Fake Proxifier Installer on GitHub Spreads ClipBanker Malware

Emy Elsamnoudy
April 14, 2026

Key Takeaways

  • A malware campaign targets cryptocurrency users through a fake Proxifier installer hosted on GitHub and pushed to the top of search results.
  • The trojanized installer deploys ClipBanker, a clipper Trojan that watches the clipboard and replaces copied crypto wallet addresses with attacker-controlled ones.
  • The infection chain runs through several stages built for stealth: Microsoft Defender exclusions, process injection into trusted Windows binaries, and an obfuscated PowerShell script executed only in memory.
  • Kaspersky telemetry counts more than 2,000 users, mostly in India and Vietnam, who have encountered the threat since early 2025.

Cybercriminals are distributing a counterfeit installer for Proxifier, a widely used proxy client, to steal from cryptocurrency users. The ongoing campaign, documented by security researchers, makes its money by silently swapping wallet addresses in the clipboard so that victims send funds to the attackers.

Table of Contents

  • Key Takeaways
  • The Deceptive Lure: How the Campaign Begins
  • ClipBanker: The Crypto-Stealing Mechanism
  • Inside the Infection Chain: How ClipBanker Evades Detection
  • What You Should Do

The attackers have established a convincing GitHub repository, meticulously crafted to mimic an official Proxifier download source. However, the software installer offered within this repository is a Trojan. Once executed, it covertly monitors and manipulates clipboard content, specifically targeting cryptocurrency wallet addresses to divert funds to the perpetrators.

The Deceptive Lure: How the Campaign Begins

The infection chain frequently commences with a user searching for “Proxifier” on a search engine. Among the top results, a link to the malicious GitHub repository appears, designed to look legitimate. The project page itself is convincing, even displaying source code for a basic proxy service. Within the “Releases” section, victims find a downloadable archive that contains an executable file alongside a text document featuring what appear to be software activation keys, further enhancing its credibility. Unbeknownst to the user, this executable is a malicious wrapper that installs the genuine Proxifier software while simultaneously deploying the ClipBanker Trojan in the background.

Researchers at Kaspersky, writing on Securelist, identified this campaign in early 2026; analyst Oleg Kupreev notes that it has been active since the beginning of 2025. They describe the infection process as unusually intricate, with multiple layered stages engineered to keep the malware unnoticed throughout its operation. Since early 2025, more than 2,000 users of Kaspersky products have encountered this threat, most of them in India and Vietnam.

ClipBanker: The Crypto-Stealing Mechanism

ClipBanker is a clipper: a clipboard-hijacking Trojan built for cryptocurrency theft. When a victim copies a wallet address, for instance to paste it into a wallet application before sending funds, the malware recognizes the address format and silently replaces it with an attacker-controlled address for the same chain, so the funds go to the attackers once the victim pastes and confirms. It handles addresses for more than 26 blockchain networks, including Bitcoin, Ethereum, Solana, Monero, Dogecoin, TRON, Ripple, and Litecoin, which gives the attackers reach across most of the crypto ecosystem.

The campaign works because its presentation is convincing. The threat actors used search engine optimization (SEO poisoning) to push the malicious GitHub repository to the top of results for the software's name, so users searching for Proxifier land on the repository rather than on the vendor's site. A user downloading what looks like a free copy of a legitimate utility has no immediate reason for suspicion until a transfer arrives at the wrong address.

Inside the Infection Chain: How ClipBanker Evades Detection

When the trojanized installer runs, it starts a multi-stage infection. First it writes a small stub file of roughly 1.5 KB to the system temporary directory, named to impersonate a legitimate Proxifier process. A .NET application named api_updater.exe is then injected into this stub; its job is to add Microsoft Defender exclusions for .tmp files and for the current working directory, so that the components dropped and run from those locations in the later stages are never scanned.

While the genuine Proxifier installer runs in the foreground and gives the victim a normal-looking installation, the Trojan continues in the background. It injects another module, proxifierupdater.exe, which in turn injects code into conhost.exe, the Windows console host, a signed Microsoft binary that security tools usually trust. From there an obfuscated PowerShell script runs directly in memory; the script is never written to disk, which leaves little for file-based scanners to find and complicates removal.

The PowerShell script does several things: it adds PowerShell and conhost.exe to Defender's exclusion list, stores an encoded script in the registry under HKLM\SOFTWARE\System::Config, and registers a scheduled task named "Maintenance Settings Control Panel" that runs at every user logon. At logon the task reads and decodes the stored script, which fetches the next stage from paste services such as Pastebin. After a final download from GitHub, the resulting shellcode is injected into fontdrvhost.exe, the Windows font driver host, and ClipBanker begins watching the clipboard for wallet addresses to replace. The combination matters: once .tmp files, PowerShell and conhost.exe are excluded and the payload lives only in memory and the registry, there is little left for a file-based scanner to inspect.
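The chain above leaves a handful of host artifacts that a responder can check for directly. The following PowerShell hunt script is an added example and is not from the original article or from Kaspersky/Securelist: the artifact names (exclusion targets, task name, registry key, module names, injection targets) are taken from the article, while the matching patterns, the parent-process allowlist and the size threshold are assumptions for illustration. Run it in an elevated PowerShell 5.1 or 7 session on the host in question.

```powershell
# Added hunt script for the artifacts described above (not from the original
# article). Artifact names come from the article; matching logic, allowlists and
# thresholds are assumptions. Run elevated on the host you want to check.

$dropped  = @('api_updater.exe', 'proxifierupdater.exe')   # modules named in the article
$findings = New-Object System.Collections.Generic.List[string]

# 1. Microsoft Defender exclusions. A clean workstation normally has none; the
#    campaign adds .tmp files, its working directory, powershell.exe and conhost.exe.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    $exclusions = @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)
    foreach ($e in $exclusions | Where-Object { $_ }) {
        $tag = if ($e -match '(?i)^\.?tmp$|\\Temp\\|powershell\.exe$|conhost\.exe$') { 'SUSPECT' } else { 'review' }
        $findings.Add("Defender exclusion [$tag]: $e")
    }
}

# 2. Scheduled tasks: the exact name from the article, plus any logon task whose
#    action launches PowerShell with an encoded command (the decode-and-run stage).
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    $atLogon = $t.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if ($t.TaskName -eq 'Maintenance Settings Control Panel' -or
        ($atLogon -and $actions -match '(?i)powershell.*(-e(nc(odedcommand)?)?\s|FromBase64String)')) {
        $findings.Add("Scheduled task '$($t.TaskPath)$($t.TaskName)': $actions")
    }
}

# 3. Registry key used to stage the encoded script. Opened through .NET because the
#    "::" in the key name collides with PowerShell's provider-qualified path syntax.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\System::Config')
if ($key) {
    $findings.Add("Registry key HKLM\SOFTWARE\System::Config present, values: $($key.GetValueNames() -join ', ')")
    $key.Close()
}

# 4. Small stub impersonating Proxifier (about 1.5 KB per the article; 4 KB limit is
#    an assumption) and the dropped module names, in the user and system temp dirs.
$tempDirs = @($env:TEMP, "$env:SystemRoot\Temp") | Select-Object -Unique
foreach ($f in Get-ChildItem -Path $tempDirs -File -ErrorAction SilentlyContinue) {
    if ($dropped -contains $f.Name.ToLower() -or ($f.Name -match '(?i)proxifier' -and $f.Length -lt 4KB)) {
        $findings.Add("Temp artifact: $($f.FullName) ($($f.Length) bytes, modified $($f.LastWriteTime))")
    }
}

# 5. Injection targets. fontdrvhost.exe is normally started by winlogon.exe or
#    wininit.exe; a conhost.exe whose parent is one of the dropped modules is also
#    reported. Parent PIDs can be reused, so treat these as leads, not verdicts.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
foreach ($p in $procs | Where-Object { $_.Name -in @('fontdrvhost.exe', 'conhost.exe') }) {
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name.ToLower() } else { '<exited>' }
    $odd = ($p.Name -eq 'fontdrvhost.exe' -and $parentName -notin @('winlogon.exe', 'wininit.exe')) -or
           ($p.Name -eq 'conhost.exe' -and $dropped -contains $parentName)
    if ($odd) { $findings.Add("Process $($p.Name) PID $($p.ProcessId) has parent $parentName (PID $($p.ParentProcessId))") }
}

if ($findings.Count -eq 0) { Write-Host 'No artifacts of the campaign found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Each check is independent, so a hit on one item (an unexplained Defender exclusion is the cheapest signal, because the campaign creates those before anything else runs) is enough to justify pulling the host for a full look; the absence of all five only means the artifacts described here are not present, not that the machine is clean.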

What You Should Do

  • Download software from official sources only: get installers from the vendor's own website or a trusted application store. A GitHub repository is not an official source unless the vendor links to it, and Proxifier is commercial software, so a "free" copy shipped with activation keys is a warning sign in itself.
  • Verify download integrity: compare the file's checksum with the value the vendor publishes, and check that the installer carries a valid digital signature from the vendor. The malicious wrapper installs the genuine product inside it, so the signature on the file you actually ran is what matters.
  • Use robust endpoint security: keep a current antivirus or EDR product installed and active, and treat any unexplained Defender exclusion as a sign of compromise; this campaign adds exclusions before it does anything else.
  • Verify addresses before sending: double-check the recipient's wallet address immediately before confirming a transaction, even if you just copied it. Comparing the first and last few characters is the minimum; for large transfers compare the whole address, since lookalike addresses that share a prefix are cheap to generate.
  • Be skeptical of free software: "free" versions of commercial software offered outside official channels are a common malware vector.
  • If you already ran such an installer: look for the artifacts described above (Defender exclusions for .tmp files, PowerShell or conhost.exe; the "Maintenance Settings Control Panel" task; the HKLM\SOFTWARE\System::Config key), remove them, and assume any address copied on that host since the install may have been replaced.
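The two checks that users can actually run themselves, signature and hash verification of a downloaded installer and a watch for clipboard address swaps, are shown below as an added PowerShell example. It is not from the original article or from the Proxifier vendor: the expected signer name and hash are values you take from the vendor's site, the download path in the usage comment is a placeholder, and the address patterns cover only four of the chains the article lists and are deliberately simplified (no checksum validation).

```powershell
# Added example for the advice above; not from the original article or the vendor.
# ExpectedSigner and ExpectedSha256 are inputs taken from the vendor's site; the
# address patterns below are simplified illustrations, not exact validators.

function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSigner,   # CN of the vendor's code-signing certificate
        [string] $ExpectedSha256                            # published hash, if the vendor provides one
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    # Zone.Identifier is written by browsers on download and records where the file came from.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $r = [ordered]@{
        Path      = $Path
        Source    = (($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=')
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
    # A valid chain alone is not enough: the wrapper could be signed by anyone, so the
    # subject CN must be the vendor you expect. -eq on strings is case-insensitive.
    $signerOk = ($sig.Status -eq 'Valid') -and ($r.Signer -match "(^|, )CN=$([regex]::Escape($ExpectedSigner))(,|$)")
    $hashOk   = (-not $ExpectedSha256) -or ($r.Sha256 -eq $ExpectedSha256)
    $r.Trusted = $signerOk -and $hashOk
    [pscustomobject]$r
}

# Simplified address patterns for four chains the article names (ASSUMPTION: illustrative only).
$AddressPatterns = [ordered]@{
    BTC = '^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$'
    ETH = '^0x[0-9a-fA-F]{40}$'
    TRX = '^T[1-9A-HJ-NP-Za-km-z]{33}$'
    XMR = '^[48][1-9A-HJ-NP-Za-km-z]{94}$'
}
function Get-AddressChain([string] $Text) {
    foreach ($chain in $AddressPatterns.Keys) { if ($Text -match $AddressPatterns[$chain]) { return $chain } }
    return $null
}

# Polls the clipboard and warns when one wallet address is replaced by another of the
# same chain within a short window, which is what a clipper produces right after a
# copy. Best effort: a swap faster than the poll interval leaves only the attacker's
# address visible, so the manual comparison above still applies.
function Watch-ClipboardSwap([int] $Seconds = 300, [int] $SwapWindowMs = 2000) {
    $last = ''; $lastChain = $null; $lastSeen = Get-Date
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        $now = ([string](Get-Clipboard -Raw -ErrorAction SilentlyContinue)).Trim()
        if ($now -ne $last) {
            $chain   = Get-AddressChain $now
            $elapsed = [int]((Get-Date) - $lastSeen).TotalMilliseconds
            if ($chain -and $chain -eq $lastChain -and $elapsed -lt $SwapWindowMs) {
                Write-Warning "$chain address swapped ${elapsed} ms after copy: $last -> $now"
            }
            $last = $now; $lastChain = $chain; $lastSeen = Get-Date
        }
        Start-Sleep -Milliseconds 100
    }
}

# Usage (path and signer name are placeholders):
# Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\ProxifierSetup.exe" -ExpectedSigner 'Vendor Name'
# Watch-ClipboardSwap -Seconds 600
```

Test-InstallerTrust reports the download origin from the Zone.Identifier stream alongside the signature verdict, so a file whose HostUrl points at a GitHub release rather than the vendor's domain stands out even before the signer is examined. The clipboard watcher is meant to run in a separate console while you prepare a transfer; it is a detection aid only and does not block the swap.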

Tags: Attack, Hacker, Malware, Security, Threat

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.
