- Check Point Research uncovers PR‑style campaign distributing a Rust clipboard hijacker disguised as legitimate software
- Attackers used phishing sites, GitHub/SourceForge projects, fake YouTube channels, and even newswire press releases to boost credibility
- Malware swaps crypto wallet addresses from clipboard, with “Ghost Networks” manipulating reputation systems to evade detection
Hackers have launched a fully fledged, multi-platform PR campaign to trick people into thinking that the malware they’re distributing is actually legitimate software, experts have warned.
A report from Check Point Research warned that even those doing regular due diligence might get tricked.
At the center of the campaign is a clipboard hijacker – a piece of infostealer malware that monitors the victim’s clipboard for cryptocurrency wallet strings. When it detects one, it replaces it with a different address belonging to the attackers. That way, when a victim tries to send money from one wallet to another, they end up paying the attackers instead. Both Windows and macOS users are at risk.
Abusing newswire sites
“The threat actor uses multiple channels to promote and distribute a Rust clipboard hijacker, starting with a dedicated phishing page as the central hub and extending to GitHub and SourceForge projects promoted by fake accounts,” the company said.
“A dedicated YouTube channel, using AI‑generated narrators, suspicious view spikes, and highly positive (likely coordinated) comments, further reinforces the illusion of popularity and trustworthiness.”
To distribute the malware, the attackers ran a rather aggressive PR campaign: they set up a dedicated phishing page, multiple GitHub and SourceForge projects and accounts, and a fake YouTube channel. The most surprising part, however, is that they also distributed news articles through newswire sites.
Newswire sites are services that distribute company press releases and…