Hackers Hide Crypto-Stealing Malware in Fake Microsoft Office Extensions

Cybercriminals are targeting crypto users with malware disguised as Microsoft Office add-ins, using trusted platforms like SourceForge to distribute malicious files. According to an April 8 report by cybersecurity firm Kaspersky, the malware, known as ClipBanker, secretly replaces copied crypto wallet addresses with the attacker’s address.

The fake listing, called “officepackage,” appears legitimate by including real Office extension files and polished UI elements, making it difficult for users to spot the scam.

How the ClipBanker Malware Works

ClipBanker is designed to take advantage of a common behavior among crypto users: copying and pasting wallet addresses. When a victim copies their crypto address, the malware silently swaps it with the attacker’s, diverting funds during transactions.

In addition to address swapping, the malware:

  • Sends sensitive system information (IP address, location, usernames) to attackers via Telegram
  • Scans for previous infections or antivirus tools and deletes itself if detected
  • Uses unusually small files or padded junk files to mask its presence and appear like a genuine Office installer
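The address-swapping behavior described above can be checked for on the receiving side: if the text that arrives at the paste target is a different address of the same family as the one the user copied, that is the signature of a clipper. The following Python is an added example written for this article, not code from the report or from Kaspersky; it assumes only Bitcoin and Ethereum address shapes (the regexes are constructed and only test that a string is address-shaped, not that it is a valid address), and the sample addresses are public documentation examples or constructed values.

```python
import re

# Regexes for address families that clipboard hijackers commonly target.
# Constructed for this example: BTC (legacy and bech32) and ETH shapes only.
# A match means "looks like an address", not that the address is valid.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str):
    """Return the address family for text, or None if it is not address-shaped."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def abbreviate(address: str, keep: int = 5) -> str:
    """Show the first and last characters, the parts a user should compare by eye."""
    address = address.strip()
    if len(address) <= 2 * keep:
        return address
    return f"{address[:keep]}...{address[-keep:]}"


def detect_clipboard_swap(copied: str, pasted: str) -> dict:
    """Compare what the user copied with what arrived at the paste target.

    A clipper replaces an address-shaped clipboard entry with one of the same
    family so the victim does not notice; that case is the strongest verdict.
    """
    copied, pasted = copied.strip(), pasted.strip()
    copied_kind, pasted_kind = classify_address(copied), classify_address(pasted)
    finding = {
        "copied_kind": copied_kind,
        "pasted_kind": pasted_kind,
        "copied": abbreviate(copied),
        "pasted": abbreviate(pasted),
    }
    if copied_kind is None:
        finding["verdict"] = "not-an-address"       # nothing for a clipper to target
    elif copied == pasted:
        finding["verdict"] = "unchanged"
    elif pasted_kind == copied_kind:
        finding["verdict"] = "swapped-same-family"  # classic clipper signature
    else:
        finding["verdict"] = "swapped-other"        # changed, but not a look-alike
    return finding


def flag_suspicious(events):
    """Run detect_clipboard_swap over (copied, pasted) pairs and keep the swaps."""
    return [
        finding
        for finding in (detect_clipboard_swap(c, p) for c, p in events)
        if finding["verdict"].startswith("swapped")
    ]


if __name__ == "__main__":
    # Constructed clipboard events: a legitimate paste, a same-family
    # substitution, an unchanged ETH paste, and unrelated text.
    BTC_USER = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"   # public documentation example
    BTC_OTHER = "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"  # public documentation example
    ETH_USER = "0x" + "ab" * 20                          # constructed
    events = [
        (BTC_USER, BTC_USER),
        (BTC_USER, BTC_OTHER),
        (ETH_USER, ETH_USER),
        ("meeting notes", "meeting notes"),
    ]
    for finding in flag_suspicious(events):
        print(finding["verdict"], finding["copied"], "->", finding["pasted"])
```

The `abbreviate` helper reflects the manual check wallets already encourage: compare the first and last few characters of the address in the send field against the one you intended, since a clipper-substituted address will share the format but not those characters.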

Kaspersky said the malware campaign was primarily observed on SourceForge, a widely used open-source software repository. The infected software mimics a legitimate developer tool, often appearing in search results.

Attackers Could Sell Access to Infected Systems

Kaspersky warns that ClipBanker does more than just steal crypto. It may also:

  • Install crypto miners to exploit the victim’s device resources
  • Open backdoors that can be sold to other threat actors, expanding the risk beyond financial theft

“Our telemetry indicates that 90% of potential victims are in Russia, where 4,604 users encountered the scheme between early January and late March,” Kaspersky said. The malware interface is in Russian, suggesting the campaign may target Russian-speaking users.

Protecting Yourself from Crypto Malware

To reduce the risk of infection:

  • Only download software from official and trusted sources
  • Avoid pirated or unofficial Office add-ins and extensions
  • Use up-to-date antivirus tools and scan your system regularly

Kaspersky emphasized that attackers are constantly refining their methods to trick users into downloading malware, especially those seeking software outside authorized platforms.

Meanwhile, other cybersecurity firms are also raising the alarm. Threat Fabric recently reported a new malware strain that overlays fake login screens on Android devices, tricking users into handing over crypto seed phrases.

Ayushi Somani

Ayushi Somani is an academically gifted individual who has a passion for blockchain technology. She is well-versed in the technology, having been an early adopter of cryptocurrency and investing in Bitcoin and several other digital currencies.