
Check Point Research uncovers PR‑style campaign distributing a Rust clipboard hijacker disguised as legitimate software
Attackers used phishing sites, GitHub/SourceForge projects, fake YouTube channels, and even newswire press releases to boost credibility
Malware swaps crypto wallet addresses from clipboard, with “Ghost Networks” manipulating reputation systems to evade detection
Hackers have launched a fully fledged, multi-platform PR campaign to trick people into thinking that the malware they’re distributing is actually legitimate software, experts have warned.
A report from Check Point Research warned that even those doing regular due diligence might get tricked.
At the center of the campaign is a clipboard jacker, a piece of infostealer malware that monitors the victim’s clipboard for cryptocurrency wallet strings. When it detects one, it replaces it with a different one belonging to the attackers. That way, when a victim tries to send money from one wallet to another, they end up paying the attackers instead. Both Windows and macOS users are at risk.
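The swap the article describes leaves a recognizable trace on the endpoint: a clipboard entry that looks like a wallet address is replaced, within a fraction of a second and without any user action, by a different address of the same type. The following Python is an added example of that detection heuristic plus a pre-send paste check; it is not code from the article or from Check Point’s report. The address patterns are simplified assumptions (prefix and character-set checks only, no checksum validation), and the clipboard snapshots are constructed sample data rather than captured from a real machine.

```python
import re
from dataclasses import dataclass

# Simplified address patterns (assumption: enough to classify sample strings,
# not a substitute for full checksum validation).
ADDRESS_PATTERNS = {
    # Legacy/P2SH Bitcoin: base58 alphabet excludes 0, O, I and l.
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    # Bech32 Bitcoin: charset excludes 1, b, i and o.
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    # Ethereum: 0x followed by 40 hex digits.
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the address family a string looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class ClipboardSnapshot:
    ts: float      # seconds since monitoring started
    content: str   # clipboard text at that moment


def detect_swaps(snapshots, max_gap_seconds=2.0):
    """Flag consecutive snapshots where one wallet address becomes a
    different address of the same family almost immediately.

    A human copying a second address takes seconds; a hijacker that
    reacts to the clipboard change does it in milliseconds.
    Returns a list of (original, replacement, kind) tuples.
    """
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        prev_kind = classify_address(prev.content)
        cur_kind = classify_address(cur.content)
        if prev_kind is None or cur_kind != prev_kind:
            continue  # not an address-to-same-family-address change
        if prev.content.strip() == cur.content.strip():
            continue  # same value re-copied, nothing swapped
        if cur.ts - prev.ts <= max_gap_seconds:
            alerts.append((prev.content.strip(), cur.content.strip(), prev_kind))
    return alerts


def verify_paste(copied, pasted):
    """Pre-send check: the address in the payment form must equal the
    address the user actually copied from the trusted source."""
    return copied.strip() == pasted.strip()


# Constructed sample timeline (not real telemetry). The attacker address is
# an obviously fake placeholder that merely fits the base58 pattern.
USER_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
FAKE_ATTACKER_ADDRESS = "1ATTACKERdummyXdummyXdummyXYZ12"
SAMPLE_SNAPSHOTS = [
    ClipboardSnapshot(0.0, "meeting notes for Monday"),
    ClipboardSnapshot(10.0, USER_ADDRESS),            # user copies recipient
    ClipboardSnapshot(10.3, FAKE_ATTACKER_ADDRESS),   # replaced 300 ms later
    ClipboardSnapshot(60.0, "0x" + "a" * 40),         # user copies an ETH address
    ClipboardSnapshot(95.0, "0x" + "b" * 40),         # different address 35 s later: benign
]


if __name__ == "__main__":
    for original, replacement, kind in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{kind}] clipboard swap: {original} -> {replacement}")
    print("paste matches copy:", verify_paste(USER_ADDRESS, FAKE_ATTACKER_ADDRESS))
```

On the sample timeline only the 300 ms Bitcoin replacement is reported; the Ethereum change half a minute later is treated as an ordinary second copy. In practice the snapshot list would be fed by whatever clipboard API the platform offers, and the `verify_paste` check belongs in the wallet or payment UI, where the user can be shown both values side by side before confirming.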
Abusing newswire sites
“The threat actor uses multiple channels to promote and distribute a Rust clipboard hijacker, starting with a dedicated phishing page as the central hub and extending to GitHub and SourceForge projects promoted by fake accounts,” the company said.
“A dedicated YouTube channel, using AI‑generated narrators, suspicious view spikes, and highly positive (likely coordinated) comments, further reinforces the illusion of popularity and trustworthiness.”
To distribute the malware, the attackers ran a rather aggressive PR campaign: they set up a dedicated phishing page, multiple GitHub and SourceForge projects and accounts, as well as a fake YouTube channel. But the most surprising part is distributing news articles through newswire sites.
Newswire sites are services that distribute company press releases and announcements to media outlets, journalists, websites, and investors. Most newswire services allow anyone to submit and distribute press releases, usually for a fee, but they are generally seen as a legitimate source of trustworthy news.
At the same time, the hackers went the extra mile to make sure the clipboard jacker isn’t flagged as malware. By using numerous fake accounts (so-called “Ghost Networks”), they manipulate reputation-driven systems like VirusTotal, tricking researchers and potential users into thinking the flagged programs are false positives.
“Even if this campaign is not primarily aimed at large enterprises, it shows that attackers no longer rely only on classic malware distribution techniques to reach victims,” the researchers concluded. “Instead, they can manipulate reputation systems, crowd‑sourced feedback, and cross‑platform promotion to lower suspicion and attract more users.”
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
View original source — TechRadar ↗