Attackers are abusing Discord, a communication platform popular with gamers and streamers, to distribute a stealthy clipboard hijacker. The malware targets cryptocurrency users: when a victim copies a wallet address, it silently overwrites the clipboard with an attacker-controlled address, so the victim pastes, and sends funds to, the wrong wallet. The threat actor, identified as “RedLineCyber,” first builds trust inside gaming and cryptocurrency-related Discord communities and then hands out the malware disguised as a helpful tool.
The campaign, uncovered by CloudSEK analysts, involves a fake persona named “RedLine Solutions” that befriends server members. This actor then privately shares malicious Windows executables, typically named Pro.exe or peeek.exe, claiming they aid in managing or securing wallet addresses during live streams. This social engineering tactic effectively bypasses initial suspicion, turning trust into a vector for financial theft. The malware’s primary function is to monitor clipboard activity and swap cryptocurrency wallet addresses with those controlled by the attackers, making the theft nearly undetectable until funds are irrevocably lost.
Attackers Abuse Discord to Deliver Clipboard Hijacker
The effectiveness of this attack comes from its targeting and from a habit it exploits: streamers and active cryptocurrency traders copy and paste long wallet addresses many times a day and rarely compare a string of thirty or more characters character by character, so a swapped address is simply not noticed. The malware runs quietly with minimal resource usage and no visible window, which lets it persist for long periods while waiting for a high-value transaction to pass through the clipboard. Blockchain analysis has already revealed theft across multiple major cryptocurrencies, including Bitcoin, Ethereum, Solana, Dogecoin, Litecoin, and Tron, indicating the reach of this operation.
CloudSEK researchers detailed how the threat actor operates within underground forums and Discord channels, identifying the “RedLine Solutions” persona and tracing the malware’s origin. The malicious program is a Python script packed into a Windows executable with PyInstaller, so it runs on systems that have no Python installation. Unlike traditional information-stealing malware, which harvests credentials, cookies and files broadly, this campaign does one thing: it manipulates clipboard data that looks like a cryptocurrency address. That single focus makes the theft mechanism small, quiet and effective.
Infection Mechanism and Clipboard Hijacking Logic
Upon execution, the malicious program installs itself into a folder named “CryptoClipboardGuard” under the user’s %APPDATA% directory. It then registers itself in the current user’s Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), so it is started again at every logon of that user. It runs in the background with no visible user interface, which adds to its stealth. The bundled Python runtime and obfuscated bytecode let it execute on any Windows system regardless of whether Python is installed.
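The two persistence artifacts above (the %APPDATA%\CryptoClipboardGuard folder and the HKCU Run key entry) are what a responder can check on a suspected host. The following triage script is an added example and is not code from CloudSEK or from the malware; the Run value name “CryptoClipboardGuard”, the sample command lines and the user profile path are constructed for the demonstration, and the lower-confidence “autorun_from_appdata” verdict is a generalisation (any .exe autostarting from under %APPDATA%) that goes beyond what the report states:

```python
import ntpath
import os

# Host artifacts named in the report for this sample: the install folder under
# %APPDATA% and the per-user autostart key the malware writes itself into.
ARTIFACT_DIR = "CryptoClipboardGuard"
ARTIFACT_LOG = "activity.log"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # under HKEY_CURRENT_USER


def executable_path(command):
    """Pull the executable out of a Run-key command line.

    Handles the common shapes  "C:\\path\\x.exe" --args  and  C:\\path\\x.exe --args.
    An unquoted path that itself contains spaces is not resolved (first token only).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_run_entries(entries, appdata):
    """Classify (value_name, command) pairs read from a Run key.

    ioc_match            -> executable sits inside %APPDATA%\\CryptoClipboardGuard
    autorun_from_appdata -> any other .exe autostarting from under %APPDATA%
                            (generic user-land persistence pattern; an assumption
                            added here, not something the report describes)
    """
    appdata_l = ntpath.normpath(appdata).lower()          # ntpath: Windows paths on any OS
    ioc_dir = ntpath.join(appdata_l, ARTIFACT_DIR.lower())
    findings = []
    for name, command in entries:
        exe = ntpath.normpath(executable_path(command)).lower()
        if exe.startswith(ioc_dir + "\\"):
            findings.append((name, command, "ioc_match"))
        elif exe.startswith(appdata_l + "\\") and exe.endswith(".exe"):
            findings.append((name, command, "autorun_from_appdata"))
    return findings


def artifact_paths(appdata):
    """Filesystem artifacts to look for on a suspected host."""
    base = ntpath.join(appdata, ARTIFACT_DIR)
    return [base, ntpath.join(base, ARTIFACT_LOG)]


def collect_run_entries():
    """Read HKCU\\...\\Run on a live Windows host; returns [] elsewhere (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values under the key
                break
            entries.append((name, str(value)))
            index += 1
    return entries


# Constructed sample data (not from a real host) so the triage can run offline.
SAMPLE_APPDATA = r"C:\Users\streamer\AppData\Roaming"
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\streamer\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("CryptoClipboardGuard",                       # value name is assumed, not reported
     r'"C:\Users\streamer\AppData\Roaming\CryptoClipboardGuard\Pro.exe"'),
    ("Updater", r"C:\Users\streamer\AppData\Roaming\Updater\peeek.exe --silent"),
    ("Discord", r"C:\Users\streamer\AppData\Local\Discord\Update.exe --processStart Discord.exe"),
]


if __name__ == "__main__":
    live = collect_run_entries()                       # real key on Windows, [] elsewhere
    appdata = os.environ.get("APPDATA", SAMPLE_APPDATA)
    entries = live if live else SAMPLE_ENTRIES
    for name, command, verdict in triage_run_entries(entries, appdata):
        print(f"[{verdict}] {name}: {command}")
    for path in artifact_paths(appdata):
        print(f"{'present' if os.path.exists(path) else 'absent '} {path}")
```

On a Windows host the script reads the real Run key and checks for the folder and activity.log; elsewhere it falls back to the constructed entries. The OneDrive and Discord entries live under AppData\Local rather than %APPDATA% (Roaming), so they are not flagged; Pro.exe under CryptoClipboardGuard is an indicator match, and peeek.exe autostarting from another Roaming folder is reported at lower confidence.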
The malware operates in a continuous loop, reading the user’s clipboard roughly three times per second. Whenever the content changes, it is matched against a set of regular expressions, stored base64-encoded and decoded at run time, which keeps the address patterns out of a plain strings scan of the binary, and which describe the formats of popular cryptocurrency wallet addresses. On a match, the malware immediately overwrites the clipboard with a pre-defined attacker-controlled wallet address for that cryptocurrency. Every swap is recorded in an “activity.log” file inside the %APPDATA%\CryptoClipboardGuard directory.
The replacement happens within a fraction of a second of the copy, well before the user pastes, so victims rarely notice the change until the funds have already gone to the attacker’s wallet; because cryptocurrency transactions are irreversible, recovery is exceptionally difficult once the transfer is broadcast. The malware generates no command-and-control traffic, so network monitoring will not see it; detection has to rely on host artifacts (the %APPDATA% folder, the Run key entry, the log file) and on the clipboard behaviour itself.
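Because the swap is the only observable behaviour, a defender can look for it directly: if the clipboard goes from one address to a different address of the same coin within a fraction of a second, something other than the user wrote it. The monitor below is an added example, not code from the report or from the malware. The address patterns are shape checks written for this example (they do not validate checksums, and the page does not publish the malware’s own patterns), the half-second threshold is an assumption, and the clipboard timeline and addresses are constructed. It goes beyond the single swap in the text by handling all six coins the report names:

```python
import re
import time
from dataclasses import dataclass

# Rough format matchers for the coins the report names. Order matters: the bare
# base58 Solana pattern comes last because it would also match Tron, Dogecoin and
# legacy Bitcoin/Litecoin addresses. These are shape checks, not checksum validation.
ADDRESS_PATTERNS = [
    ("ETH", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("BTC", re.compile(r"bc1[a-z0-9]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34}")),
    ("LTC", re.compile(r"ltc1[a-z0-9]{25,62}|[LM][1-9A-HJ-NP-Za-km-z]{26,33}")),
    ("DOGE", re.compile(r"D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}")),
    ("TRX", re.compile(r"T[1-9A-HJ-NP-Za-km-z]{33}")),
    ("SOL", re.compile(r"[1-9A-HJ-NP-Za-km-z]{32,44}")),
]


def classify_address(text):
    """Return the coin whose address shape `text` matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS:
        if pattern.fullmatch(text):
            return coin
    return None


@dataclass(frozen=True)
class Snapshot:
    t: float      # seconds since monitoring started
    text: str     # clipboard contents at that instant


@dataclass(frozen=True)
class SwapAlert:
    coin: str
    original: str
    replacement: str
    dt: float     # seconds between the two observations


def find_swaps(snapshots, max_gap=0.5):
    """Flag transitions where one address is replaced by a *different* address of
    the same coin within `max_gap` seconds. A person rarely copies two same-coin
    addresses half a second apart; a hijacker polling ~3 times/s always does."""
    alerts = []
    prev = None
    for snap in snapshots:
        if prev is not None and snap.text != prev.text:
            before, after = classify_address(prev.text), classify_address(snap.text)
            if before is not None and before == after and snap.t - prev.t <= max_gap:
                alerts.append(SwapAlert(before, prev.text, snap.text, snap.t - prev.t))
        prev = snap
    return alerts


def watch(read_clipboard, duration=60.0, interval=0.05, max_gap=0.5):
    """Poll read_clipboard() (e.g. pyperclip.paste) every `interval` seconds.
    The poll rate must beat the hijacker's, or the original value is never seen."""
    start = time.monotonic()
    snaps = []
    while time.monotonic() - start < duration:
        snaps.append(Snapshot(time.monotonic() - start, read_clipboard()))
        time.sleep(interval)
    return find_swaps(snaps, max_gap)


# Constructed clipboard timeline (addresses are synthetic, not real wallets):
# the user copies an ETH address, the hijacker overwrites it ~0.2 s later,
# and much later the user legitimately copies two different BTC addresses.
ETH_USER = "0x" + "ab" * 20
ETH_ATTACKER = "0x" + "cd" * 20
BTC_ONE = "1" + "A" * 33
BTC_TWO = "bc1q" + "q" * 38
SAMPLE_TIMELINE = [
    Snapshot(0.0, ""),
    Snapshot(10.0, ETH_USER),
    Snapshot(10.1, ETH_USER),
    Snapshot(10.3, ETH_ATTACKER),   # swap lands here
    Snapshot(10.4, ETH_ATTACKER),
    Snapshot(20.0, "see you on stream"),
    Snapshot(30.0, BTC_ONE),
    Snapshot(45.0, BTC_TWO),        # 15 s apart: legitimate, not flagged
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_TIMELINE):
        print(f"{alert.coin} address swapped after {alert.dt:.2f}s: "
              f"{alert.original} -> {alert.replacement}")
```

Run against the constructed timeline this reports exactly one swap, the ETH overwrite at 10.3 s; the two Bitcoin addresses copied fifteen seconds apart are left alone. Feeding `watch()` a real clipboard reader turns it into a live monitor, with the caveat that it has to sample faster than the hijacker’s three reads per second or it will only ever see the attacker’s address.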
The ongoing nature of this threat highlights the persistent risk of social engineering inside online communities. As attackers keep refining their methods, users of platforms like Discord should be extremely cautious about downloading and executing files, even from seemingly trusted contacts, and should treat any unsolicited “wallet helper” executable with suspicion. Comparing the full pasted address against the source, not just its first and last few characters, before confirming a transaction remains the critical safeguard, because with this hijacker the check at the moment of sending is the last line of defence.