Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments

June 25, 2026

An unknown threat actor has been observed using paid or promoted posts on legitimate news websites to advertise a cryptocurrency clipboard hijacker. The campaign uses a dedicated WordPress phishing page, GitHub and SourceForge projects promoted by fake accounts, a YouTube channel, and coordinated activity on VirusTotal to get malicious files misclassified as safe.

The Rust-based clipper targets both Windows and macOS systems, monitoring the clipboard for cryptocurrency wallet address patterns and substituting them with attacker-controlled addresses. The threat actor uses Ghost Networks to poison reputation systems like VirusTotal through upvotes and positive comments. On GitHub, at least six accounts cross-promote the malware, with one repository having 146 stars and 62 forks. On SourceForge, the download counter reached 44,485, with 37,460 supposedly from Android devices despite only Windows and macOS versions being offered, suggesting an Android farm was used to inflate counts.
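The substitution behaviour described above can be looked for in clipboard-change telemetry. The following is an added example, not code from the article or from Check Point Research: it flags a clipboard value that is replaced by a different address of the same type within a short interval. The address shapes, the two-second threshold and the event format are assumptions chosen for illustration.

```python
import re

# Assumed address shapes; the article does not say which currencies are matched.
ADDRESS_SHAPES = {
    "btc-legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def address_family(text):
    """Return the address family the whole string matches, or None."""
    candidate = text.strip()
    for family, shape in ADDRESS_SHAPES.items():
        if shape.fullmatch(candidate):
            return family
    return None

def find_swaps(events, max_gap=2.0):
    """Flag clipboard changes that look like address substitution.

    events: list of (timestamp_seconds, clipboard_text), oldest first.
    A change is flagged when the old and new values are different addresses
    of the same family and the change happened within max_gap seconds,
    faster than a person is likely to copy a second address by hand.
    """
    alerts = []
    for (t0, old), (t1, new) in zip(events, events[1:]):
        family = address_family(old)
        if family is None or family != address_family(new):
            continue
        if old.strip() != new.strip() and (t1 - t0) <= max_gap:
            alerts.append({"time": t1, "family": family,
                           "copied": old.strip(),
                           "replaced_with": new.strip()})
    return alerts

# Constructed sample events; none of these strings is a real wallet address.
SAMPLE_EVENTS = [
    (0.0, "meeting notes draft"),
    (10.0, "0x" + "a1" * 20),      # user copies an ETH-shaped string
    (10.3, "0x" + "b2" * 20),      # replaced 0.3 s later: flagged
    (60.0, "1" + "A" * 30),        # BTC-legacy-shaped string
    (95.0, "1" + "B" * 30),        # 35 s later: plausible manual copy
    (120.0, "bc1q" + "x" * 38),    # bech32-shaped string
    (120.5, "0x" + "c3" * 20),     # different family: not flagged
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The same comparison works as a manual check: before confirming a transfer, compare the pasted address with the one shown at its source.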

The campaign also includes a YouTube channel with over 91,000 subscribers featuring AI-generated narrators and positive comments. A press release distribution service (EIN Presswire) was used to market the tool, syndicated across partner news websites including the USA TODAY Network. Check Point Research noted that this manipulation of sentiment and reputation across crowd-sourced platforms marks a meaningful shift in how attackers build trust.

CVEs: CVE-2026-11645

Malware: Crypto Clipper

Companies: Check Point Research, EIN Presswire, USA TODAY Network, GitHub, SourceForge, VirusTotal, WordPress, YouTube