Fake trust network pushes crypto-stealing clipper

Cybersecurity investigators have exposed a cryptocurrency theft campaign that used fake GitHub popularity, AI-narrated YouTube videos, manipulated download figures and favourable platform comments to make malicious software appear safe before victims installed it.

The operation centred on a Rust-based clipboard hijacker, known in cybercrime circles as a clipper, that monitors copied wallet addresses and silently replaces them with addresses controlled by the attacker. The malware was built for Windows and macOS and was hidden inside tools marketed to crypto traders and online gamblers seeking quick gains through Solana and Pump.fun sniper bots, Aviator predictors and crash-game prediction software.

The campaign marks a shift from conventional malware delivery towards a broader reputation-building strategy. Instead of relying only on hidden payloads or phishing lures, the actor created a public-facing ecosystem designed to withstand casual scrutiny. Victims checking GitHub stars, SourceForge downloads, YouTube tutorials, news-style promotional posts or VirusTotal comments could find what appeared to be signs of legitimacy.


Check Point Research traced the activity to a single threat actor using a WordPress phishing site as the main hub. The site directed visitors to GitHub, SourceForge and YouTube pages carrying the same branding and download links. A Telegram contact using the handle @JoseCmanXD appeared across parts of the network, helping connect the website, videos and promotional material.

The malicious files were promoted as software that could automate trading or predict betting outcomes. Such themes are frequently used to target users already prepared to install unverified tools, disable security warnings or overlook suspicious behaviour in the hope of financial advantage. The campaign’s likely victim pool included crypto holders, meme-coin traders and online gambling users.

On GitHub, at least six accounts appeared to promote or distribute the software, with some repositories showing inflated engagement. One repository displayed 146 stars and 62 forks, figures that would ordinarily suggest community interest. The accounts identified in the operation included Decryptor-j, crash-predictor1, roblox-script1, hack-scripts and stake-mines. GitHub downloads linked to the known accounts exceeded 5,000, including more than 1,250 downloads of a macOS version of Aviator Predictor.

SourceForge activity showed a larger distortion. The relevant projects displayed 44,485 downloads, but 37,460 were attributed to Android devices despite the actor offering only Windows and macOS versions. That mismatch points to artificial traffic generation, possibly through an Android device farm used to inflate download counters and create false credibility.

The YouTube element added another layer of social proof. A dedicated channel with more than 91,000 subscribers promoted the tools through tutorial-style videos using AI-generated narrators. View counts showed unusual spikes rather than steady organic growth, while comment sections carried highly positive responses that appeared coordinated. Some comments from likely real users complained that the promoted tools did not work as advertised.


The malware itself is technically straightforward but effective. On Windows, victims downloaded ZIP archives containing multiple files, though the main execution path led to a .NET loader that launched a Rust-built executable. The payload copied itself into the user’s application data folder and created a startup shortcut, allowing it to run automatically after login. Once active, it continuously scanned the clipboard for wallet address formats and swapped matches with attacker-controlled addresses drawn from embedded lists.

The macOS version followed the same objective, targeting users who believed they were installing trading or prediction tools. Because crypto transfers are irreversible and wallet addresses are long strings that many users verify only partially, clipboard hijacking can succeed even when a victim believes the transaction details have been checked.
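The behaviour described above, an address being copied and then silently rewritten to a different address of the same format, is also what a defender can look for. The following Python is an added example written for this article; it is not Check Point's tooling or the campaign's code. It assumes a clipboard poller feeding timestamped snapshots (here a constructed log embedded inline), uses loose syntax patterns for a few wallet formats (constructed approximations without checksum validation), and treats a two-second window as an assumed heuristic for "faster than a user would copy a second address". It also shows the full-string paste check that partial verification of a long address skips.

```python
import re
from typing import Optional

# Loose per-format syntax checks (constructed for this example; a production
# verifier would also validate checksums such as Base58Check or EIP-55).
# Order matters: Bitcoin legacy addresses are also valid Base58 strings, so
# they are tested before the broader Solana pattern.
WALLET_PATTERNS = [
    ("btc_legacy", re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")),
    ("btc_bech32", re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$")),
    ("eth", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("solana", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]


def classify_address(text: str) -> Optional[str]:
    """Return the wallet format a clipboard string looks like, or None."""
    candidate = text.strip()
    for name, pattern in WALLET_PATTERNS:
        if pattern.match(candidate):
            return name
    return None


def detect_substitutions(events, window_seconds: float = 2.0):
    """Flag address-to-address clipboard changes that are too fast to be a user action.

    events: list of (timestamp_seconds, clipboard_text) snapshots from a clipboard poll.
    A clipper rewrites the clipboard right after the victim copies an address, so an
    address of format F being replaced by a different address of the same format F
    within `window_seconds` is reported. The window is an assumed heuristic.
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        fmt_prev, fmt_cur = classify_address(prev), classify_address(cur)
        if fmt_prev is None or fmt_prev != fmt_cur:
            continue
        if prev.strip() == cur.strip():
            continue
        if t_cur - t_prev <= window_seconds:
            alerts.append({
                "time": t_cur,
                "format": fmt_cur,
                "original": prev.strip(),
                "replacement": cur.strip(),
            })
    return alerts


def verify_paste(intended: str, pasted: str) -> bool:
    """Full-string comparison before sending: the check a glance at prefix/suffix skips."""
    return intended.strip() == pasted.strip()


# Constructed sample addresses (syntactically valid, not real wallets) and a
# constructed clipboard poll log.
ETH_A = "0x" + "1234567890abcdef" * 2 + "12345678"
ETH_B = "0x" + "deadbeef" * 5
SOL_A = "CoNsTrUcTedSoLaNaAddReSsFoRTeSt" + "1" * 12
SOL_B = "CoNsTrUcTedSoLaNaAddReSsFoRTeSt" + "2" * 12
CLIPBOARD_LOG = [
    (0.0, "meeting notes"),
    (5.0, ETH_A),   # user copies a recipient address
    (5.4, ETH_B),   # 400 ms later it is a different ETH address: clipper signature
    (30.0, "hello"),
    (40.0, SOL_A),
    (55.0, SOL_B),  # 15 s later: plausibly the user copying a second address, not flagged
]

if __name__ == "__main__":
    for alert in detect_substitutions(CLIPBOARD_LOG):
        print(f"[{alert['time']:.1f}s] {alert['format']} address swapped: "
              f"{alert['original']} -> {alert['replacement']}")
    print("paste matches intended:", verify_paste(ETH_A, ETH_B))
```

Run stand-alone it reports the single fast ETH-to-ETH swap in the constructed log and leaves the slower Solana change alone. Wired to a real clipboard poller, the same logic gives an endpoint agent or a wallet front end a signal to hold the transaction and show both addresses side by side; the full-string `verify_paste` check is the one that matters at send time, since the swapped address is the same length and format as the one the user copied.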

The operation also sought to manipulate security reputation systems. Some malware samples received benign votes and favourable comments on VirusTotal, reducing the chance that wary users would treat low detection scores as suspicious. That tactic raises concern for security teams that depend partly on crowdsourced reputation signals when triaging files.

The use of promotional posts on legitimate news websites and press-release networks further broadened the campaign’s reach. Several such posts appear to have been published on the same day, April 27, 2026, before many were removed. Their purpose was to place malicious tools beside trusted content and search-indexed pages, strengthening the illusion that the software had public validation.

Arabian Post – Crypto News Network
