Find notable cyber news and cases, enriched with sources, timelines, and signals.

KMSAuto-disguised clipper malware distribution

Malware Activity
First reported
Last updated
Happening score
H score 48
1 unique sources, 1 articles

Summary

Hide ▲

The KMSAuto-disguised clipper malware spread through 2.8 million copies worldwide, silently replacing cryptocurrency wallet addresses and driving theft from virtual-asset users. It scanned clipboard contents for crypto addresses and swapped in attacker-controlled destinations. The activity affected users tied to 3,100 virtual asset addresses and drove about 8,400 transactions. The malware ran from April 2020 to January 2023 and allegedly produced KRW 1.7 billion ($1.2 million) in losses.

Related Happenings

StealC and Amadey infostealer infrastructure disruption

Malware Activity
H score69 First: 24.06.2026 18:25 Last: 24.06.2026 18:25 Sources 1

About this happening: **StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...

Operation Endgame takedown of Amadey and StealC infrastructure

Law Enforcement
H score66 First: 24.06.2026 18:02 Last: 24.06.2026 18:02 Sources 1

About this happening: An **international law-enforcement takedown** under **Operation Endgame** disrupted shared infrastructure used by **Amadey** and **StealC**, with **Microsoft**, **Europol**, and i...

Windows cryptocurrency clipper campaign targeting users via USB LNK worms

Campaign
H score32 First: 18.06.2026 17:30 Last: 18.06.2026 17:30 Sources 1

About this happening: A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...

Rust-based clipboard hijacker that swaps wallet addresses

Malware Activity
H score10 First: 17.06.2026 21:14 Last: 17.06.2026 21:14 Sources 1

About this happening: The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...

Ghost Networks crypto-clipper promotion campaign

Campaign
H score15 First: 17.06.2026 21:14 Last: 17.06.2026 21:14 Sources 1

About this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...

Timeline

  1. 29.12.2025 21:25 2 articles · 6mo ago

    South Korean police disclose KMSAuto clipper malware arrest

    Initial Disclosure

    South Korean police said a 29-year-old Lithuanian national was arrested in South Korea after an Interpol-coordinated extradition from Georgia for allegedly distributing KMSAuto-disguised clipper malware that scanned clipboard contents for cryptocurrency addresses and replaced them with attacker-controlled destinations; investigators said the campaign ran from April 2020 to January 2023, spread 2.8 million copies worldwide, and led to about KRW 1.7 billion ($1.2 million) stolen in 8,400 transactions from users of 3,100 virtual asset addresses, with a December 2024 raid in Lithuania yielding 22 seized items and incriminating evidence.

    Show sources