KMSAuto-disguised clipper malware distribution
Malware Activity
Summary
Hide ▲
Show ▼
The KMSAuto-disguised clipper malware spread through 2.8 million copies worldwide, silently replacing cryptocurrency wallet addresses and driving theft from virtual-asset users. It scanned clipboard contents for crypto addresses and swapped in attacker-controlled destinations. The activity affected users tied to 3,100 virtual asset addresses and drove about 8,400 transactions. The malware ran from April 2020 to January 2023 and allegedly produced KRW 1.7 billion ($1.2 million) in losses.
Related Happenings
StealC and Amadey infostealer infrastructure disruption
Malware Activity
H score69
First: 24.06.2026 18:25
Last: 24.06.2026 18:25
Sources 1
About this happening:
**StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...
StealC and Amadey infostealer infrastructure disruption
Malware ActivityAbout this happening: **StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...
Operation Endgame takedown of Amadey and StealC infrastructure
Law Enforcement
H score66
First: 24.06.2026 18:02
Last: 24.06.2026 18:02
Sources 1
About this happening:
An **international law-enforcement takedown** under **Operation Endgame** disrupted shared infrastructure used by **Amadey** and **StealC**, with **Microsoft**, **Europol**, and i...
Operation Endgame takedown of Amadey and StealC infrastructure
Law EnforcementAbout this happening: An **international law-enforcement takedown** under **Operation Endgame** disrupted shared infrastructure used by **Amadey** and **StealC**, with **Microsoft**, **Europol**, and i...
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
Campaign
H score32
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
CampaignAbout this happening: A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...
Rust-based clipboard hijacker that swaps wallet addresses
Malware Activity
H score10
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...
Rust-based clipboard hijacker that swaps wallet addresses
Malware ActivityAbout this happening: The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...
Ghost Networks crypto-clipper promotion campaign
Campaign
H score15
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
**Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Ghost Networks crypto-clipper promotion campaign
CampaignAbout this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Timeline
-
29.12.2025 21:25 2 articles · 6mo ago
South Korean police disclose KMSAuto clipper malware arrest
Initial DisclosureSouth Korean police said a 29-year-old Lithuanian national was arrested in South Korea after an Interpol-coordinated extradition from Georgia for allegedly distributing KMSAuto-disguised clipper malware that scanned clipboard contents for cryptocurrency addresses and replaced them with attacker-controlled destinations; investigators said the campaign ran from April 2020 to January 2023, spread 2.8 million copies worldwide, and led to about KRW 1.7 billion ($1.2 million) stolen in 8,400 transactions from users of 3,100 virtual asset addresses, with a December 2024 raid in Lithuania yielding 22 seized items and incriminating evidence.
Show sources
- Hacker arrested for KMSAuto malware campaign with 2.8 million downloads — www.bleepingcomputer.com — 29.12.2025 21:25
- Hacker arrested for KMSAuto malware campaign with 2.8 million downloads — www.bleepingcomputer.com — 29.12.2025 21:25