A cross-platform Rust clipboard hijacker campaign is promoted through a phishing site, fake GitHub/SourceForge engagement, AI-generated YouTube content, VirusTotal sentiment abuse, and posts on news sites and crypto forums. The malware targets Windows and macOS users with wallet-replacing clipboard hijacking while leveraging misleading reputation signals to appear legitimate and trustworthy. #Rust #GitHub #SourceForge #YouTube #VirusTotal #JoseCmanXD #WordPress
Keypoints
- The campaign uses a WordPress phishing page as the central hub to distribute "solutions" such as sniper bots, crash predictors, and Aviator Predictor.
- Fake or coordinated engagement on GitHub, SourceForge, YouTube, and VirusTotal creates false popularity and trust for the malicious tools.
- The actual payload is a Rust-based clipboard hijacker that targets cryptocurrency wallet addresses on both Windows and macOS.
- The Windows version installs persistence, watches the clipboard, and swaps copied wallet addresses with attacker-controlled addresses from a large embedded list.
- The macOS version uses an "unlocker" script to bypass Gatekeeper checks, then runs a Rust clipper with self-healing persistence via LaunchAgents and watchdog logic.
- Promotional posts on legitimate news sites and crypto forums further legitimize the campaign and expand victim reach.
- VirusTotal upvotes and "safe" comments are abused to make malicious samples appear benign and potentially evade reputation-based detection.
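As an added defender-side example (not code from the report or its source), the following Python triages a LaunchAgent plist for the traits the macOS variant's persistence is described with above: RunAtLoad combined with KeepAlive, and a launcher script living in the user's home directory. Both plists are constructed samples; the label com.example.placeholder and the path /Users/victim/launch.sh are assumptions standing in for the report's ~/launch.sh.

```python
import plistlib
import re

# Constructed sample modelled on the persistence described in the report:
# a LaunchAgent with RunAtLoad and KeepAlive that launches a script in $HOME.
# Label and path are placeholders, not values taken from the actual sample.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.placeholder</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>/Users/victim/launch.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed benign agent: RunAtLoad only, binary inside an app bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Vendor.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Directories a legitimate LaunchAgent rarely executes a file straight out of:
# the root of a user's home directory and the temp directories.
UNUSUAL_DIR = re.compile(r"^(/Users/[^/]+|/tmp|/private/tmp|/var/tmp)/[^/]+$")


def triage_launch_agent(plist_bytes):
    """Return the list of reasons an agent resembles clipper-style persistence
    (empty list means nothing suspicious was found)."""
    d = plistlib.loads(plist_bytes)
    reasons = []
    # launchd accepts either ProgramArguments (array) or Program (string)
    args = d.get("ProgramArguments") or [d.get("Program", "")]
    # KeepAlive restarts the process whenever it exits: the "self-healing" trait
    if d.get("RunAtLoad") and d.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive (self-restarting)")
    for a in args:
        if UNUSUAL_DIR.match(a):
            reasons.append(f"executes from unusual path: {a}")
        if a.endswith(".sh") or a.endswith(".command"):
            reasons.append(f"shell script launcher: {a}")
    return reasons


if __name__ == "__main__":
    for name, p in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, triage_launch_agent(p))
```

On a real host, point the function at each file under ~/Library/LaunchAgents and review every agent that returns a non-empty list.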
MITRE Techniques
- [T1583.001] Acquire Infrastructure: Domains — The actor uses a dedicated phishing website as the main distribution hub ("A WordPress phishing site serves as the main landing page").
- [T1587.001] Develop Capabilities: Malware — The threat actor develops Rust-based clipboard hijackers for Windows and macOS ("the actual payloads delivered to victims are Rust-based clipboard hijackers").
- [T1204.001] User Execution: Malicious Link — Victims are funneled to the phishing page via social media, forums, and Telegram links ("In most cases, victims are funneled to this site through links shared on social media, crypto forums, and Telegram channels").
- [T1566.002] Phishing: Spearphishing Link — The phishing site and linked content are used to lure users into downloading the malicious software ("a dedicated phishing page as the central hub").
- [T1012] Query Registry — The malware uses Windows and macOS system mechanisms and checks system paths/settings to maintain operation and persistence ("copies itself to %APPDATA%silkesilke.exe" and "installs a RunAtLoad and KeepAlive LaunchAgent plist").
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder — The Windows variant creates a shortcut in the Startup folder so it runs at logon ("creating a shortcut in the Startup folder so it will automatically run at logon").
- [T1547.013] Boot or Logon Autostart Execution: XDG Autostart / Launch Agents — The macOS variant installs a LaunchAgent for automatic execution on login ("installs a RunAtLoad and KeepAlive LaunchAgent plist").
- [T1112] Modify Registry — On Windows, the sample modifies startup-related persistence to ensure execution ("creating a shortcut in the Startup folder").
- [T1056.001] Input Capture: Keylogging — Not directly keylogging, but the clipper captures clipboard input and reacts when wallet text appears ("continuously monitors the user's clipboard for cryptocurrency wallet addresses").
- [T1115] Clipboard Data — The malware monitors clipboard content and swaps wallet addresses ("replace the clipboard contents with an attacker-controlled wallet address").
- [T1036] Masquerading — The campaign disguises malicious software as legitimate tools and uses fake trust signals ("tools that claim to give users an unfair advantage" and "appear more popular and trustworthy than they really are").
- [T1497.001] Virtualization/Sandbox Evasion: System Checks — The macOS unlocker bypasses protective controls before execution ("remove the macOS quarantine attribute" and "bypass Gatekeeper warnings").
- [T1585.001] Establish Accounts: Social Media Accounts — The actor uses fake or controlled accounts across platforms ("fake accounts", "Ghost Networks").
- [T1593] Search Open Websites/Domains — The actor promotes malware through news websites, forums, and public platforms ("posts on legitimate news websites" and "BitcoinTalk.org").
Indicators of Compromise
- [File hashes] Malicious Windows clipboard hijacker and loader samples — 5518942d9d21794aaeff41a01b88606a96659fc329b481a2f0946d8163ab4d613, f737e99177cc05037ff34cf6e245dd56377dc3db4e2bb46edcf039df650939d6, and 2 more hashes
- [File hashes] Malicious macOS clipper and loader samples — b71efdebd0ca3563e67edb7ad59358a6b8f013b219ad65033efcf48fd1c86619, 6f12c066a929c96104796c4ecca938754962009ebd9e4ba5329bb940bf331d0a
- [File names] Delivered Windows and macOS packages — SniperBot_Premium(Free).exe, silkebin.exe, unlocker.command, and !!! READ THIS — RUN UNLOCKER IF APP IS BLOCKED INSIDE THE FOLDER !!
- [User/account handles] Shared contact and attribution markers across platforms — @JoseCmanXD, Decryptor-j, crash-predictor1, and stake-mines
- [Domains / websites] Distribution and promotion infrastructure — SourceForge, GitHub, YouTube, VirusTotal, BitcoinTalk.org, and The National Law Review
- [Paths / persistence artifacts] Windows and macOS persistence locations — %APPDATA%silkesilke.exe, ~/launch.sh, and ~/Library/LaunchAgents/com.example..plist
- [Wallet addresses] Attacker-controlled replacement wallets embedded in the malware — bc1qr8vgrcvacyea68gk6w0kdzt2xcc93azzhalyjl, 1JKeTeM7H3P1hj2DYB6vnXWeJ7XgKvXb7D, and other embedded wallet strings