Rust-based clipboard hijacker spreading via fake crypto tools
Malware Activity
Summary
Hide ▲
Show ▼
A Rust-based clipboard hijacker is spreading through fake crypto tools and silently replacing copied wallet addresses, putting Windows and macOS users at risk of theft. The operation uses bogus GitHub stars, inflated download counts, and AI-narrated YouTube tutorials to make the downloads look legitimate. A WordPress phishing page serves as the distribution hub, and the malware runs at startup to persist on infected systems. On macOS, a bundled unlocker script helps users bypass Apple quarantine and Gatekeeper, increasing the chance the unsigned app will run.
Related Happenings
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware Activity
H score29
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware ActivityAbout this happening: A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
Campaign
H score32
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
CampaignAbout this happening: A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...
SocGholish malware downloader hijacking WordPress sites
Malware Activity
H score53
First: 18.06.2026 16:25
Last: 18.06.2026 16:25
Sources 1
About this happening:
SocGholish is a long-running **JavaScript-based malware downloader** that hijacks **legitimate WordPress sites** to push **fake browser updates**, creating a persistent path for v...
SocGholish malware downloader hijacking WordPress sites
Malware ActivityAbout this happening: SocGholish is a long-running **JavaScript-based malware downloader** that hijacks **legitimate WordPress sites** to push **fake browser updates**, creating a persistent path for v...
Ghost Networks crypto-clipper promotion campaign
Campaign
H score15
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
How related:
The campaign stands out for the effort it puts into looking legitimate. Check Point said the actor leaned on "Ghost Networks" of fake accounts to manufacture social proof across several platforms, including:
About this happening:
**Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Ghost Networks crypto-clipper promotion campaign
CampaignHow related: The campaign stands out for the effort it puts into looking legitimate. Check Point said the actor leaned on "Ghost Networks" of fake accounts to manufacture social proof across several platforms, including:
About this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor Meta
H score31
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor MetaAbout this happening: North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
Timeline
-
18.06.2026 18:00 2 articles · 1h ago
Rust clipboard hijacker campaign hides behind fake crypto tools and planted reputation signals
Initial DisclosureAn unnamed actor is using bogus GitHub stars, inflated SourceForge downloads, AI-narrated YouTube tutorials, planted VirusTotal votes, and a WordPress phishing hub to push booby-trapped crypto tools aimed at crypto traders and gamblers; the resulting Rust clipboard hijacker runs on Windows and macOS, persists at startup, watches the clipboard for wallet addresses, swaps them for attacker-controlled addresses, and on macOS adds an unlocker script to help users bypass Apple's quarantine and Gatekeeper.
Show sources
- Fake GitHub Stars and AI Videos Mask a Crypto Clipper — www.infosecurity-magazine.com — 18.06.2026 18:00
- Fake GitHub Stars and AI Videos Mask a Crypto Clipper — www.infosecurity-magazine.com — 18.06.2026 18:00