Phishing page | Image: Check Point
At a Glance
| Attribute | Detail |
|---|---|
| Malware family | Rust clipboard hijacker (clipper), Windows and macOS |
| Threat actor | Single operator tied to Telegram handle @JoseCmanXD (suspected) |
| Targets | Crypto holders, crash-game gamblers, and traders |
| Delivery | WordPress phishing site, GitHub, SourceForge, YouTube, news posts, BitcoinTalk |
| Key capabilities | Clipboard monitoring, wallet-address swapping, self-healing persistence |
| Source | Check Point Research |
TL;DR
Check Point Research uncovered a crypto clipboard hijacker that steals funds by swapping wallet addresses. The attacker hides the malware behind fake stars, views, and “safe” votes across many platforms. Both Windows and macOS users face the threat.
Why This Campaign Stands Out
The malware itself is old news. The promotion is the real twist. According to Check Point, the operator “behaves less like a hacker than a marketer.” He inflates download counts, posts coordinated five-star reviews, and runs tutorial videos. He even promotes the tools on crypto forums like BitcoinTalk. As a result, victims see social proof everywhere they look.
Check Point calls these fake-account clusters “Ghost Networks.” These networks star and fork repositories, spike video views, and post glowing comments. Together, they build a false sense of trust before a victim clicks download.
Delivery
A WordPress phishing site acts as the central hub. From there, the actor points victims to GitHub and SourceForge projects. A YouTube channel adds AI-generated tutorial videos. The lures promise an unfair edge: Solana sniper bots, an “Aviator Predictor,” and crash-game predictors. These offers target people chasing quick, automated profit.
The actor even seeded promotional posts on legitimate news sites. Check Point found press-release-style articles that linked back to the phishing page. This crypto clipboard hijacker gained borrowed credibility from trusted outlets.
Suspected Attribution
Check Point ties the activity to one operator behind the handle @JoseCmanXD. The same handle appears on the phishing site, Telegram, and YouTube. This attribution is suspected, not formally confirmed. The actor has shared crypto-stealer tools on hacking forums since 2019.
Infection Chain
Victims download a ZIP archive from one of these sources. On Windows, a small .NET loader runs a bundled Rust executable. That executable is the actual clipper. It copies itself into a hidden user folder and adds a startup entry for persistence.
The macOS path works much the same way. A bundled “unlocker” script strips Apple’s quarantine flag from the app. Then a background service keeps the clipper running at every login. A watchdog rewrites its own files to survive manual removal.
Command Server and Theft
This clipper hides in the background and watches the clipboard. When it spots text shaped like a wallet address, it swaps in an attacker-controlled address. The victim then pastes the wrong address and sends funds straight to the attacker.
The Windows variant carries over 15,500 wallet addresses across many coins. Notably, the malware needs no live command server for this step: the wallet lists ship inside the binary itself. After a successful theft, the actor rotates to a fresh wallet so the used one is harder to trace back to the campaign.
Reputation Abuse on VirusTotal
The actor also games VirusTotal. Some samples receive benign votes and “safe” comments while detection stays low. Check Point warns that this mix “creates a strong, but false, impression of safety.” Reputation-based defenses may then misjudge a clearly malicious file.
Scale and Impact
The numbers point to wide exposure. GitHub showed over 5,000 downloads, including about 1,250 for a macOS build. SourceForge logged 44,485 downloads, though many look fake. One repository alone displayed 146 stars and 62 forks. Check Point also flagged 37,460 SourceForge downloads from Android devices. That figure is odd, since the actor offers only Windows and macOS builds.
Defense and Detection
Treat engagement metrics with suspicion. Stars, views, and upvotes do not prove safety. Avoid “free” trading bots, predictors, and game-cheat tools. Always recheck a wallet address after you paste it, before sending funds. Endpoint tools may miss this clipper because few engines currently detect it. Therefore, user caution stays the strongest defense.
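The check behind the paste-and-recheck advice can also be automated. The following is an added example, not Check Point's or the malware's code: it classifies clipboard text by wallet-address shape and flags a clipper's signature, one address silently replaced by a different address of the same chain within milliseconds. The regexes, the 500 ms window, and the event format are assumptions; the clipboard snapshots are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address-shape patterns (assumed, simplified). Solana is named on the page;
# BTC and ETH are added as common clipper targets. BTC is checked first because
# a legacy BTC address also fits the generic base58 Solana shape.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"(bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    "sol": re.compile(r"[1-9A-HJ-NP-Za-km-z]{32,44}"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the chain whose address shape the text matches, or None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return chain
    return None


@dataclass
class ClipEvent:
    t_ms: int   # time of the clipboard change, milliseconds (constructed)
    text: str   # clipboard content after the change


def detect_swaps(events: List[ClipEvent], window_ms: int = 500) -> List[Tuple[int, str, str]]:
    """Flag a clipboard write that replaces an address with a different address
    of the same chain within window_ms. A user rarely copies two different
    addresses that quickly; a clipper does exactly that after every copy."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        chain = classify_address(prev.text)
        if chain and chain == classify_address(cur.text) \
                and prev.text.strip() != cur.text.strip() \
                and cur.t_ms - prev.t_ms <= window_ms:
            alerts.append((cur.t_ms, prev.text.strip(), cur.text.strip()))
    return alerts


# Constructed clipboard history: an ETH address swapped 120 ms after the copy,
# then two BTC addresses copied six seconds apart (normal user behaviour).
SAMPLE_EVENTS = [
    ClipEvent(1000, "hello"),
    ClipEvent(2000, "0x" + "a1" * 20),
    ClipEvent(2120, "0x" + "b2" * 20),
    ClipEvent(9000, "bc1q" + "q" * 38),
    ClipEvent(15000, "bc1q" + "p" * 38),
]
```

Running `detect_swaps(SAMPLE_EVENTS)` returns only the ETH replacement at 2120 ms; the BTC pair is too far apart to be flagged.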
Support Our Threat Intelligence
If you find our CVE reports and cybersecurity news helpful, consider supporting our work.