Fake Proxifier Installer on GitHub Spreads ClipBanker Malware
Key Takeaways
- A sophisticated malware campaign is targeting cryptocurrency users through a fake Proxifier installer hosted on GitHub.
- The malicious installer deploys ClipBanker, a Trojan designed to hijack clipboard data and replace legitimate crypto wallet addresses with attacker-controlled ones.
- The attack chain employs multiple stealthy stages, including Defender exclusions and fileless execution, to evade detection.
- Over 2,000 users, primarily in India and Vietnam, have encountered this threat since early 2025.
Cybercriminals are actively deploying a deceptive malware operation that leverages a counterfeit installer for Proxifier, a popular proxy software, to compromise the digital assets of cryptocurrency users. This ongoing campaign, identified by security researchers, aims to steal funds by subtly altering clipboard data.
The attackers have established a convincing GitHub repository, meticulously crafted to mimic an official Proxifier download source. However, the software installer offered within this repository is a Trojan. Once executed, it covertly monitors and manipulates clipboard content, specifically targeting cryptocurrency wallet addresses to divert funds to the perpetrators.
The Deceptive Lure: How the Campaign Begins
The infection chain frequently commences with a user searching for “Proxifier” on a search engine. Among the top results, a link to the malicious GitHub repository appears, designed to look legitimate. The project page itself is convincing, even displaying source code for a basic proxy service. Within the “Releases” section, victims find a downloadable archive that contains an executable file alongside a text document featuring what appear to be software activation keys, further enhancing its credibility. Unbeknownst to the user, this executable is a malicious wrapper that installs the genuine Proxifier software while simultaneously deploying the ClipBanker Trojan in the background.
Researchers at Securelist identified this campaign in early 2026, with analyst Oleg Kupreev noting its active presence since the beginning of 2025. The researchers characterized the infection process as unusually intricate, featuring multiple layered stages specifically engineered to maintain the malware’s stealth throughout its operation. Since early 2025, more than 2,000 users utilizing Kaspersky security solutions have encountered this threat, with the majority of affected individuals located in India and Vietnam.
ClipBanker: The Crypto-Stealing Mechanism
ClipBanker functions as a clipboard-hijacking Trojan, specifically engineered to target cryptocurrency transactions. When a victim copies a cryptocurrency wallet address—for instance, to send funds—the malware surreptitiously intercepts and replaces the legitimate address with an address controlled by the attackers. This sophisticated threat is capable of operating across more than 26 blockchain networks, including prominent ones like Bitcoin, Ethereum, Solana, Monero, Dogecoin, TRON, Ripple, and Litecoin, thereby granting the attackers extensive reach across diverse crypto ecosystems.
The efficacy of this campaign stems from its highly convincing presentation. The threat actors have actively manipulated search engine results to ensure their malicious GitHub repository ranks prominently, increasing the likelihood of users encountering it. A user downloading what appears to be a legitimate, free software utility would have no immediate cause for suspicion, until their cryptocurrency assets vanish without a trace.
Inside the Infection Chain: How ClipBanker Evades Detection
Upon execution of the trojanized installer, the malware initiates its multi-stage infection process. Initially, it creates a small stub file, approximately 1.5 KB in size, within the system’s temporary directory. This file is named to impersonate a legitimate Proxifier process. Subsequently, a .NET application, named api_updater.exe, is injected into this stub. Its primary function is to discreetly establish Microsoft Defender exclusions for temporary files (TMP files) and the current working directory. This critical step ensures that subsequent stages of the infection proceed unimpeded by security alerts.
While the authentic Proxifier installer proceeds in the foreground, providing a semblance of normal operation to the unsuspecting victim, the Trojan continues its malicious activities in the background. It injects another module, proxifierupdater.exe, which then further injects malicious code into conhost.exe, a trusted Windows system utility. Through this intricate process, an obfuscated PowerShell script is executed directly in memory, leaving no discernible trace on the hard drive. This fileless execution technique significantly complicates detection and timely removal of the malware.
The PowerShell script performs several crucial functions: it adds PowerShell and conhost.exe processes to Defender’s exclusion list, stores an encoded script within a registry key at HKLM\SOFTWARE\System::Config, and registers a scheduled task named “Maintenance Settings Control Panel.” This scheduled task is configured to activate upon each user login. It retrieves and decodes the stored script, which then fetches the next payload from Pastebin-type services. Following a final download from GitHub, the shellcode is injected into fontdrvhost.exe, at which point ClipBanker commences its stealthy monitoring of the clipboard for cryptocurrency wallet addresses to replace.
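The persistence and evasion artifacts described in this chain (Defender exclusions, the named scheduled task, the staging registry key) can be checked on a suspect host with a short triage script. The script below is an added example, not code from Securelist, Kaspersky or HackersRadar; the task name, registry key and excluded process names come from the article, while the function name and the installer path are placeholders of this example.

```powershell
# Added triage example for the ClipBanker chain described above.
# Run from an elevated PowerShell session: since 2022 Defender hides
# exclusions from non-administrators, so step 1 returns nothing otherwise.

$findings = @()

# 1. Defender exclusions matching what the report describes: TMP files,
#    the temp directory, and the powershell / conhost.exe processes.
$pref = Get-MpPreference
$paths = @($pref.ExclusionPath)      | Where-Object { $_ -match '\\Temp\\?|\.tmp$' }
$procs = @($pref.ExclusionProcess)   | Where-Object { $_ -match 'powershell|conhost' }
$exts  = @($pref.ExclusionExtension) | Where-Object { $_ -match '^\.?tmp$' }
if ($paths) { $findings += "Defender path exclusion(s): $($paths -join ', ')" }
if ($procs) { $findings += "Defender process exclusion(s): $($procs -join ', ')" }
if ($exts)  { $findings += "Defender extension exclusion(s): $($exts -join ', ')" }

# 2. The logon-triggered scheduled task named in the report.
$task = Get-ScheduledTask -TaskName 'Maintenance Settings Control Panel' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task '$($task.TaskName)' present; action(s): $actions"
}

# 3. The registry key used to stage the encoded second-stage script.
#    .NET is used directly so the '::' in the key name is not parsed
#    as a PowerShell provider qualifier.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\System::Config')
if ($key) {
    $findings += "HKLM\SOFTWARE\System::Config exists; values: $($key.GetValueNames() -join ', ')"
    $key.Close()
}

# 4. Authenticode check for a downloaded installer (see the advice on
#    verifying signatures). Path below is a placeholder for this example.
function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status                       # 'Valid' is the only good answer
        Signer = $sig.SignerCertificate.Subject    # compare against the vendor's name
    }
}
Test-InstallerSignature -Path 'C:\Users\Public\Downloads\ProxifierSetup.exe' | Format-List

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'No ClipBanker persistence artifacts found on this host.' }
```

An unsigned or wrongly signed installer, or any hit in steps 1 to 3, warrants isolating the host and reviewing fontdrvhost.exe and conhost.exe for injected code rather than simply deleting the artifacts.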
What You Should Do
- Download Software from Official Sources Only: Always obtain software directly from the vendor’s official website or trusted application stores. Avoid third-party repositories or unofficial download sites, especially for popular tools.
- Verify Download Integrity: If available, verify checksums or digital signatures of downloaded files against the official vendor’s published values.
- Use Robust Endpoint Security: Ensure a reliable, up-to-date antivirus or endpoint detection and response (EDR) solution is installed and actively scanning your system. Regularly update its definitions.
- Practice Clipboard Verification: When transferring cryptocurrency, always double-check the recipient’s wallet address immediately before confirming the transaction, even if you copied it. Manually compare the first and last few characters of the address.
- Be Skeptical of Free Software: Exercise extreme caution with “free” versions of commercial software offered outside of official channels, as these are common vectors for malware distribution.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.