Malware Targets Clipboard to Swap Wallet Addresses
Cybersecurity firm Kaspersky has flagged a malware campaign that uses projects disguised as Microsoft Office add-ins on SourceForge to spread ClipBanker, a program that replaces copied wallet addresses with addresses belonging to the attacker.
This malware is primarily written in Russian, though the download page is in English, suggesting a broader global threat. Users are lured into downloading the software via alternative links that appear to lead to SourceForge but are controlled by attackers.
How ClipBanker Operates
Once installed, ClipBanker silently monitors a user’s clipboard. When a crypto wallet address is copied, the software replaces it with the attacker’s address. Since most users copy-paste rather than manually entering addresses, the change often goes unnoticed until funds are sent.
Researchers note that the malware itself is just 7 MB inside a 700 MB fake installer, and emphasize that this approach could evolve into even more dangerous system intrusions.
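The clipboard substitution described above leaves a recognizable trace: one wallet address replaced by a different address of the same format moments after the copy. The following is an added detection sketch, not code from Kaspersky or from the malware. The address patterns are approximations, and the snapshot format, the function names and the two-second threshold are assumptions, since the article names no specific coins or timings.

```python
import re

# Assumed, approximate address formats (the article does not name any coins).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc_bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def address_kind(text):
    """Return the format name if the whole clipboard text is one address."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return kind
    return None

def find_address_swaps(snapshots, max_gap=2.0):
    """Flag consecutive snapshots where an address was replaced by a
    different address of the same format within max_gap seconds.
    A person rarely copies two different addresses that quickly."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        kind = address_kind(prev)
        if kind is None or kind != address_kind(cur):
            continue  # not an address-to-address change of one format
        if prev.strip() != cur.strip() and (t_cur - t_prev) <= max_gap:
            alerts.append({"time": t_cur, "kind": kind,
                           "copied": prev.strip(), "now": cur.strip()})
    return alerts

# Constructed clipboard snapshots as (seconds, text); addresses are made up.
SAMPLE = [
    (0.0, "meeting notes"),
    (10.0, "0x" + "a1" * 20),   # user copies an address
    (10.4, "0x" + "b2" * 20),   # different address 0.4 s later: suspicious
    (60.0, "1" + "A" * 30),     # user copies another address
    (95.0, "1" + "B" * 30),     # changed 35 s later: plausible user action
    (120.0, "hello"),
]

if __name__ == "__main__":
    for alert in find_address_swaps(SAMPLE):
        print(alert)
```

The same comparison applies at the point of payment: check the pasted address character by character against the one originally copied before sending funds.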
Thousands of Users Impacted Already
Between January and March, over 4,600 Russian users encountered this malware. While crypto mining is part of the attack, researchers warn that infected devices could be resold to more malicious actors, which would increase the threat.
Kaspersky urges users to download software only from official sources and warns that even sites like SourceForge, while legitimate, can be misused through deceptive download links.