- Check Point Research Uncovers PR Campaign Distributing Rust Clipboard Hijacker Disguised as Legitimate Software
- Attackers used phishing sites, GitHub/SourceForge projects, fake YouTube channels, and even news press releases to boost credibility.
- Malware swaps crypto wallet addresses in the clipboard, and “ghost networks” manipulate reputation systems to evade detection.
Experts have warned that hackers have launched a cross-platform PR campaign to trick people into believing that the malware they are distributing is actually legitimate software.
A report from Check Point Research warned that even those who regularly perform due diligence could be deceived.
At the center of the campaign is a clipboard hijacker, a piece of information-stealing malware that monitors a victim’s clipboard for cryptocurrency wallet addresses. When it detects one, it replaces it with a different address belonging to the attackers. That way, when a victim tries to send money from one wallet to another, they end up paying the attackers. Both Windows and macOS users are at risk.
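The swap behaviour described above can be looked for in endpoint telemetry. The following is an added example, not code from Check Point's report or the original article: it flags a wallet address that is replaced within a short window by a different address of the same kind, written by another process. The event record (timestamp, writing process, clipboard text) is a hypothetical telemetry format, the address patterns check format only, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Format-only patterns (no checksum validation); enough to classify clipboard text.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

@dataclass
class ClipEvent:
    ts: float      # seconds since start of capture
    process: str   # process that set the clipboard (hypothetical telemetry field)
    text: str      # clipboard content after the change

def classify(text):
    """Return the address kind if the whole clipboard text is one address."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text.strip()):
            return kind
    return None

def find_swaps(events, window=2.0):
    """Flag an address replaced, within `window` seconds and by another
    process, with a different address of the same kind."""
    alerts, prev, prev_kind = [], None, None
    for ev in sorted(events, key=lambda e: e.ts):
        kind = classify(ev.text)
        if (kind and kind == prev_kind and ev.text.strip() != prev.text.strip()
                and ev.process != prev.process and ev.ts - prev.ts <= window):
            alerts.append({"kind": kind, "by": ev.process,
                           "copied": prev.text.strip(), "replaced_with": ev.text.strip()})
        prev, prev_kind = ev, kind
    return alerts

# Constructed sample telemetry; addresses and process names are made-up placeholders.
SAMPLE = [
    ClipEvent(0.0, "browser.exe", "0x" + "a" * 40),
    ClipEvent(0.3, "updater.exe", "0x" + "b" * 40),  # same kind, other process, 0.3 s later
    ClipEvent(20.0, "wallet.exe", "1" + "A" * 30),
    ClipEvent(95.0, "browser.exe", "1" + "B" * 30),  # a later, unrelated copy: not flagged
]

if __name__ == "__main__":
    print(find_swaps(SAMPLE))
```

The time window and the different-process condition keep ordinary behaviour, such as a user copying a second address a minute later, from raising an alert.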
Abusing newswire sites
“The threat actor uses multiple channels to promote and distribute a Rust clipboard hijacker, starting with a dedicated phishing page as a hub and extending to GitHub and SourceForge projects promoted by fake accounts,” the company said.
“A dedicated YouTube channel, using AI-generated narrators, suspicious viewing spikes, and very positive (probably coordinated) comments, further reinforces the illusion of popularity and trustworthiness.”
To distribute the malware, the attackers carried out a fairly aggressive PR campaign: they created a dedicated phishing page, multiple GitHub and SourceForge projects and accounts, as well as a fake YouTube channel. But the most surprising part is the distribution of news articles through newswire sites.
Newswire sites are services that distribute company press releases and announcements to media outlets, journalists, websites and investors. Most newswire services allow anyone to submit and distribute press releases, usually for a fee, but they are generally considered a legitimate source of reliable news.
At the same time, the hackers went the extra mile to make sure that the clipboard hijacker is not flagged as malware. By using numerous fake accounts (so-called “ghost networks”), they manipulate reputation-based systems like VirusTotal, fooling researchers and potential users into thinking that detections of the programs are false positives.
“Even if this campaign is not primarily aimed at large companies, it demonstrates that attackers no longer rely solely on classic malware distribution techniques to reach victims,” the researchers concluded. “Instead, they can manipulate reputation systems, collective feedback, and cross-platform promotion to reduce suspicion and attract more users.”
Via Hacker News





