A new Linux malware, dubbed ClipXDaemon, has emerged as a significant threat to cryptocurrency users operating within X11 desktop environments. This sophisticated threat operates without relying on traditional command-and-control (C2) servers, instead independently monitoring system clipboards. By silently replacing legitimate cryptocurrency wallet addresses with ones controlled by attackers, ClipXDaemon poses a direct financial risk to unsuspecting users. The malware was first identified in early February 2026, exhibiting a common obfuscation technique used by other Linux-based malware families.
ClipXDaemon works by polling the clipboard every 200 milliseconds. When a user copies a cryptocurrency wallet address, the malware substitutes an attacker-controlled address before the user can paste it. The replacement often goes unnoticed until funds have been irrevocably sent to the wrong destination. Because the malware requires no outbound connections or external infrastructure to function, its C2-less architecture renders many standard network-based detection and defense mechanisms ineffective.
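Since network telemetry does not help here, the swap itself is the observable event. The following is an added example, not code from the article or from Cyble: a host-side heuristic that scans a time-ordered clipboard history for an address replaced by a different address of the same format sooner than a person could re-copy one. The address patterns are simplified, the one-second window is an assumed threshold, and how the snapshots are collected is left to a hypothetical collector.

```python
import re

# Simplified patterns (assumed) for three of the eight formats the article names.
# Real validators also verify checksums; these only match the overall shape.
PATTERNS = {
    "bitcoin": re.compile(r"^(?:bc1[a-z0-9]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}
SWAP_WINDOW_MS = 1000  # assumption: nobody re-copies a new address this fast


def classify(text):
    """Return the format name if text looks like a wallet address, else None."""
    for name, rx in PATTERNS.items():
        if rx.match(text.strip()):
            return name
    return None


def find_swaps(snapshots, window_ms=SWAP_WINDOW_MS):
    """Flag an address replaced by a different address of the same format
    within window_ms. snapshots: time-ordered (timestamp_ms, clipboard_text)."""
    alerts, last = [], None  # last = (first_seen_ms, text, format)
    for ts, raw in snapshots:
        text, fmt = raw.strip(), classify(raw)
        if fmt is None:
            last = None  # non-address content resets the tracker
            continue
        if last is not None and text == last[1]:
            continue  # unchanged; keep the first-seen timestamp
        if last is not None and fmt == last[2] and ts - last[0] <= window_ms:
            alerts.append({"format": fmt, "original": last[1],
                           "replacement": text, "delta_ms": ts - last[0]})
        last = (ts, text, fmt)
    return alerts


# Constructed clipboard history (not real wallet addresses).
SAMPLE = [
    (0, "meeting notes"),
    (5000, "0x" + "a" * 40),    # user copies an address
    (5200, "0x" + "b" * 40),    # different address 200 ms later: suspicious
    (60000, "0x" + "c" * 40),   # a later, deliberate copy: not flagged
    (60200, "0x" + "c" * 40),
    (90000, "T" + "1" * 33),    # Tron-shaped string
    (90150, "0x" + "d" * 40),   # format differs, so not counted as a swap
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE):
        print(alert)
```

On the constructed history this reports a single alert, for the Ethereum-shaped string that changed 200 ms after it was copied.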
ClipXDaemon: A Silent Financial Threat Targeting Linux Users
The discovery of ClipXDaemon was made by security analysts at Cyble, who noted its targeting of eight popular cryptocurrency formats: Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON. The malware employs

