Pro.exe
Pro.exe is a Python-based clipboard hijacking trojan (clipper), also referenced as "peeek.exe," used in a campaign reported by CloudSEK and attributed to a threat actor tracked as RedLineCyber. The actor reportedly impersonates an affiliate of "RedLine Solutions" to build credibility and distributes the malware through prolonged social engineering in private Discord communities associated with gaming, gambling, and streaming. Victims, including cryptocurrency streamers and influencers, are persuaded to install the executable as a purported security tool or streaming utility. Once executed on Windows systems, the malware continuously monitors the clipboard for cryptocurrency wallet addresses and replaces copied addresses in real time with attacker-controlled wallet addresses, enabling theft when the victim pastes the substituted address and confirms a transaction. Reported targeted cryptocurrencies include Bitcoin, Ethereum, Solana, Dogecoin, Litecoin, and Tron. The malware is described as operating almost entirely offline, with no reported command-and-control communication or data exfiltration, which reduces opportunities for network-based detection. Known filenames/aliases mentioned in the reporting are Pro.exe and peeek.exe.
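Because the malware reportedly never talks to a C2, detection has to happen on the endpoint. The following defender-side heuristic is an added example, not code from CloudSEK's report or from the malware: it classifies clipboard contents by the currencies named above and flags the clipper's tell, a wallet address being replaced by a different address of the same currency within a fraction of a second. The address patterns, time window, and clipboard snapshots are constructed assumptions; capturing the live Windows clipboard is left to the caller.

```python
import re
# Heuristic address patterns for the currencies named in the reporting (constructed
# for this example, no checksum validation). The bare-base58 Solana form is the
# least specific, so it is checked last.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
BECH32 = r"[02-9ac-hj-np-z]"
ADDRESS_PATTERNS = [
    ("BTC", re.compile(rf"^(bc1{BECH32}{{25,62}}|[13]{BASE58}{{25,34}})$")),
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("TRX", re.compile(rf"^T{BASE58}{{33}}$")),
    ("LTC", re.compile(rf"^(ltc1{BECH32}{{25,62}}|[LM]{BASE58}{{25,34}})$")),
    ("DOGE", re.compile(rf"^D{BASE58}{{33}}$")),
    ("SOL", re.compile(rf"^{BASE58}{{32,44}}$")),
]

def classify_address(text):
    """Return the currency label for a wallet-address-looking string, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return coin
    return None

def detect_swaps(snapshots, window_seconds=2.0):
    """Flag clipper-style substitutions in time-ordered (seconds, clipboard_text) pairs:
    an address of currency X replaced within window_seconds by a different address of
    the same currency. A user copying two addresses by hand normally takes longer."""
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        coin = classify_address(before)
        if coin is None or before.strip() == after.strip():
            continue
        if classify_address(after) == coin and (t1 - t0) <= window_seconds:
            alerts.append({"coin": coin, "original": before.strip(),
                           "replacement": after.strip(), "delay_s": round(t1 - t0, 3)})
    return alerts

# Constructed clipboard snapshots; sample addresses are syntactically plausible, not real wallets.
SAMPLE_SNAPSHOTS = [
    (5.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),   # user copies a BTC address
    (5.3, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),   # changed 300 ms later: clipper
    (40.0, "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"),  # user copies an ETH address
    (75.0, "0x53d284357ec70cE289D6D64134DfAc8E511c8a3D"),  # 35 s later: second manual copy, benign
    (90.0, "TXYZopYRdj2D9XRtbG411XZZ3kM5VkAeBf"),          # user copies a TRX address
    (90.4, "TXYZopYRdj2D9XRtbG411XZZ3kM5VkAeBg"),          # replaced 400 ms later: clipper
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{a['coin']}] {a['original']} -> {a['replacement']} after {a['delay_s']}s")
```

The window is a tuning knob: too wide and fast manual re-copies become false positives, too narrow and a clipper that polls slowly slips through.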
Groups observed using it
1 distinct threat actor attributed by public researchers.
“…to distribute an executable called ‘Pro.exe’ (or ‘peeek.exe’). It’s a Python-based clipboard hijacking trojan…”
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Python-based clipboard hijacking malware used for cryptocurrency theft by monitoring the Windows clipboard for wallet addresses and substituting attacker-controlled addresses; distributed via social engineering in Discord communities.
Python-based clipboard hijacker that monitors the Windows clipboard for cryptocurrency wallet addresses and substitutes them in real time with attacker-controlled addresses to drain wallets; designed to be low-noise and largely offline (no C2).