Clipboard Hijacker Campaign: How Ghost Networks Manipulate Trust

On June 17, 2026, Check Point Research published a groundbreaking analysis of a highly coordinated, multi-platform malware campaign that upends traditional models of cyber defense. Historically, threat actors have relied on stealth, sophisticated evasion techniques, and code obfuscation to slip past security controls. In this campaign, however, the adversary has opted for an aggressive, public-facing strategy: manufacturing an entire “fake reputation economy” to distribute a cross-platform clipboard hijacker. By building artificial popularity, coordinated reviews, and manipulated safety ratings across reputable developer, media, and security platforms, the threat actor systematically defeats human skepticism. This calculated social engineering effort lures victims—primarily cryptocurrency holders, automated traders, and online gamblers—into executing highly destructive payloads under the illusion of guaranteed safety.
The Rise of the “Fake Reputation Economy”: How Trust is Manufactured
Most modern cyber attacks rely on spear-phishing or drive-by downloads where the malware seeks to remain as quiet as possible. This campaign, however, behaves like a sophisticated digital marketing agency. To capture victims, the threat actor leverages specific high-yield financial lures: automated Solana and Pump.fun trading sniper bots, “Aviator Predictors,” and various crash-game forecasting utilities. These tools target users seeking automated shortcuts to quick, effortless profits.
To establish unshakeable credibility, the threat actor operates several highly coordinated “Ghost Networks”—autonomous clusters of automated or compromised accounts designed to manipulate metrics on widely trusted platforms:
- GitHub Abuse: The attacker operates at least five distinct, interconnected GitHub accounts, including Decryptor-j, crash-predictor1, roblox-script1, hack-scripts, and stake-mines. These accounts work in unison to cross-promote, star, fork, and download each other’s malicious repositories. One repository generated over 146 stars and 62 forks solely through these automated puppet profiles, leading to more than 5,000 downloads and infections directly from the platform.
- SourceForge Inflation: On SourceForge, the threat actor’s developer page boasted a download count exceeding 44,400. A closer audit by security researchers, however, revealed a large anomaly: over 37,000 of those downloads originated from Android mobile devices, even though the malware targets only desktop environments (Windows and macOS). This indicates that the threat actor used physical or emulated Android device farms to simulate real traffic and artificially inflate credibility metrics.
- AI-Generated YouTube Tutorials: The attacker maintains a dedicated YouTube channel publishing high-quality “how-to” guides for the fake sniper bots and predictors. These videos feature realistic, synthetic AI-generated narrators guiding the viewer step-by-step. To finalize the illusion, the Ghost Networks flood the comment sections with highly coordinated, glowing reviews, while driving unnatural spikes in views to trick YouTube’s recommendation algorithms.
- Legitimate Media Exploitation: Elevating the campaign beyond basic web properties, the threat actor has actively purchased promoted or sponsored posts on legitimate news websites and popular cryptocurrency forums like BitcoinTalk. By flanking their software downloads with reputable journalism, the attacker creates an immediate veneer of authenticity that funnels targets to a centralized WordPress-based phishing hub.
Poisoning VirusTotal: Subverting Threat Intelligence and Security Controls
The most alarming development documented in this campaign is the targeted manipulation of sentiment and trust signals on VirusTotal. VirusTotal serves as the global threat intelligence aggregator that security teams, automated Security Operations Centers (SOCs), and risk engines rely on to flag malicious Indicators of Compromise (IOCs). Normally, if a file has a low antivirus detection rate, security professionals will look to community comments and votes to determine if the file is a false-positive.
The threat actor exploits this critical human and machine dependency by pointing their Ghost Networks directly at VirusTotal. Automated accounts are used to systematically cast “benign” upvotes and post highly convincing comments asserting that the files are entirely safe false-positives. When combined with the naturally low early-detection rates of freshly compiled, native payloads, this artificial sentiment manipulation completely distorts risk evaluations. Reputation-based automated controls are easily tricked into misclassifying highly toxic binaries as harmless. This shifts the battleground from escaping signature detection to actively hijacking the global systems of trust that security engines depend on.
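As an added illustration (not part of Check Point's report or of any VirusTotal tooling), the following Python triage helper shows how a SOC can stop community "harmless" votes from downgrading a freshly submitted, low-detection sample: the record shape, the sample-age threshold and the vote-density threshold are assumptions, and the three samples are constructed.

```python
from datetime import datetime, timedelta

MIN_AGE_DAYS = 7        # assumed: a fresh build gets low AV hits anyway, so votes prove nothing yet
MAX_VOTES_PER_HOUR = 3  # assumed: denser "harmless" voting than this looks coordinated


def community_votes_trustworthy(first_seen: datetime, harmless_votes: list[datetime],
                                now: datetime) -> tuple[bool, str]:
    """Decide whether 'harmless' community votes may lower a sample's risk at all."""
    if now - first_seen < timedelta(days=MIN_AGE_DAYS):
        return False, "sample too new: a low detection rate is expected for a fresh build"
    if len(harmless_votes) >= 2:
        span_h = max((max(harmless_votes) - min(harmless_votes)).total_seconds() / 3600, 1.0)
        if len(harmless_votes) / span_h > MAX_VOTES_PER_HOUR:
            return False, f"{len(harmless_votes)} harmless votes within {span_h:.1f}h looks coordinated"
    return True, "votes are spread over time on an aged sample"


def triage(detections: int, engines: int, first_seen: datetime,
           harmless_votes: list[datetime], now: datetime) -> tuple[str, str]:
    """Verdict for a sample: community sentiment is consulted only when it is credible."""
    if detections / engines >= 0.2:
        return "block", "detection ratio alone is decisive"
    ok, reason = community_votes_trustworthy(first_seen, harmless_votes, now)
    if ok and harmless_votes:
        return "likely_benign", reason
    # Votes are not evidence here: fall back to behaviour (sandbox run, clipboard-API monitoring)
    return "detonate", reason


# Constructed records: a day-old low-detection sample voted "harmless" 40 times within two hours,
# an older sample with a handful of votes spread over a month, and that older sample with a burst.
NOW = datetime(2026, 6, 17)
FRESH = dict(detections=2, engines=70, first_seen=datetime(2026, 6, 16, 8),
             harmless_votes=[datetime(2026, 6, 16, 9) + timedelta(minutes=3 * i) for i in range(40)])
AGED = dict(detections=0, engines=70, first_seen=datetime(2026, 3, 1),
            harmless_votes=[datetime(2026, 3, 5), datetime(2026, 3, 20), datetime(2026, 4, 10)])
AGED_BURST = dict(AGED, harmless_votes=[datetime(2026, 6, 1, 10) + timedelta(minutes=3 * i)
                                        for i in range(40)])

if __name__ == "__main__":
    for name, sample in (("fresh", FRESH), ("aged", AGED), ("aged_burst", AGED_BURST)):
        print(name, *triage(now=NOW, **sample))
```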
Anatomy of a Modern Clipboard Hijacker: Deep Technical Breakdown
Beneath the elaborate marketing facade, the threat actor delivers a highly functional, native Rust-based clipboard hijacker designed to operate on both Windows and macOS systems. While many modern malware variants utilize heavy payloads or noisy network communications, this clipper is designed for passive, silent monetization. Once executed, it quietly monitors the system pasteboard and replaces cryptocurrency wallet addresses on the fly.
By compiling the binary in Rust, the developer gains immediate advantages: cross-platform execution, optimized performance, and a highly complex assembly structure that is notoriously difficult for security teams to analyze or reverse-engineer. Check Point Research’s dissection of the payloads revealed sophisticated, platform-specific infection loops.
The Windows Payload: Registry Persistence and API Hooking
On Windows systems, the threat actor deploys a lightweight .NET loader that drops and executes the main Rust-built clipper binary. The malware immediately runs a specialized sequence to ensure deep persistence and quiet clipboard listening:
- Persistence Routine: The payload copies itself to the local application data directory at %APPDATA%\silke\silke.exe. To survive reboots, it writes a shortcut (.lnk file) into the user’s Startup folder, so the operating system launches the clipper silently at every logon.
- Clipboard Listener API Registration: Rather than using a polling loop whose constant CPU usage could draw attention, the malware creates a hidden background window and registers it as a clipboard listener with the operating system using native Windows APIs, specifically AddClipboardFormatListener, OpenClipboard, GetClipboardData, EmptyClipboard, and SetClipboardData.
- Regex Monitoring & Address Swapping: Every time the clipboard contents change, the listener window is notified and the malware’s handler runs. It uses regular expressions to scan the copied text for strings matching the alphanumeric patterns of distinct cryptocurrency chains. If the victim copies a wallet address for Bitcoin, Ethereum/EVM-compatible chains, Litecoin, Tron, XRP, Cardano, or other networks, the clipper immediately empties the clipboard and replaces the copied value with an attacker-controlled wallet address. These substitute addresses are pulled from an embedded list of over 15,500 pre-generated attacker wallets, so the replacement matches the format of the victim’s intended address.
The macOS Payload: Gatekeeper Bypasses and Self-Healing Watchdogs
On macOS, the infection process is equally insidious, taking advantage of social engineering to bypass Apple’s stringent Gatekeeper security restrictions.
- Bypassing Gatekeeper: Upon downloading the malicious ZIP file, the user finds an instruction file named !!! READ THIS - RUN UNLOCKER IF APP IS BLOCKED.txt. This document instructs the user to run a packaged script named unlocker.command. When executed, this command script strips Apple’s quarantine attribute from the application bundle using xattr -cr, permitting the unsigned Rust binary to execute without triggering Gatekeeper warnings.
- LaunchAgent Persistence: To keep the malware running, the macOS variant writes a shell script wrapper to ~/launch.sh and installs a persistence Property List (plist) file in the user’s LaunchAgents folder at ~/Library/LaunchAgents/com.example..plist. The plist is written with the RunAtLoad and KeepAlive properties, directing the macOS launchd daemon to silently start the script at login and automatically restart it if terminated.
- Self-Healing Watchdog: To resist manual removal by the user or security tools, the macOS clipper runs a 30-second watchdog loop internally titled mw_watchdog_copy_and_relaunch. This loop continuously verifies that both launch.sh and the LaunchAgent plist exist. If either is deleted, the malware regenerates it and clones the main binary using the native fcopyfile API, creating a self-healing loop that can only be broken by killing the parent process first.
- Regex Mapping: Unlike the Windows version, which draws on a list of over 15,500 addresses, the macOS version uses a simpler structure in which each regular expression pattern maps to a single hardcoded, attacker-controlled wallet address per cryptocurrency type.
Mitigating the Threat: Redefining Digital Trust
The arrival of the “Ghost Networks” and manipulated safety signals marks a critical shift in the cyber-threat landscape. Security teams and end-users can no longer rely on external, crowdsourced reputation markers as a shortcut for trust. To defend against a highly sophisticated clipboard hijacker, organizations and individuals must adopt a strict zero-trust posture toward downloaded utilities:
- Deconstruct Blind Reliance on Social Proof: Never assume high download counters on SourceForge, glowing comment sections on YouTube, high star counts on GitHub, or “benign” upvotes on VirusTotal indicate a file is safe. Treat all trading bots, crash predictors, and unofficial system utilities as suspicious, irrespective of their online popularity.
- Perform Out-of-Band, Manual Address Verification: Because clipboard hijackers silently replace addresses on the fly, users must perform character-by-character validation of the recipient’s wallet address immediately prior to signing any transaction. This verification should be conducted using an out-of-band medium, such as a cold wallet physical screen, a secondary uncompromised device, or physical communication.
- Implement Behavioral Endpoint Controls: Deploy Endpoint Detection and Response (EDR) solutions that monitor pasteboard/clipboard modifications. Security systems should alert on background processes that register as clipboard listeners via APIs like AddClipboardFormatListener on Windows, or that execute xattr -cr to strip the quarantine attribute on macOS. Relying strictly on signature-based or reputation-based scans will not protect against newly compiled Rust binaries backed by artificial community consensus.
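As an added example (not Check Point's detection content and not the malware's code), the Python below applies the endpoint indicators from this article to constructed telemetry: the JSON event shape is hypothetical, and the xattr, LaunchAgent, Startup-shortcut and hidden-listener rules are assumed heuristics rather than any vendor's rules.

```python
import json
import re

# Constructed telemetry in a hypothetical JSON-lines shape (not a real EDR schema); script names,
# paths, plist keys and API names are the indicators described in the article.
SAMPLE_EVENTS = r"""
{"host":"mac-01","type":"process","cmdline":"/bin/bash ./unlocker.command"}
{"host":"mac-01","type":"process","cmdline":"xattr -cr /Users/alice/Downloads/SniperBot.app"}
{"host":"mac-01","type":"file_write","path":"/Users/alice/Library/LaunchAgents/com.example..plist","plist":{"RunAtLoad":true,"KeepAlive":true,"ProgramArguments":["/bin/sh","/Users/alice/launch.sh"]}}
{"host":"win-07","type":"file_write","path":"C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\silke.lnk","target":"C:\\Users\\bob\\AppData\\Roaming\\silke\\silke.exe"}
{"host":"win-07","type":"api_call","api":"AddClipboardFormatListener","process":"silke.exe","window_visible":false}
{"host":"win-07","type":"api_call","api":"AddClipboardFormatListener","process":"explorer.exe","window_visible":true}
{"host":"mac-01","type":"process","cmdline":"xattr -l /Users/alice/Downloads/notes.txt"}
"""

STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\.*\.exe$", re.I)

def strips_quarantine(cmdline: str) -> bool:
    """xattr clearing all attributes (-c, as in the campaign's -cr) or deleting the quarantine flag."""
    if not re.search(r"(^|[\s/])xattr\s", cmdline):
        return False
    flags = {ch for tok in cmdline.split() if tok.startswith("-") for ch in tok[1:]}
    return "c" in flags or re.search(r"-d\s+com\.apple\.quarantine", cmdline) is not None

def suspicious_launch_agent(path: str, plist: dict) -> bool:
    """RunAtLoad + KeepAlive agent in ~/Library/LaunchAgents whose program is a loose shell script."""
    if not (re.search(r"/Library/LaunchAgents/[^/]+\.plist$", path)
            and plist.get("RunAtLoad") and plist.get("KeepAlive")):
        return False
    program = plist.get("ProgramArguments") or [plist.get("Program", "")]
    return any(str(a).endswith((".sh", ".command")) for a in program)

def triage(events: str) -> list[tuple[str, str, str]]:
    """Return (host, rule, detail) for every event matching one of the article's indicators."""
    hits = []
    for line in events.strip().splitlines():
        ev = json.loads(line)
        host, kind = ev["host"], ev["type"]
        if kind == "process" and strips_quarantine(ev["cmdline"]):
            hits.append((host, "gatekeeper_quarantine_strip", ev["cmdline"]))
        elif kind == "file_write" and "plist" in ev and suspicious_launch_agent(ev["path"], ev["plist"]):
            hits.append((host, "keepalive_launch_agent", ev["path"]))
        elif (kind == "file_write" and "target" in ev
              and STARTUP_LNK.search(ev["path"]) and APPDATA_EXE.search(ev["target"])):
            hits.append((host, "startup_lnk_to_appdata", ev["target"]))
        elif (kind == "api_call" and ev.get("api") == "AddClipboardFormatListener"
              and not ev.get("window_visible", True)):
            hits.append((host, "hidden_clipboard_listener", ev["process"]))
    return hits
```

Running triage(SAMPLE_EVENTS) flags the four malicious events and leaves the benign xattr -l listing and Explorer's visible-window listener alone.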
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.