{
	"id": "d613c52c-5ad4-4696-b117-501230b674b4",
	"created_at": "2026-04-06T01:30:46.837762Z",
	"updated_at": "2026-04-10T13:11:30.591238Z",
	"deleted_at": null,
	"sha1_hash": "64e9cf52f7ad145382a17107426033586173e2b1",
	"title": "Evrial Trojan Switches Bitcoin Addresses Copied to Windows Clipboard",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1017116,
	"plain_text": "Evrial Trojan Switches Bitcoin Addresses Copied to Windows Clipboard\r\nBy Lawrence Abrams\r\nPublished: 2018-01-21 · Archived: 2026-04-06 00:24:48 UTC\r\nA new information stealing Trojan called Evrial is being sold on criminal forums and being actively distributed in the wild.\r\nLike most infostealing Trojans, Evrial can steal browser cookies and stored credentials, but this Trojan also has the ability to\r\nmonitor the Windows clipboard for certain text, and if detected, modify it to something else.\r\nFirst discovered and tracked by security researchers MalwareHunterTeam and Guido Not CISSP, by monitoring the\r\nWindows clipboard for certain strings, Evrial makes it easy for attackers to hijack cryptocurrency payments and Steam\r\ntrades. This is done by replacing legitimate payment addresses and URLs with addresses under the attacker's control.\r\nEvrial being sold on criminal forums\r\nAccording to MalwareHunterTeam, Evrial is currently being sold on Russian criminal forums for 1,500 Rubles or ~ $27\r\nUSD.  In the advertisement, the seller states that after purchasing the product, an attacker gains access to a web panel that\r\nallows them to build an executable. 
This web panel also keeps track of what clipboard modifications have taken place and\r\nallows an attacker to configure what replacement strings should be used.\r\nTranslated Post on a Russian Forum\r\nIncluded in the advertisement are some sample screenshots of the web panel as shown below.\r\nhttps://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/\r\nPage 1 of 6\n\nWeb Panel Screenshot\r\nEvrial takes control of the Windows clipboard\r\nEvrial's most interesting feature is that it will monitor the Windows clipboard for certain types of strings and replace them\r\nwith ones sent by the attacker. This allows the attacker to reroute a cryptocurrency payment to an address under their\r\ncontrol. While clipboard monitoring is common with programs like this, MalwareHunterTeam has told BleepingComputer\r\nthat modifications are much more rare.\r\nFor example, bitcoin addresses are not the easiest string of text to type into a program or website. Due to this, when\r\nsomeone sends bitcoins to an exchange or wallet, they typically copy the address that the coins should be sent to into the\r\nWindows clipboard and then paste that address into the other app or site that is performing the sending. \r\nWhen Evrial detects a bitcoin address in the clipboard, it replaces that legitimate address with one under the attacker's\r\ncontrol. The victim then pastes that address into their app, thinking it's the legitimate one and not realizing it's been\r\nreplaced, and clicks send. 
Now when the bitcoins are sent, they go to the attacker's address rather than your intended\r\nrecipient.\r\nEvrial is configured to detect strings that correspond to Bitcoin, Litecoin, Monero, WebMoney, Qiwi addresses and Steam\r\nitems trade URLs.\r\nDetecting Strings in the Windows Clipboard\r\nWhen Evrial detects one of the supported strings in the clipboard, it will connect to a remote site, upload the original string,\r\nand then download a string that should be used as the replacement.\r\nReplacing String in Clipboard\r\nAs the string has now been replaced in the clipboard, when the victim performs a paste into a program, the attacker's string\r\nwill be used instead.\r\nEvrial steals passwords and documents\r\nIn addition to monitoring and modifying the clipboard, Evrial will also steal bitcoin wallets, stored passwords, documents\r\nfrom the victim's desktop, and a screenshot of the active windows.  All of this information will be compiled into a zip file\r\nand uploaded to the attacker's web panel as shown below.\r\nEvrial will determine the location of Bitcoin's wallet.dat file by querying a registry key. If the key exists, it will then steal\r\nthat wallet so it can gain access to the victim's bitcoins.\r\nFind Bitcoin wallet.dat Location\r\nEvrial will also attempt to steal credentials stored in browsers. 
The browsers targeted by Evrial include Chrome, Yandex,\r\nOrbitum, Opera, Amigo, Torch, and Comodo.\r\nSteal Browser Credentials\r\nEvrial will also attempt to steal credentials stored in Pidgin and Filezilla.\r\nSteal FileZilla Credentials\r\nLast, but not least, Evrial will steal cookies \u0026 documents found on a desktop.\r\nSteal Cookies\r\nAll of this data, plus a screenshot of the active window, will be uploaded to a remote server so it can be accessed by the\r\nattacker.\r\nHow to protect yourself from Evrial\r\nAt this time it is not 100% known how Evrial is being distributed, but the best way to protect yourself is to practice good\r\ncomputing habits. Make sure that you have security software installed, that you scan attachments that you receive using a\r\nsite like VirusTotal, and that you practice good and safe computing habits.\r\nA tutorial on how to use your computer safely can be found here: Simple and easy ways to keep your computer safe and\r\nsecure on the Internet\r\nSource: https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/"
	],
	"report_names": [
		"evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439046,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64e9cf52f7ad145382a17107426033586173e2b1.pdf",
		"text": "https://archive.orkl.eu/64e9cf52f7ad145382a17107426033586173e2b1.txt",
		"img": "https://archive.orkl.eu/64e9cf52f7ad145382a17107426033586173e2b1.jpg"
	}
}