
From Stars to Upvotes: The Fake Reputation Economy Behind a Crypto Clipboard Hijacker

By Check Point Research – Eli Smadja 

A Threat Built on Fabricated Trust

Most malware campaigns try to hide. This one does the opposite: it works hard to look loved.

Check Point Research analyzed a cryptocurrency clipboard hijacker (a “clipper”) hidden inside a collection of “tools” that promise users an unfair edge: Solana and Pump.fun sniper bots, an “Aviator Predictor,” and various crash-game predictors. The targets are crypto holders and online gamblers already hunting for shortcuts and quick, automated profits.

What makes the campaign notable isn’t the malware — clippers are old news. It’s that the attacker behaves less like a hacker than a marketer. To push a malicious “tool,” a single threat actor borrowed the same playbook legitimate brands use to build buzz: inflated download counts, coordinated five-star reviews, influencer-style tutorial videos, and promotion on platforms people instinctively trust. The result is a fake reputation economy spanning every platform a curious victim might check before they click “download.”

Manufacturing Popularity: Ghost Networks Everywhere

The illusion runs on Ghost Networks: clusters of fake or low-quality accounts that exist to inflate the signals people instinctively trust.

On GitHub, at least six linked accounts cross-promote one another’s repositories, racking up stars, forks, and downloads from controlled accounts. This follows the same pattern Check Point Research documented on GitHub Ghost Networks. One repository alone displayed 146 stars and 62 forks. On SourceForge, the download counter reached 44,485, with a suspicious 37,460 supposedly originating from Android devices, despite the developer only offering Windows and macOS versions. A plausible explanation is the use of an Android farm to artificially inflate the download count on SourceForge.

On YouTube, the same playbook plays out with YouTube Ghost Networks driving unnatural spikes in views and a comment section full of glowing, coordinated praise. The videos are styled as authentic personal walkthroughs, complete with a synthetic, AI-generated narrator guiding the viewer step by step. 

The New Frontier: Poisoning Reputation Systems

The most consequential evolution in this campaign isn’t aimed at people at all. It’s aimed at the tools that defend them.

Check Point Research observed accounts casting benign votes and posting “safe” comments on the campaign’s samples on VirusTotal, a platform that aggregates detections from dozens of security engines and feeds the reputation models many organizations rely on. The positive engagement doesn’t cause the low detection rates, but the combination is the point: a malicious file with few detections and a chorus of “looks clean” feedback creates a powerful, false impression of safety that can sway both end users and automated, reputation-based decisions.

In other words, attackers are no longer just trying to evade detection. They’re trying to manipulate the global trust signals that detection increasingly depends on.

The campaign rounds this out with posts on long-standing crypto communities like BitcoinTalk, meeting the target audience exactly where they already gather.

The Payload: A Cross-Platform Clipboard Hijacker

Behind all the social proof, the actual malware is straightforward. Both the Windows and macOS payloads are Rust-based clippers. Once running, they quietly install persistence and monitor the clipboard for anything resembling a cryptocurrency wallet address: Bitcoin, Ethereum, Litecoin, Tron, XRP, Cardano, and more. When a match appears, the malware silently swaps it for an attacker-controlled address pulled from a large embedded list.
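An added example, not code from Check Point's report: a behavioral check for the address swap described above, run over a constructed sequence of clipboard snapshots. The `ClipEvent` record, the shape-only address patterns, and the one-second `max_gap` threshold are assumptions chosen for illustration.

```python
import re
from typing import NamedTuple, Optional

# Shape-only patterns for a few of the address families the article names.
# They do not validate checksums; they only answer "does this look like one?".
ADDRESS_SHAPES = {
    "bitcoin": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{11,71})"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "tron": re.compile(r"T[1-9A-HJ-NP-Za-km-z]{33}"),
}

class ClipEvent(NamedTuple):
    t: float   # seconds since the start of the capture
    text: str  # clipboard content observed at that moment

def address_family(text: str) -> Optional[str]:
    """Return the family whose shape the whole clipboard text matches, if any."""
    candidate = text.strip()
    for family, pattern in ADDRESS_SHAPES.items():
        if pattern.fullmatch(candidate):
            return family
    return None

def find_swaps(events, max_gap=1.0):
    """Flag an address replaced by a different address of the same family
    within max_gap seconds, faster than a person re-copies by hand."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        fam_prev, fam_cur = address_family(prev.text), address_family(cur.text)
        if (fam_prev and fam_prev == fam_cur
                and prev.text.strip() != cur.text.strip()
                and cur.t - prev.t <= max_gap):
            alerts.append((cur.t, fam_cur, prev.text.strip(), cur.text.strip()))
    return alerts

# Constructed sample capture (addresses are made-up strings of the right shape).
SAMPLE = [
    ClipEvent(0.0, "meeting notes"),
    ClipEvent(5.0, "0x" + "a1" * 20),   # user copies a payee address
    ClipEvent(5.2, "0x" + "b2" * 20),   # replaced 200 ms later: suspicious
    ClipEvent(60.0, "T" + "A" * 33),    # user copies a Tron-shaped address
    ClipEvent(95.0, "T" + "B" * 33),    # different address 35 s later: normal
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE):
        print(alert)
```

The same comparison works as a manual habit: check the pasted address against the one that was copied before confirming a transfer.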

Why This Matters

This campaign may not be aimed at large enterprises, but the technique it showcases is the part worth watching. Manipulating sentiment and reputation across crowd-sourced platforms marks a meaningful shift in how attackers build trust. The same playbook of fake reputation and aggressive cross-platform promotion can easily distribute information stealers or ransomware to higher-value targets over time. 

What Defenders and Users Should Do

  • Don’t trust engagement metrics as a proxy for safety. Stars, forks, download counts, view spikes, and “safe” comments can all be bought or faked. Popularity is not a security signal.
  • Be deeply skeptical of “edge” tools. Sniper bots, game predictors, and anything promising guaranteed crypto gains are classic bait.
  • Treat reputation scores as one input, not a verdict. A low detection rate paired with positive community sentiment can be manufactured. Combine reputation data with behavioral detection and your own telemetry.
  • For macOS users: never run an “unlocker” or instructions that tell you to bypass Gatekeeper warnings. That step is the attack.

Check Point’s Workspace Security provides protection against the clipboard hijacker variants identified in this research.

For the full technical breakdown, read the complete Check Point Research report.
