KMSAuto-disguised clipper malware distribution
Malware Activity
Summary
The KMSAuto-disguised clipper malware spread through 2.8 million copies worldwide, silently replacing cryptocurrency wallet addresses and driving theft from virtual-asset users. It scanned clipboard contents for crypto addresses and swapped in attacker-controlled destinations. The activity affected users tied to 3,100 virtual asset addresses and drove about 8,400 transactions. The malware ran from April 2020 to January 2023 and allegedly produced KRW 1.7 billion ($1.2 million) in losses.
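The substitution described above (an address-shaped string on the clipboard silently replaced by another of the same family) can be spotted by comparing what the user actually copied with what the clipboard holds a moment later. The following is an added detection example, not code from the original report or from any of the cited sources; the event format, the address patterns and the sample events are all constructed for illustration.

```python
import re

# Illustrative patterns for two address families commonly targeted by
# clippers (assumption: these are simplified, not a full validator).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_family(text):
    """Return 'btc', 'eth', or None depending on what the string looks like."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


def detect_clipboard_swaps(events):
    """events: ordered (source, value) pairs. 'user' marks a copy the user
    performed (e.g. from a copy hotkey hook); 'poll' marks a periodic read
    of the clipboard. A swap is a poll whose value is an address of the
    same family as the last user copy but differs from it, with no user
    copy in between: exactly the footprint of a clipper."""
    findings = []
    last_user = None
    for idx, (source, value) in enumerate(events):
        if source == "user":
            last_user = value.strip()
            continue
        if last_user is None:
            continue
        family = address_family(last_user)
        if family and address_family(value) == family and value.strip() != last_user:
            findings.append({"event": idx, "family": family,
                             "expected": last_user, "observed": value.strip()})
    return findings


# Constructed sample: none of these addresses are real or taken from the report.
BTC_USER = "1DemoUserWaLLetAbcd5678Efgh9JKmnpq"
BTC_OTHER = "1AttackerDest9ZyxWvut3456KmnpqRstu"
ETH_USER = "0xabcdef0123456789abcdef0123456789abcdef01"
ETH_OTHER = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
SAMPLE_EVENTS = [
    ("user", BTC_USER), ("poll", BTC_USER), ("poll", BTC_OTHER),
    ("user", "meeting notes"), ("poll", "meeting notes"),
    ("user", ETH_USER), ("poll", ETH_OTHER),
]

if __name__ == "__main__":
    for f in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"clipboard swap at event {f['event']}: {f['expected']} -> {f['observed']}")
```

On a real host the 'user' events would come from a copy hook and the 'poll' events from reading the clipboard on a timer; the comparison logic stays the same.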
Related Happenings
SHub Reaper macOS infostealer variant
Malware Activity
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
Sefirah infostealer delivered through a malicious Hugging Face repository
Malware Activity
First: 09.05.2026 17:26
Last: 09.05.2026 17:26
Sources 1
About this happening:
A malicious **Hugging Face** repository impersonated **OpenAI’s Privacy Filter** and delivered **sefirah**, a **Rust-based infostealer**, to **Windows** users, creating credential...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
VENON Rust-based banking malware targeting Brazilian Windows users
Malware Activity
First: 12.03.2026 19:31
Last: 12.03.2026 19:31
Sources 1
About this happening:
Researchers disclosed **VENON**, a new **Rust-based banking malware** aimed at **Brazilian Windows users**, raising the risk of **credential theft** through fake banking overlays....
OpenClaw fake installer GitHub campaign promoted by Bing AI
Campaign
First: 06.03.2026 00:37
Last: 06.03.2026 00:37
Sources 1
About this happening:
A campaign **last month** used **fake OpenClaw installers** on **GitHub** and **Bing AI**-promoted search results to push **malware loaders** and **infostealers** to people trying...
Latest development: 09.03.2026 20:31
A malicious npm package named @openclaw-ai/openclawai, uploaded on March 3, 2026, masquerades as an OpenClaw installer and uses a postinstall hook to launch scripts/setup.js, display a fake CLI and iCloud Keychain prompt, and fetch a second-stage payload from trackpipe[.]dev. The chain installs a persistent RAT internally identified as GhostLoader and steals macOS Keychain data, browser credentials, crypto wallets, SSH keys, Apple Notes, iMessage history, Safari history, and Mail data before exfiltrating a tar.gz archive through the C2 server, Telegram Bot API, and GoFile.io.
Timeline
29.12.2025 21:25 2 articles · 4mo ago
South Korean police disclose KMSAuto clipper malware arrest
Initial Disclosure: South Korean police said a 29-year-old Lithuanian national was arrested in South Korea after an Interpol-coordinated extradition from Georgia for allegedly distributing KMSAuto-disguised clipper malware that scanned clipboard contents for cryptocurrency addresses and replaced them with attacker-controlled destinations. Investigators said the campaign ran from April 2020 to January 2023, spread 2.8 million copies worldwide, and led to about KRW 1.7 billion ($1.2 million) stolen in 8,400 transactions from users of 3,100 virtual asset addresses. A December 2024 raid in Lithuania yielded 22 seized items and incriminating evidence.
- Hacker arrested for KMSAuto malware campaign with 2.8 million downloads — www.bleepingcomputer.com — 29.12.2025 21:25