{
	"id": "f9f16559-bb16-463a-b16e-90548a26748e",
	"created_at": "2026-04-06T01:29:02.329299Z",
	"updated_at": "2026-04-10T13:12:09.523694Z",
	"deleted_at": null,
	"sha1_hash": "b046add50b47a47f27d1e468184483fe6ce28f1a",
	"title": "Cyble - Clipper Malware disguised as AvD Crypto Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 974945,
	"plain_text": "Cyble - Clipper Malware disguised as AvD Crypto Stealer\r\nBy cybleinc\r\nPublished: 2022-03-22 · Archived: 2026-04-06 01:14:23 UTC\r\nCyble Research Labs analyzes a Clipper malware variant disguised as an AvD Crypto Stealer, potentially targeting other Threat Actors.\r\nInformation-stealing malware is on the rise. Cyble Research Labs recently discovered a new malware dubbed “AvD crypto stealer” on a cybercrime forum. Upon further investigation, however, we observed that this does not function as a Crypto Stealer. This is, in fact, a disguised variant of the well-known Clipper malware that can read and edit any text copied by the victim, i.e. crypto wallet information.\r\nThe TA is providing one month of free access to entice more individuals to use it. Anyone can become a victim of this malware, though the primary target appears to be other TAs.\r\nThe Threat Actor (TA) claims that the stealer supports six cryptocurrency chains: Ethereum, Binance Smart Chain, Fantom, Polygon, Avalanche, and Arbitrum.\r\nThe TA targets victims by changing the crypto addresses present in the clipboard. When making crypto transactions, individuals typically copy the crypto address, and the malware takes advantage of this by replacing the copied crypto wallet address with the one specified by the TA.\r\nIf the victim does not validate that the pasted value matches the copied one, the transaction might end up in the account specified by the TA. This clipper malware can also identify crypto addresses present amongst multiple strings, which expands its capabilities.\r\nhttps://blog.cyble.com/2022/03/22/hunters-become-the-hunted/\r\nPage 1 of 8\r\nFigure 1: Post shared on a cybercrime forum\r\nTechnical Analysis\r\nThe execution of the malware starts from a self-extracting installation file. Self-extracting archives, also known as SFX files, are Windows executable files that, upon execution, extract their compressed content. Figure 2 shows the installation wizard.\r\nFigure 2: Installation Wizard\r\nThe installation file drops the files shown in Figure 3 and executes the payload named ‘Payload.exe’. The dropped files also contain manuals for using the builder and the binaries.\r\nFigure 3: Extracted files\r\nThe payload file (SHA256: b6135c446093a19544dbb36018adb7139aa810a3f3eaa45663dc54448fe30e39) is a .NET-based binary. Figure 4 shows the payload details.\r\nFigure 4: File information\r\nFigure 5 shows the process flow of the clipper malware. The malware extracts the data from the clipboard and then uses a regular expression to find crypto addresses. If there is a match, the malware replaces the address with one specified by the TA.\r\nFigure 5: Clipper malware process flow\r\nThe clipper malware has the following classes:\r\nProgram:\r\nThis class contains the main function, which executes the clipper functionality. Upon execution, the main program creates a mutex with the random-looking name “XWj1iK27ngY68XUB” to ensure that only one instance of the malware process runs at any given time. If it fails to create the mutex, the malware terminates its execution.\r\nFigure 6: Main function\r\nAfter creating the mutex, the malware copies itself into the startup location to establish persistence and executes the ClipboardNotification.NotificationForm() function. Through this, the malware monitors the user’s clipboard activity, identifies crypto addresses, and replaces them with the attacker’s address details.\r\nClipboard Notification:\r\nThis class monitors the user’s clipboard activity and notifies when the user copies something into the clipboard.\r\nAddresses:\r\nThis class contains the config details, including crypto addresses, the mutex name, and the targeted cryptocurrencies, as shown in Figure 7. The clipper targets Bitcoin (BTC), Ethereum, and Monero (XMR) crypto addresses.\r\nFigure 7: Addresses class\r\nClipboard:\r\nThis class contains two functions, GetText() and SetText(). These functions read the clipboard text and, if there is a crypto wallet address in the copied text, replace the user’s wallet address with the attacker’s wallet address. The Clipboard class is also responsible for sending the data, for logging purposes, to the URL present in the Addresses class.\r\nFigure 8: Clipboard class\r\nPatternRegex:\r\nThis class contains the regex pattern used to identify crypto addresses copied to the clipboard.\r\nFigure 9: Pattern Regex\r\nOn further investigation into one of the hardcoded crypto addresses in the payload, we found the transaction details shown below.\r\nFigure 10: Transaction details\r\nConclusion:\r\nThreat Actors continue to exploit the human element to execute their attacks, as they see it as a vulnerability; this malware relies on a similar attack vector. However, we can reduce the impact of this malware by being more cautious while making crypto transactions.\r\nThere are multiple ways in which this attack can escalate. In one scenario, the malware creator can target both the other TAs who use the builder to customize the crypto stealer and their victims. This clipper can carry out financial theft on a large scale, so it becomes necessary to take preventive measures.\r\nOur Recommendations:\r\n- Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” offered on sites such as YouTube, torrent sites, etc., primarily contains such malware.\r\n- Use a reputable anti-virus and internet security software package on your connected devices, including PCs, laptops, and mobile devices.\r\n- Refrain from opening untrusted links and email attachments without first verifying their authenticity.\r\n- In the case of businesses, educate employees on protecting themselves from threats like phishing and untrusted URLs.\r\n- Monitor beacons at the network level to block data exfiltration by malware or TAs.\r\nMITRE ATT&CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1566 | Phishing\r\nExecution | T1204 | User Execution\r\nPersistence | T1547 | Boot or Logon Autostart Execution\r\nCollection | T1115 | Clipboard Data\r\nExfiltration | T1567 | Exfiltration Over Web Service\r\nIndicators of Compromise (IoCs):\r\nIndicators | Indicator type | Description\r\n012fca9cf0ac3e9a1c2c1499dfdb4eaf | MD5 | Installation file\r\n47480d9b4df34ea1826cd2fafc05230eb195c0c2 | SHA-1 | Installation file\r\ndeaad208c6805381b6b6b1960f0ee149a88cdae2579a328502139ffc5814c039 | SHA-256 | Installation file\r\nfea27906be670ddbf5a5ef6639374c07 | MD5 | Payload file\r\n20f7554280e5e6d0709aa1e850f01e816d2674f2 | SHA-1 | Payload file\r\nb6135c446093a19544dbb36018adb7139aa810a3f3eaa45663dc54448fe30e39 | SHA-256 | Payload file\r\nSource: https://blog.cyble.com/2022/03/22/hunters-become-the-hunted/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2022/03/22/hunters-become-the-hunted/"
	],
	"report_names": [
		"hunters-become-the-hunted"
	],
	"threat_actors": [
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438942,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b046add50b47a47f27d1e468184483fe6ce28f1a.pdf",
		"text": "https://archive.orkl.eu/b046add50b47a47f27d1e468184483fe6ce28f1a.txt",
		"img": "https://archive.orkl.eu/b046add50b47a47f27d1e468184483fe6ce28f1a.jpg"
	}
}