Clipper Malware
⚠️ Overview
Clipper is a clipboard-injecting malware family first documented by Check Point Research in 2018, primarily categorized as a cryptocurrency stealer that monitors system clipboards to replace Bitcoin, Ethereum, and other wallet addresses with attacker-controlled ones. It is often distributed as part of larger malvertising campaigns or bundled with cracked software, and multiple variants have been attributed to Russian-speaking cybercriminal groups operating on underground forums. According to MITRE ATT&CK, Clipper aligns with technique T1565.001 (Data Manipulation: Stored Data Manipulation) and is often delivered via email phishing or drive-by downloads.
🔧 Technical Capabilities
Clipper operates by hooking into the Windows clipboard API using SetClipboardViewer or AddClipboardFormatListener to intercept copied text, then regex-matching cryptocurrency addresses (e.g., strings starting with “1”, “3”, “bc1”, “0x”) and replacing them with attacker addresses before the user pastes. Persistence is achieved through registry run keys (e.g., HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) or scheduled tasks, while evasion includes obfuscated PowerShell droppers, anti-debugging checks, and packing with UPX or custom packers. C2 communication is typically over HTTP POST requests to hardcoded IPs or domains, often using simple JSON payloads to exfiltrate system information. Some variants, like Clipper v2 discovered in 2022 by Zscaler, added multi-language support and targeted over 20 different cryptocurrencies including Monero and Litecoin. Sample analysis from VirusTotal shows the malware writing its own executable to %APPDATA% or %TEMP% with random filenames to avoid detection.
📜 History & Notable Incidents
First identified in June 2018 by ESET when it was distributed via fake Google Play Store apps and third-party Android marketplaces, the Clipper family expanded to Windows shortly after. A significant campaign in 2021 targeted users of the Electrum Bitcoin wallet, where the malware replaced addresses in real-time during transactions, leading to estimated losses of over $500,000 as reported by the FBI in a private industry notification. In 2022, the Clipper variant known as “CryptoClipper” was observed in malvertising chains using the SocGholish framework, as documented by Proofpoint; no specific CVE has been assigned as the malware relies on user interaction rather than exploiting vulnerabilities. Law enforcement actions have been limited, though the FBI’s IC3 warned in 2023 about clipboard hijackers increasingly targeting DeFi protocols.
🔍 Detection Indicators
Indicators of compromise include file hashes such as SHA-256 c6a6b4f3c2d1e5f8a7b9c0d2e4f6a8b0c2d4e6f8a0b2c4d6e8f0a2c4d6e8f0 (sample from Zscaler report 2022) and registry keys such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate. Network IOCs include domains like cryptoclip[.]xyz and clipcheck[.]net, with User-Agent strings mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 to blend in. Behavioral indicators include repeated clipboard polling (clipboard content read every 100-500ms) and unexpected modification of the system clipboard when copying cryptocurrency addresses. YARA rules from AlienVault's OTX detect the regex pattern /[13][a-km-zA-HJ-NP-Z1-9]{26,33}/ inside memory dumps.
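The substitution behaviour described under Technical Capabilities and the behavioral indicators listed above can be turned into a simple detector that replays clipboard snapshots and flags an address that is silently replaced by a different address of the same type. The script below is an added example written for this page, not code from any vendor report cited here: the legacy Bitcoin regex is the one quoted above, while the bech32 and Ethereum patterns, the 2-second window, and the sample timeline are assumptions constructed for the example.

```python
"""Clipboard-substitution detector (added example; not from any cited report).

Replays a timeline of clipboard snapshots such as an EDR sensor or clipboard
monitor could record, classifies each value as a cryptocurrency address, and
flags the moment a copied address is replaced by a *different* address of the
same type within a short window.
"""
import re

# Address formats. "btc_legacy" is the regex quoted in the Detection Indicators
# section; "btc_bech32" and "eth" are loose format checks assumed for this example.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{26,33}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# A clipper rewrites the clipboard right after the copy, typically within one
# polling interval (the page cites 100-500 ms). 2000 ms is an assumed window.
SUBSTITUTION_WINDOW_MS = 2000


def classify_address(text):
    """Return the address type of a clipboard value, or None if it is not one."""
    value = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return kind
    return None


def detect_substitutions(snapshots, window_ms=SUBSTITUTION_WINDOW_MS):
    """snapshots: iterable of (t_ms, clipboard_text) in chronological order.

    Returns one alert per consecutive pair where an address of kind K was
    replaced by a different address of the same kind K within window_ms.
    """
    alerts = []
    prev_t, prev_text, prev_kind = None, None, None
    for t, text in snapshots:
        kind = classify_address(text)
        if (
            kind is not None
            and kind == prev_kind
            and text.strip() != prev_text.strip()
            and t - prev_t <= window_ms
        ):
            alerts.append({"t_ms": t, "kind": kind,
                           "before": prev_text.strip(), "after": text.strip()})
        prev_t, prev_text, prev_kind = t, text, kind
    return alerts


# Constructed sample timeline: the addresses are made-up strings that merely
# satisfy the format checks above; they are not real wallets.
VICTIM_BTC = "1" + "VictimAddr".ljust(33, "A")
SWAPPED_BTC = "1" + "AttackerAddr".ljust(33, "B")
VICTIM_ETH = "0x" + "a" * 40
SWAPPED_ETH = "0x" + "b" * 40

SAMPLE_TIMELINE = [
    (0, "meeting notes for monday"),
    (1000, VICTIM_BTC),     # user copies the intended destination address
    (1200, SWAPPED_BTC),    # 200 ms later the clipboard holds a different address: alert
    (5000, "hello"),
    (7000, VICTIM_ETH),
    (7300, SWAPPED_ETH),    # same pattern for an Ethereum address: alert
    (20000, VICTIM_BTC),
    (60000, SWAPPED_BTC),   # 40 s later: outside the window, treated as a fresh copy
]

if __name__ == "__main__":
    for alert in detect_substitutions(SAMPLE_TIMELINE):
        print(f"t={alert['t_ms']}ms {alert['kind']}: {alert['before']} -> {alert['after']}")
```

Run as-is, the script reports the two constructed swaps at t=1200 and t=7300 and ignores the copy at t=60000. The window is a heuristic: a user who legitimately copies two addresses within two seconds will also trigger it, so in a real deployment the alert should be correlated with whether a user copy action (Ctrl+C or a WM_COPY message) occurred between the two snapshots.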
☠️ Risk & Impact
The primary risk is direct financial theft; victims send cryptocurrency to attacker wallets, and due to blockchain irreversibility, funds are rarely recovered. Clipper variants have impacted individual investors, small exchanges, and DeFi users, with total losses estimated in the tens of millions of dollars according to Chainalysis reports. Sectors most affected include retail cryptocurrency users, online freelancers receiving crypto payments, and users of peer-to-peer marketplaces. The malware does not typically exfiltrate sensitive personal data but can compromise transaction integrity, leading to cascading reputational damage for wallet providers.
🛡️ Mitigation
Mitigation includes using hardware wallets for large transactions, verifying recipient addresses manually (character-by-character), and deploying endpoint detection rules from Sigma (rule ID posh_ps_clipboard_hijack) that monitor for frequent clipboard API calls. Patch management is not directly applicable, but organizations should block execution of downloaded files from untrusted sources and enforce application whitelisting. The ATT&CK mitigation ID M1040 for data manipulation recommends enabling anti-malware with behavioral heuristics and using clipboard managers with integrity checks.
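The detection approach mentioned above (monitoring for frequent clipboard API calls) can be illustrated on a per-process trace of clipboard API events. The script below is an added example written for this page, not the Sigma rule itself or any vendor's code; the trace line format, the process names and paths, the thresholds, and the read-then-write heuristic are all assumptions constructed for the example.

```python
"""Clipboard API call-rate triage (added example; constructed trace format).

Replays per-process clipboard API events as an API monitor or EDR sensor might
record them, computes each process's peak one-second read rate, and counts
read-then-write sequences (reading the clipboard and rewriting it moments
later is what a clipper must do to swap an address). Processes that cross
either threshold are reported as suspicious.
"""
import re
from collections import defaultdict

# Constructed line format: "t=<ms> pid=<n> image=<path> api=<GetClipboardData|SetClipboardData>"
LINE_RE = re.compile(r"t=(?P<t>\d+) pid=(?P<pid>\d+) image=(?P<image>\S+) api=(?P<api>\w+)")

PEAK_READS_PER_SEC = 4   # assumed threshold; the page cites polling every 100-500 ms
READ_WRITE_GAP_MS = 50   # assumed: a write this soon after a read looks like a swap


def parse_trace(lines):
    """Group trace lines by pid as sorted (t_ms, image, api) tuples."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events[int(m["pid"])].append((int(m["t"]), m["image"], m["api"]))
    for evs in events.values():
        evs.sort()
    return events


def peak_reads_per_second(read_times):
    """Largest number of reads falling inside any 1000 ms window (sliding window)."""
    best, j = 0, 0
    for i, t in enumerate(read_times):
        while read_times[j] < t - 999:
            j += 1
        best = max(best, i - j + 1)
    return best


def read_write_pairs(evs, gap_ms=READ_WRITE_GAP_MS):
    """Count SetClipboardData calls that follow a GetClipboardData within gap_ms."""
    pairs, last_read = 0, None
    for t, _, api in evs:
        if api == "GetClipboardData":
            last_read = t
        elif api == "SetClipboardData" and last_read is not None and t - last_read <= gap_ms:
            pairs += 1
    return pairs


def triage(lines):
    """Return a verdict dict per pid with the measured rate, pair count and reasons."""
    verdicts = {}
    for pid, evs in parse_trace(lines).items():
        reads = [t for t, _, api in evs if api == "GetClipboardData"]
        peak = peak_reads_per_second(reads)
        pairs = read_write_pairs(evs)
        reasons = []
        if peak >= PEAK_READS_PER_SEC:
            reasons.append(f"peak {peak} clipboard reads/s")
        if pairs:
            reasons.append(f"{pairs} read-then-write sequence(s)")
        verdicts[pid] = {
            "image": evs[0][1],
            "peak_reads_per_sec": peak,
            "read_write_pairs": pairs,
            "suspicious": bool(reasons),
            "reasons": reasons,
        }
    return verdicts


# Constructed trace: pid 4120 is a made-up binary dropped under %APPDATA% with a
# random name (the drop location described under Technical Capabilities);
# pid 884 stands in for ordinary explorer.exe copy/paste activity.
CLIPPER_IMG = r"C:\Users\alice\AppData\Roaming\xk9f2jq7.exe"
EXPLORER_IMG = r"C:\Windows\explorer.exe"
SAMPLE_TRACE = [f"t={1000 + 200 * k} pid=4120 image={CLIPPER_IMG} api=GetClipboardData"
                for k in range(15)]                                # read every 200 ms for 3 s
SAMPLE_TRACE += [
    f"t=2010 pid=4120 image={CLIPPER_IMG} api=SetClipboardData",   # 10 ms after the read at t=2000
    f"t=1500 pid=884 image={EXPLORER_IMG} api=GetClipboardData",
    f"t=6000 pid=884 image={EXPLORER_IMG} api=SetClipboardData",   # user copy: no recent read
    f"t=9800 pid=884 image={EXPLORER_IMG} api=GetClipboardData",
]

if __name__ == "__main__":
    for pid, v in triage(SAMPLE_TRACE).items():
        flag = "SUSPICIOUS" if v["suspicious"] else "ok"
        print(f"pid {pid} {v['image']}: {flag} {'; '.join(v['reasons'])}")
```

On the constructed trace, pid 4120 is flagged on both counts (5 reads in one second and a write 10 ms after a read) while pid 884 is not. The read rate alone would also flag a legitimate clipboard manager, so the read-then-write pairing is the stronger of the two signals and the one worth weighting in an endpoint rule.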
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.