Discord Malware Uses Clipboard Hijacking for Crypto Theft
Overview of the Campaign
Cybersecurity researchers at CloudSEK have uncovered a stealth-focused malware campaign that leverages Discord as its primary distribution vector. The malware is designed to hijack clipboard content in real time to redirect cryptocurrency transactions to attacker-controlled wallets. The campaign specifically targets gaming, streaming, and cryptocurrency trading communities, where file-sharing behavior is common and security scrutiny is often low.
Initial Access and Delivery Mechanism
The malware is delivered as a Windows executable compiled from Python source code. The file is typically disguised as a legitimate utility or optimization tool and shared via Discord servers or direct messages. Social engineering plays a critical role, as the attacker embeds the malicious file within trusted community discussions to increase execution likelihood.
Once the victim downloads and executes the file, no elevated privileges are required, allowing the malware to run under standard user permissions and avoid privilege escalation alerts.
Execution and Persistence Techniques
Upon execution, the malware copies itself into a user-accessible directory such as %AppData% or %LocalAppData%. It then establishes persistence through Windows registry modification by creating an autorun entry under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This ensures the malware automatically launches on every system startup. The persistence mechanism is lightweight and does not rely on scheduled tasks or services, reducing its detection surface.
Clipboard Hijacking Functionality
The primary malicious capability is clipboard hijacking. After persistence is achieved, the malware continuously monitors clipboard activity by interfacing with the Windows Clipboard API. It scans copied content for patterns that match known cryptocurrency wallet address formats, including Bitcoin and Ethereum.
When a match is detected, the malware replaces the copied wallet address with a hardcoded attacker-controlled address. This substitution occurs almost instantaneously, often before the user pastes the content into a wallet or exchange application. Because the pasted address appears valid, the transaction proceeds without raising suspicion.
Evasion and Stealth Characteristics
Unlike traditional cryptojacking malware that performs unauthorized mining, this campaign avoids heavy CPU usage, GPU utilization, or sustained network communication. As a result, system performance remains unaffected, allowing the malware to evade detection mechanisms that rely on resource anomaly monitoring.
Additionally, the malware operates entirely in user space and does not inject into other processes. Basic obfuscation techniques are applied to the codebase to slow static analysis and reduce signature-based detection effectiveness.
Threat Actor Attribution and Operational Behavior
CloudSEK attributes the campaign to a threat actor operating under the alias RedLineCyber. The actor demonstrates moderate to high operational maturity, frequently rotating cryptocurrency wallet addresses and updating payload hashes to evade antivirus signatures and complicate blockchain tracing efforts.
The actor’s focus on clipboard hijacking reflects a clear intent to prioritize reliability and stealth over large-scale infection volume.
Impact Assessment
The impact of this malware is financially significant due to the irreversible nature of cryptocurrency transactions. Victims typically detect the compromise only after funds are transferred. Because no credentials are stolen and no obvious malicious activity occurs, post-incident forensic analysis can be challenging.
Detection and Mitigation Recommendations
Defensive strategies should include monitoring abnormal clipboard API access, registry autorun modifications, and unauthorized executable launches from user directories. Endpoint security tools with behavioral detection capabilities are more effective than signature-based solutions for identifying this threat.
Users should manually verify wallet addresses before approving cryptocurrency transactions and avoid executing binaries shared via social platforms without validation.
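The following script is an added illustration of the detection guidance above; it is not tooling from CloudSEK or from the report. It replays a few constructed, Sysmon-style events (registry value set and process creation) and flags the two behaviours the campaign relies on: an HKCU Run entry whose target lives under %AppData% or %LocalAppData%, and an executable launched from such a directory by a chat client. The tab-separated key=value event layout, the sample paths and the rule names are all assumptions made for the demo.

```python
import re

# Constructed sample events (assumption: a simplified tab-separated
# key=value layout, not real Sysmon XML). Event 13 = registry value set,
# event 1 = process creation. Paths are invented for this illustration.
SAMPLE_EVENTS = [
    "EventID=13\tImage=C:\\Users\\alice\\AppData\\Roaming\\gpuboost.exe"
    "\tTargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GpuBoost"
    "\tDetails=C:\\Users\\alice\\AppData\\Roaming\\gpuboost.exe",
    "EventID=13\tImage=C:\\Program Files\\Vendor\\setup.exe"
    "\tTargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray"
    "\tDetails=\"C:\\Program Files\\Vendor\\tray.exe\" --minimized",
    "EventID=1\tImage=C:\\Users\\alice\\AppData\\Local\\Temp\\optimizer.exe"
    "\tParentImage=C:\\Users\\alice\\AppData\\Local\\Discord\\app-1.0\\Discord.exe",
    "EventID=1\tImage=C:\\Windows\\System32\\notepad.exe"
    "\tParentImage=C:\\Windows\\explorer.exe",
]

# The autorun location named in the report.
RUN_KEY_RE = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Per-user, user-writable directories (%AppData% and %LocalAppData%).
USER_DIR_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
# Pull the executable path out of a Run value that may be quoted or carry args.
EXE_PATH_RE = re.compile(r'^"?([^"]+?\.exe)"?', re.I)
# Chat clients used as the delivery channel (assumption: only Discord here).
CHAT_PARENTS = ("\\discord.exe",)


def parse_event(line):
    """Split one constructed event line into a dict of its fields."""
    fields = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def executable_from_value(value):
    """Return the executable path from a Run value such as '"C:\\x\\y.exe" --arg'."""
    match = EXE_PATH_RE.match(value.strip())
    return match.group(1) if match else value.strip()


def analyze(lines):
    """Return a list of findings for events matching the two behaviours."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        event_id = ev.get("EventID")
        if event_id == "13" and RUN_KEY_RE.match(ev.get("TargetObject", "")):
            target = executable_from_value(ev.get("Details", ""))
            # Persistence check: a Run entry pointing into a user-writable directory.
            if USER_DIR_RE.search(target):
                findings.append({"rule": "run_key_points_to_user_dir",
                                 "key": ev["TargetObject"], "path": target})
        elif event_id == "1":
            image = ev.get("Image", "")
            parent = ev.get("ParentImage", "")
            # Delivery check: a binary run from AppData whose parent is a chat client.
            if USER_DIR_RE.search(image) and parent.lower().endswith(CHAT_PARENTS):
                findings.append({"rule": "exe_launched_from_user_dir_by_chat_client",
                                 "path": image, "parent": parent})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Only the first and third sample events produce findings: the vendor tray entry lives under Program Files, and notepad.exe is launched by Explorer from System32. In practice the chat-client allow-list and the user-directory pattern are the tuning points; widening the parent check to any browser or messenger raises coverage at the cost of more review work on update installers that legitimately run from %LocalAppData%.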