ClipXDaemon is a Linux cryptocurrency clipboard hijacker targeting X11-based desktop environments. Identified by Cyble Research & Intelligence Labs in early February 2026, it monitors clipboard contents approximately every 200 milliseconds and replaces copied cryptocurrency wallet addresses with attacker-controlled addresses, enabling theft when victims paste the substituted address into transactions. The malware is autonomous and C2-less: analysis reported no beaconing, remote tasking, DNS queries, HTTP requests, socket connections, embedded domains, or IP addresses.
The malware is delivered through a three-stage infection chain using a bincrypter-based loader similar in structure to one previously seen with ShadowHS, although the reporting states there is no evidence of shared authorship and attributes the overlap to reuse of the public open-source bincrypter framework. The initial loader base64-decodes an embedded blob, derives AES-256-CBC decryption parameters, decompresses the result with gzip, and executes the next stage from memory via /proc/self/fd. An intermediate dropper then writes a base64-decoded 64-bit ELF payload to ~/.local/bin/ under a randomized filename, marks it executable, launches it in the background, and appends an execution line to ~/.profile for persistence.
The final payload is a 64-bit Linux ELF dynamically linked against X11 libraries. It checks for the WAYLAND_DISPLAY environment variable and exits if Wayland is present, operating only in X11 sessions. It daemonizes via double-fork, detaches from the terminal, and masquerades as a kernel worker process such as kworker/0:2-events using prctl(PR_SET_NAME) and argv manipulation. It connects to the X server, creates a hidden 1x1 window, retrieves clipboard data using X11 selection APIs, and when clipboard text matches targeted wallet regex patterns, it claims clipboard ownership and serves attacker-controlled replacement addresses during paste operations.
Reported targeted wallet formats include Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON. Observed replacement wallet addresses were reported for Ethereum (0x502010513bf2d2B908A3C33DE5B65314831646e7), Monero (424bEKfpB6C9LkdfNmg61pMEnAitjde8YWFsCP1JXRYhfu4Tp5EdbUBjCYf9kRBYGzWoZqRYMhWfGAm1N5h6wSPg8bSrbB9), Bitcoin (bc1qe8g2rgac5rssdf5jxcyytrs769359ltle3ekle), Dogecoin (DTkSZNdtYDGndq1kRv5Z2SuTxJZ2Ddacjk), Litecoin (ltc1q7d2d39ur47rz7mca4ajzam2ep74ccdwvqre6ej), and Tron (TBupDdRjUscZhsDWjSvuwdevnj8eBrE1ht); TON and Ripple formats were monitored but no replacement addresses were observed. The binary encrypts wallet regex patterns and replacement addresses using ChaCha20 with a static embedded 256-bit key and counter.
Published SHA-256 IOCs include 87ab42a2a58479cf17e5ce1b2a2e8f915d539899993848e5db679c218f0e7287 (loader), 23099eea9c4f85ff62a4f43634d431bbed0bf6b039a3f228b1c047f1c2f0cd11 (dropper), and b6bb28160532400eafad532842e4ba9add6d6bbba4f7e7c85e3dbb650369eb00 (ClipXDaemon ELF).
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
13 distinct techniques documented for this family, organized by ATT&CK tactic.
ClipXDaemon operates locally without network communication... and persists by modifying the user’s ~/.profile file.
ClipXDaemon operates locally without network communication... and persists by modifying the user’s ~/.profile file.
"executes the intermediate dropper directly through a /proc/self/fd file descriptor — never writing the decrypted stage to disk"
The loader uses AES-256-CBC encryption and gzip compression to conceal payload contents. The ELF configuration is further encrypted with ChaCha20.
The payload renames itself using prctl(PR_SET_NAME) to mimic kernel worker threads.
"executes the intermediate dropper directly through a /proc/self/fd file descriptor — never writing the decrypted stage to disk"
"checks whether the Wayland display server is present and exits immediately if detected"
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Linux-based cryptocurrency clipper malware that hijacks copied wallet addresses, replacing them with attacker-controlled addresses to steal cryptocurrency. It operates locally without network communication, disguises itself as a kernel process, and persists by modifying the user’s ~/.profile file.
Linux X11 clipboard hijacker (clipper) that monitors clipboard contents at high frequency and replaces detected cryptocurrency wallet addresses (e.g., Monero, Ethereum, Bitcoin, Litecoin, Dogecoin, Tron) with attacker-controlled addresses; uses persistence without root/systemd and double-fork daemonization; operates without C2 for direct monetization.
Linux clipboard hijacker that intercepts copy/paste operations and replaces cryptocurrency wallet addresses with attacker-controlled addresses.
Linux ELF clipboard-hijacking malware targeting X11 desktops. It polls the clipboard at high frequency and, when it detects cryptocurrency wallet address formats, replaces the clipboard contents with attacker-controlled wallet addresses to redirect funds. It is designed to be offline (no C2/network beacons), uses encrypted wallet regex/replacement data (ChaCha20), employs multi-stage loader/dropper execution (including /proc/self/fd execution), and persists via user-level shell profile modification (~/.profile). It exits if Wayland is detected.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.