'This creates a misleading impression of safety': Experts warn of hackers hijacking legitimate news websites and reviews to drum up publicity
Crooks are promoting malware as legitimate tools on news sites
- Check Point Research uncovers PR‑style campaign distributing a Rust clipboard hijacker disguised as legitimate software
- Attackers used phishing sites, GitHub/SourceForge projects, fake YouTube channels, and even newswire press releases to boost credibility
- Malware swaps crypto wallet addresses from clipboard, with “Ghost Networks” manipulating reputation systems to evade detection
Hackers have launched a fully fledged, multi-platform PR campaign to trick people into thinking that the malware they’re distributing is actually legitimate software, experts have warned.
A report from Check Point Research warned that even those doing regular due diligence might get tricked.
At the center of the campaign is a clipboard jacker - a piece of infostealer malware that monitors the victim’s clipboard for cryptocurrency wallet strings. When it detects one, it replaces it with a different one belonging to the attackers. That way, when a victim tries to send money from one wallet to another, they end up paying the attackers instead. Both Windows and macOS users are at risk.
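From the defender's side, the swap described above leaves a recognizable trace: a wallet-style string on the clipboard is replaced, moments later, by a different string of the same format without the user copying anything. The sketch below is an added example, not code from Check Point's report or from this article; the event layout, the `source` field, the two-second window and the approximate address patterns are all assumptions made for illustration.

```python
import re

# Approximate address formats; which families to cover is an assumption of this example.
PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def wallet_kind(text):
    """Return the address family a clipboard string looks like, or None."""
    text = text.strip()
    for kind, rx in PATTERNS.items():
        if rx.match(text):
            return kind
    return None

def find_swaps(events, max_gap=2.0):
    """Flag clipboard changes that fit the hijack pattern.

    events: list of (timestamp_seconds, source, text). source is "user" for a
    copy the user made and "unknown" for a change with no user copy action
    (how the collector decides that is outside this sketch).
    """
    alerts = []
    for (t0, _, old), (t1, src, new) in zip(events, events[1:]):
        old, new = old.strip(), new.strip()
        kind = wallet_kind(old)
        # Same address family, different value, not user-initiated, within the window.
        if (kind and kind == wallet_kind(new) and old != new
                and src != "user" and t1 - t0 <= max_gap):
            alerts.append({"time": t1, "kind": kind, "copied": old, "now": new})
    return alerts

# Constructed sample data; the addresses are made-up strings, not real wallets.
SAMPLE = [
    (10.0, "user", "meeting notes"),
    (42.0, "user", "0x" + "a1" * 20),
    (42.3, "unknown", "0x" + "b2" * 20),  # replaced without a user copy
    (90.0, "user", "1" + "A" * 30),
    (95.0, "user", "1" + "B" * 30),       # user copied a second address: not flagged
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE):
        print(alert)
```

The same comparison works manually: checking the pasted address against the one that was copied before confirming a transfer catches the substitution.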
Abusing newswire sites
“The threat actor uses multiple channels to promote and distribute a Rust clipboard hijacker, starting with a dedicated phishing page as the central hub and extending to GitHub and SourceForge projects promoted by fake accounts,” the company said.
“A dedicated YouTube channel, using AI‑generated narrators, suspicious view spikes, and highly positive (likely coordinated) comments, further reinforces the illusion of popularity and trustworthiness.”
To distribute the malware, the attackers ran a rather aggressive PR campaign: they set up a dedicated phishing page, multiple GitHub and SourceForge projects and accounts, as well as a fake YouTube channel. The most surprising part, however, is that they also distributed news articles through newswire sites.
Newswire sites are services that distribute company press releases and announcements to media outlets, journalists, websites, and investors. Most newswire services allow anyone to submit and distribute press releases, usually for a fee, but they are generally seen as a legitimate source of trustworthy news.
At the same time, the hackers went the extra mile to make sure the clipboard jacker isn’t flagged as malware. By using numerous fake accounts (so-called “Ghost Networks”), they’re manipulating reputation-driven systems like VirusTotal, tricking researchers and potential users into thinking that detections of the programs are false positives.
“Even if this campaign is not primarily aimed at large enterprises, it shows that attackers no longer rely only on classic malware distribution techniques to reach victims,” the researchers concluded. “Instead, they can manipulate reputation systems, crowd‑sourced feedback, and cross‑platform promotion to lower suspicion and attract more users.”
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.