Ghost Networks crypto-clipper promotion campaign
Campaign
Summary
An unknown threat actor is running a cross-platform promotion campaign, active in June 2026, that uses fake reputation signals to push a cryptocurrency clipboard hijacker. The operation spreads through paid/promoted posts, fake accounts, and boosted activity on VirusTotal, GitHub, SourceForge, YouTube, and EIN Presswire. It targets cryptocurrency asset holders and online gamblers, who may trust the artificially inflated download counts and reviews and install the lure. If they do, the hidden Rust-based clipper can swap wallet addresses and divert funds to attacker-controlled accounts.
Related Happenings
Rust-based clipboard hijacker that swaps wallet addresses
Malware Activity
H score: 10
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
How related:
The Rust-based clipper targets both Windows and macOS systems, and continuously monitors the clipboard for content that matches a cryptocurrency wallet address pattern. When a match is found, the malware substitutes the wallet address with an attacker-controlled address pulled from a hard-coded list, effectively routing the digital assets to them.
About this happening:
The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...
NFCShare fake banking-app update phishing campaign
Campaign
H score: 40
First: 09.06.2026 01:11
Last: 09.06.2026 01:11
Sources 1
About this happening:
The **NFCShare** phishing campaign is using **fake banking-app updates** on **GitHub** to steal **payment card data** from customers of multiple banks across **Europe**, expanding...
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
H score: 39
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
Lucifer DaaS’s evolution into a commission-based drainer service platform
Threat Actor Meta
H score: 19
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
**Lucifer DaaS** has evolved into a **structured underground drainer platform**, shifting wallet theft from isolated phishing pages to a commission-based service model that scales...
Gremlin stealer modular toolkit evolution
Malware Activity
H score: 21
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
Timeline
17.06.2026 21:14 · 2 articles
Ghost Networks campaign promotes a Rust-based crypto clipboard hijacker
Campaign Scope Update
Check Point Research says an unknown threat actor used paid or promoted posts on legitimate news websites, fake accounts, a dedicated WordPress phishing page, GitHub and SourceForge projects, a YouTube channel created in July 2020, and coordinated VirusTotal activity to build trust around a Rust-based crypto clipboard hijacker hidden in Solana and Pump.fun sniper bots and crash-game predictors. The malware targets cryptocurrency asset holders and online gamblers, monitors Windows and macOS clipboards for wallet addresses, and swaps matching content with attacker-controlled addresses.
Sources:
- Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments — thehackernews.com — 17.06.2026 21:14