A fake Proxifier installer hosted on GitHub is being used to distribute ClipBanker, a cryptocurrency-stealing clipper. The campaign, active since early 2025, targets users searching for the popular proxy software and steals funds by silently swapping wallet addresses in the clipboard.
Researchers at Securelist detailed the operation, which begins with search-engine poisoning: results for Proxifier are manipulated to rank a malicious GitHub repository that mimics the legitimate project. The repository offers what looks like a complete download package, an executable installer plus activation keys, which makes the offer look like an ordinary cracked-software bundle rather than malware. The installer is in fact a Trojan built to gain a foothold on the system and steal cryptocurrency.
According to Oleg Kupreev, writing on Securelist, Kaspersky telemetry has recorded more than 2,000 users of Kaspersky products affected by the campaign since it began. Most detections come from India and Vietnam, indicating a geographic focus. ClipBanker itself is built for one purpose: monitoring and rewriting clipboard contents to redirect cryptocurrency payments.
Deep Dive into the ClipBanker Infection Chain
The infection chain started by the fake Proxifier installer is multi-stage, with each stage working to evade detection and establish persistence. When the installer runs, it drops a small stub file of roughly 1.5 KB into the system's temporary folder. The stub is disguised as a legitimate Proxifier process to avoid drawing attention.
A .NET application, api_updater.exe, is then injected into this stub. Its sole job is to silently add Microsoft Defender exclusions for the temporary folder and the current directory. This step is what lets the later stages run without triggering alerts, so the rest of the infection proceeds undetected.
Meanwhile, the genuine Proxifier installer is launched in the foreground to hold the user's attention while the malicious work continues in the background. The Trojan injects another component, proxifierupdater.exe, which in turn injects code into conhost.exe, the legitimate Windows console host. From there it runs an obfuscated PowerShell script entirely in memory, a fileless technique that makes detection and cleanup considerably harder.
The PowerShell script handles persistence. It adds both PowerShell and conhost.exe to Defender's process exclusion list, then stores an encoded script in the registry under HKLM\SOFTWARE\System::Config. It also creates a scheduled task with the innocuous name "Maintenance Settings Control Panel" that runs the malware each time the user logs in.
When the task fires, it reads the encoded script from the registry, decodes it, and downloads the next stage from Pastebin-like paste services. The final payload arrives as shellcode and is injected into fontdrvhost.exe, a system process. Only at this point does ClipBanker become fully active: it polls the clipboard for anything that looks like a cryptocurrency wallet address and, as soon as one appears, replaces it with an attacker-controlled address for the same chain.
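The chain above leaves a handful of host artifacts that a responder can check for directly. The following read-only PowerShell triage script is an added example, not code from the Securelist report or from the malware. The task name, registry key, and the conhost.exe / fontdrvhost.exe injection targets are taken from the article; the generic heuristics (any logon-triggered task that runs encoded or hidden PowerShell, and any network connection from the two injection targets) are this example's own assumptions. Run it in an elevated Windows PowerShell 5.1 or newer session on the suspect host.

```powershell
# Added triage example (not from the report): enumerate the persistence
# artifacts of the fake-Proxifier / ClipBanker chain on the local host.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Defender exclusions. The chain excludes the temp folder, the installer's
#    directory and the powershell.exe / conhost.exe processes. Legitimate
#    deployments almost never exclude these, so flag any of them.
$prefs = Get-MpPreference
foreach ($p in @($prefs.ExclusionPath)) {
    if ($p -and $p -match '(?i)\\Temp(\\|$)') {
        $findings.Add("Defender path exclusion covers a temp folder: $p")
    }
}
foreach ($proc in @($prefs.ExclusionProcess)) {
    if ($proc -and $proc -match '(?i)(^|\\)(conhost|powershell|pwsh)\.exe$') {
        $findings.Add("Defender process exclusion for a system binary: $proc")
    }
}

# 2. Scheduled tasks: the exact task name from the article, plus the generic
#    form of the TTP (logon trigger that starts encoded/hidden PowerShell).
foreach ($task in Get-ScheduledTask) {
    $exe     = ($task.Actions | ForEach-Object { $_.Execute })   -join ' '
    $cmdArgs = ($task.Actions | ForEach-Object { $_.Arguments }) -join ' '
    $logon   = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if ($task.TaskName -eq 'Maintenance Settings Control Panel') {
        $findings.Add("Named task present: $($task.TaskPath)$($task.TaskName) -> $exe $cmdArgs")
    }
    elseif ($logon -and $exe -match '(?i)powershell|pwsh' -and
            $cmdArgs -match '(?i)-(e|ec|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden') {
        $findings.Add("Logon task runs encoded/hidden PowerShell: $($task.TaskName) -> $exe $cmdArgs")
    }
}

# 3. Registry stash. The task reads an encoded script from this key; dump the
#    first bytes of every value so the analyst can decode it offline.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\System::Config')
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $val = [string]$key.GetValue($name)
        $preview = $val.Substring(0, [Math]::Min(60, $val.Length))
        $findings.Add("Registry stash value '$name' ($($val.Length) chars): $preview...")
    }
    $key.Close()
}

# 4. Injection targets. conhost.exe and fontdrvhost.exe have no reason to talk
#    to the network; an established TCP connection from either is a strong
#    indicator of injected code (heuristic, this example's assumption).
$hosts = Get-Process -Name conhost, fontdrvhost -ErrorAction SilentlyContinue
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($h in $hosts) {
    $remote = $conns | Where-Object { $_.OwningProcess -eq $h.Id } |
              ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
    if ($remote) {
        $findings.Add("$($h.ProcessName) PID $($h.Id) has network connections: $($remote -join ', ')")
    }
}

if ($findings.Count -eq 0) { 'No ClipBanker persistence indicators found.' } else { $findings }
```

A clean result does not prove the host is uninfected: the exclusion and task names can change between builds, and the network check only catches the payload while it is actively fetching or beaconing. Treat any single hit as grounds for a full memory and registry examination rather than deleting the artifact in isolation.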
ClipBanker's address matching covers more than 26 blockchain networks, including Bitcoin, Ethereum, Solana, Monero, Dogecoin, TRON, Ripple and Litecoin. This breadth means that almost any victim who pays in cryptocurrency is exposed, not just holders of one or two major coins.
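Because a clipper only acts on text that looks like a wallet address, a cheap live check is to place a known address on the clipboard, wait, and read it back. The PowerShell below is an added example, not code from the report or the malware: a loose, checksum-free classifier for a subset of the chains the article names (the regular expressions are this example's own, and intentionally approximate), plus a clipboard canary round-trip. The canary value is the public Bitcoin genesis-block coinbase address, chosen because it is a well-known valid address that any clipper will recognise.

```powershell
# Added example (not from the report): approximate wallet-address classifier
# and a clipboard canary to detect a running clipper on the current desktop.
function Get-WalletAddressType {
    param([Parameter(Mandatory)][string]$Text)
    $t = $Text.Trim()
    # Loose patterns, no checksum validation: this mirrors what a clipper needs
    # in order to decide "this is an address", not a wallet's own validation.
    $patterns = [ordered]@{
        'Bitcoin (legacy/P2SH)' = '^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$'
        'Bitcoin (bech32)'      = '^bc1[ac-hj-np-z02-9]{11,71}$'
        'Ethereum'              = '^0x[0-9a-fA-F]{40}$'
        'TRON'                  = '^T[1-9A-HJ-NP-Za-km-z]{33}$'
        'Litecoin'              = '^(ltc1[ac-hj-np-z02-9]{11,71}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$'
        'Dogecoin'              = '^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$'
        'Ripple'                = '^r[1-9A-HJ-NP-Za-km-z]{24,34}$'
        'Monero'                = '^[48][1-9A-HJ-NP-Za-km-z]{94}$'
    }
    foreach ($name in $patterns.Keys) {
        if ($t -match $patterns[$name]) { return $name }
    }
    return $null
}

function Test-ClipboardCanary {
    param(
        # Bitcoin genesis-block coinbase address: public, valid, widely known.
        [string]$Canary = '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa',
        # Clippers poll; give a slow one time to act before reading back.
        [int]$WaitSeconds = 3
    )
    $saved = Get-Clipboard -Raw -ErrorAction SilentlyContinue
    try {
        Set-Clipboard -Value $Canary
        Start-Sleep -Seconds $WaitSeconds
        $observed = [string](Get-Clipboard -Raw)
        $observed = $observed.Trim()
        $tampered = ($observed -ne $Canary)
        [pscustomobject]@{
            Tampered     = $tampered
            Original     = $Canary
            Observed     = $observed
            # If swapped, the replacement is the attacker's address; a clipper
            # normally keeps the chain the same so the victim sees nothing odd.
            ObservedType = if ($tampered) { Get-WalletAddressType -Text $observed } else { 'unchanged' }
        }
    }
    finally {
        # Put back whatever the user had on the clipboard.
        if ($null -ne $saved) { Set-Clipboard -Value $saved }
    }
}

Test-ClipboardCanary | Format-List
```

A result with Tampered set to False rules out only a clipper that is currently running in this interactive session and polling within the wait window; it says nothing about dormant persistence, which the host-side checks earlier in this article address. A result with Tampered set to True and ObservedType of 'Bitcoin (legacy/P2SH)' or 'Bitcoin (bech32)' is the textbook clipper behaviour: same chain, different destination.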
Mitigation Strategies and User Precautions
To protect against this and similar campaigns, users should be very careful about where they download software. Obtain software only from the developer's official, verified website; a repository on GitHub, however polished, confers no trust by itself, and a bundle that includes "activation keys" is a red flag in its own right. Running a reputable, regularly updated security product remains essential, since it can detect and block the installer before any damage is done.
Those who cannot use paid security software should verify every download source before running any file. For defenders, the chain described here is also visible in telemetry: Microsoft Defender's operational event log records configuration changes such as new exclusions (event ID 5007), scheduled tasks that launch PowerShell at logon are easy to enumerate, and neither conhost.exe nor fontdrvhost.exe has any legitimate reason to open network connections. The search-engine poisoning behind this campaign shows why user vigilance still matters, and its success underscores the value of layered defences that combine user education with technical controls.