryptocurrency addresses with embedded attacker wallets.
  • Delivery uses a three-stage chain: a bincrypter-obfuscated shell loader (AES-256-CBC + gzip), an in-memory dropper, and an on-disk ELF payload dropped to ~/.local/bin/ for persistence.
  • Persistence is achieved by appending an execution line to the user’s ~/.profile, enabling user-level autostart without root privileges.
  • Defense-evasion techniques include explicit Wayland-session avoidance, double-fork daemonization, /proc-based in-memory execution, and process masquerading via prctl(PR_SET_NAME) and argv[0] modification.
  • Configuration (wallet regexes and replacement addresses) is stored encrypted (ChaCha20 with static key/counter) and decrypted in memory only, while replacement wallets for assets such as Ethereum, Bitcoin, Monero, Dogecoin, Litecoin, and Tron are embedded in the binary.
  • The campaign demonstrates reuse of public open-source tooling (bincrypter) to stage payloads and illustrates a trend toward autonomous, infrastructure-less financial malware targeting Linux userland.

MITRE Techniques

  • [T1056.004] Clipboard Data – The malware continuously polls and manipulates the X11 CLIPBOARD selection to replace wallet addresses: (‘monitors the clipboard every 200ms and replaces cryptocurrency addresses with attacker-controlled wallets’).
  • [T1547.001] Shell Configuration Modification – Achieves persistence by modifying user shell startup files: (‘appends an execution line to ~/.profile’).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Camouflages its process as a kernel worker thread and modifies argv[0] to evade casual inspection: (‘prctl(PR_SET_NAME, …), altering its process name to resemble a kernel worker thread — specifically mimicking kworker/0:2-events’).
  • [T1027] Obfuscated Files or Information – Uses encryption/obfuscation to hide payloads and configuration, including bincrypter-derived AES-256-CBC + gzip staging and ChaCha20-encrypted regexes: (‘bincrypter… AES-256-CBC decryption and gzip decompression’ and ‘Encrypted regex is ChaCha20-based, with embedded static keys’).
  • [T1059.004] Unix Shell – Employs a shell-script loader that base64-decodes an embedded payload and executes the decrypted stage directly from memory via /proc/self/fd: (‘wrapper script stores an encrypted payload blob inline, base64-decodes it at runtime… and executes the decrypted stage directly from memory’).

Indicators of Compromise

  • [SHA-256] Sample hashes observed in reporting – 87ab42a2a58479cf17e5ce1b2a2e8f915d539899993848e5db679c218f0e7287 (Bincrypter loader script), 23099eea9c4f85ff62a4f43634d431bbed0bf6b039a3f228b1c047f1c2f0cd11 (Dropper script), and 1 more hash.
  • [File Path] Drop location and naming pattern – ~/.local/bin/ (randomized 8–19 character name with numeric suffix) – used for the dropped ELF payload.
  • [Persistence Artifact] User startup modification – modification to ~/.profile to append an execution line for persistence.
  • [Wallet Address] Attacker-controlled replacement addresses embedded in binary – 0x502010513bf2d2B908A3C33DE5B65314831646e7 (Ethereum), 424bEKfpB6C9LkdfNmg61pMEnAitjde8YWFsCP1JXRYhfu4Tp5EdbUBjCYf9kRBYGzWoZqRYMhWfGAm1N5h6wSPg8bSrbB9 (Monero), and 4 more addresses.
  • [Process Name] Process masquerading artifacts – processes adopting kernel-thread-like names such as ‘kworker/0:2-events’ while running under a user context (indicator of masquerading).
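The two host-side artifacts above (a kworker-named process in a user context, and an execution line appended to ~/.profile) can be checked with a short /proc walk. The following is an added example written for this summary, not code from Cyble or from the malware; the list of kernel-thread name prefixes beyond kworker and the sample ~/.profile contents are assumptions, and the binary name in the sample is a placeholder rather than an observed indicator.

```python
import os
import re

# Assumption: kernel-thread names a user process might adopt; the report
# cites kworker/0:2-events, the other prefixes are added for coverage.
KTHREAD_NAME = re.compile(r"^(kworker|ksoftirqd|kswapd|migration|rcu_)")

def is_masquerading_kthread(comm, uid, ppid, cmdline):
    """A real kernel worker runs as uid 0 under kthreadd (PID 2) with an
    empty cmdline; prctl(PR_SET_NAME) only rewrites comm, so a renamed
    userland process fails at least one of those checks."""
    if not KTHREAD_NAME.match(comm):
        return False
    return uid != 0 or ppid != 2 or cmdline != b""

def scan_proc(proc="/proc"):
    """Return (pid, comm, uid, ppid) for every masquerading process."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as f: comm = f.read().strip()
            with open(f"{proc}/{pid}/cmdline", "rb") as f: cmdline = f.read()
            with open(f"{proc}/{pid}/status") as f: status = f.read()
        except OSError:
            continue  # process exited mid-scan
        uid = int(re.search(r"^Uid:\s+(\d+)", status, re.M).group(1))
        ppid = int(re.search(r"^PPid:\s+(\d+)", status, re.M).group(1))
        if is_masquerading_kthread(comm, uid, ppid, cmdline):
            hits.append((int(pid), comm, uid, ppid))
    return hits

def suspicious_profile_lines(text):
    """Flag ~/.profile lines that execute something from ~/.local/bin (the
    persistence mechanism in the report); PATH exports are skipped."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s.startswith("#") or "PATH" in s:
            continue
        if re.search(r"(~|\$HOME)/\.local/bin/\S+", s):
            hits.append((n, s))
    return hits

# Constructed sample; the binary name is a placeholder, not an observed IoC.
SAMPLE_PROFILE = """# ~/.profile (constructed sample)
export PATH="$HOME/.local/bin:$PATH"
$HOME/.local/bin/abcdefgh42 &
"""
```

Run `scan_proc()` on a live host and `suspicious_profile_lines(open(os.path.expanduser("~/.profile")).read())` for each user; a hit on either is worth a closer look at the process binary under ~/.local/bin.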

Read more: https://cyble.com/blog/clipxdaemon-autonomous-x11-clipboard-hijacker/