The Hacker News | 3 min read

Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments

A threat actor has been observed using paid posts on legitimate news websites to promote warez, according to findings from Check Point Research. This campaign, dubbed "Crypto Clipper," employs a dedicated WordPress phishing page as its central hub. The actor also utilizes GitHub and SourceForge projects, promoted by fake accounts, a YouTube channel, and comments on VirusTotal, to spread their malicious software.

The warez are disguised as legitimate software, such as "free" versions of popular applications like Adobe Photoshop and Microsoft Office, and are distributed through torrent sites. Upon installation, the malware replaces cryptocurrency wallet addresses copied to the clipboard with those belonging to the attacker, aiming to steal digital assets.

The campaign has been active since at least November 2023, with initial campaigns targeting users in the United States and Europe. The threat actor has also been observed using AI-generated narration for promotional videos and employing fake reviews to boost the credibility of their warez. Check Point Research identified over 100 unique domains associated with this campaign, with approximately 40% of them being newly registered in the past six months. The campaign's sophistication lies in its multi-pronged approach, combining social engineering tactics with technical exploitation.
