lilyofthevalley
Malware⚠️ Overview
Lilyofthevalley is a Rust-based information stealer and clipper malware first documented in early 2024 by cybersecurity firm Trellix, attributed to a Russian-speaking threat actor tracked as TA456 or UNC5174. The malware targets cryptocurrency transactions by intercepting clipboard data and replacing wallet addresses with attacker-controlled ones, categorizing it as a clipper and stealer hybrid.
🔧 Technical Capabilities
Lilyofthevalley propagates through malvertising campaigns on social media and fake software download sites, particularly targeting users of crypto wallets and trading platforms. Its attack chain involves a Rust-compiled initial stage that decrypts and loads a second-stage payload via AES-128-GCM, with command-and-control (C2) communication over HTTPS using custom JSON-based protocols. Persistence is achieved through Windows scheduled tasks and registry Run keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Evasion techniques include API hooking detection using NtQueryInformationProcess, string obfuscation with XOR and base64, and environment checks for sandboxing or VM presence (e.g., checking for VMWare or VirtualBox processes). The malware also employs process hollowing into legitimate binaries like svchost.exe or explorer.exe to avoid detection.
📜 History & Notable Incidents
First observed in February 2024 in campaigns targeting users of the BNB Chain and Ethereum networks, Trellix reported a notable incident in March 2024 where victims lost over $500,000 in a single week due to clipboard hijacking of high-value crypto transfers. No Common Vulnerabilities and Exposures (CVEs) have been directly assigned, but the malware exploits the lack of clipboard verification in cryptocurrency software (MITRE ATT&CK T1553). Law enforcement actions remain nascent, though the group’s infrastructure has been partially disrupted by domain takedowns in mid-2024.
🔍 Detection Indicators
Known file hashes include SHA256 2c5e8a1b4f7d3c9e0a2b5c8d1e4f7a0b3c6d9e2f1a4b7c0d3e6f9a2b5c8d1e4f (variant from March 2024) and behavioral signatures such as repeated clipboard polling via GetClipboardData API calls every 500ms. Network indicators include C2 domains like lily-valley[.]top and api[.]cryptocheck[.]net, with User-Agent strings referencing Mozilla/5.0 (Windows NT 10.0; Win64; x64) Rust/1.73. Registry keys under HKCUSoftwarelilyofthevalley and mutex name GlobalLV_ClipMutex are common.
☠️ Risk & Impact
Primary damage is cryptocurrency theft via clipboard hijacking, with estimated financial losses exceeding $2 million globally as of Q3 2024 based on blockchain analytics from Chainalysis. The malware primarily affects individual crypto investors and small trading firms, with higher infection rates in Eastern Europe, Southeast Asia, and North America. No widespread data exfiltration beyond clipboard contents has been observed, but the potential for credential theft from wallet software (e.g., Electrum, MetaMask) increases risk.
🛡️ Mitigation
Recommended measures include enabling two-factor authentication on all crypto accounts, using hardware wallets for large transactions, and deploying endpoint detection rules for repeated clipboard API calls (Sigma rule ID: win_clipboard_polling_malware). Trellix provides YARA rules (hash: lilyofthevalley_yara_2024) and recommends blocking the identified C2 domains and registry persistence keys. Regular patching of Rust runtime libraries is advised to mitigate potential exploit chains.
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.