{
	"id": "1dea7ae6-8f41-48ef-a6c5-dd98330cb42a",
	"created_at": "2026-04-06T01:31:57.818765Z",
	"updated_at": "2026-04-10T13:11:24.389604Z",
	"deleted_at": null,
	"sha1_hash": "f8324c528db83edf68f04e1a408ae9efb9dfb8ab",
	"title": "CryptoClip Hijacker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 201014,
	"plain_text": "CryptoClip Hijacker\r\nPublished: 2022-04-08 · Archived: 2026-04-06 01:17:02 UTC\r\nStealing crypto-currency is nothing new for threat actors. Thinner profit margins from mining make stealing the coins from wallets more lucrative. One common technique is to scrape the clipboard for wallet addresses and replace them with the attacker’s own address; the victim is left with no knowledge that the theft is happening.\r\nIn this blog we look at one such CryptoClip hijacker, which was generally seen being spammed out via Discord. Discord is one of the ways people with a common interest stay in touch, so spamming a CryptoClip hijacker to Discord servers that discuss crypto trading and mining means the malware reaches people who are actively dealing with crypto-currency.\r\nAn unsuspecting user could download and execute these binaries. The malware could equally be spammed out via the traditional e-mail attachment technique. We found one such sample with the filename CryptoClipWatcher.exe, probably trying to pose as the legitimate CryptoClipWatcher tool.\r\nBinary Overview\r\nThis binary is .NET compiled.\r\nhttps://labs.k7computing.com/index.php/cryptoclip-hijacker/\r\nPage 1 of 6\n\nFigure 1: Version info of the malware\r\nThe file’s version information and internal name were spoofed to look like svchost.exe. A legitimate svchost.exe is a native Microsoft Visual C++ 8 compiled binary, not .NET as observed in Figure 1. The file is also signed with a fake digital certificate, as shown in Figure 2.\r\nFigure 2: Digital Certificate information\r\nThe malware uses a simple decryption routine for all of its encrypted data. First the encrypted string and the key (‘UUdkUzZTQkFtMXlKTkE3Zw==’) are both base64 decoded; then the decoded string is XORed with the decoded key, the key being repeated to cover the whole string. Figure 3 depicts this decryption process.\r\nFigure 3: Code to decrypt/decode\r\nEven the file’s original filename is stored base64 encoded and XOR encrypted: the encoded value EjUdI0I8AS0EQS4rOiJfAiM= decodes to crypto clip watcher, which as mentioned earlier is the name of a legitimate crypto tool.\r\nFigure 4: Original file name\r\nPersistence technique used in this binary file\r\nOn statically analyzing the decompiled IL we found a persistence entry in %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup, where the malware copies itself and executes under the guise of svchost32.exe. It adds the same file path to the Run registry key as well, under the name “Host Process for Windows Services”, as shown in Figure 5.\r\nFigure 5: Persistence entry in registry\r\nIt also uses another standard technique: creating a scheduled task through cmd.exe.\r\nFigure 6: Process tree of the malware\r\nThe self-copied svchost32.exe is scheduled to execute every minute by creating a job file, as shown in Figure 7.\r\nFigure 7: The previous command line as seen statically in the decompiled binary\r\nMalware Mechanism\r\nThe file carries 38 of the attacker’s crypto wallet addresses, a few of which are shown in Figure 8. These addresses are also base64 encoded and XORed with the same key.\r\nFigure 8: List of crypto currencies targeted by the malware\r\nOne of these addresses, in its encoded form in the decompiled code and after decoding, is shown in Figure 9.\r\nFigure 9: Encoded wallet address in decompiled code and decoded address.\r\nThe malware first applies the regex pattern “\\b(79|380)[0-9]{9}\\b” to the clipboard contents. Note that this pattern only matches 11- or 12-digit numeric strings beginning with 79 or 380, which is the shape of Russian and Ukrainian mobile numbers (also used as the wallet identifier by phone-number based e-wallets such as QIWI) rather than of a typical crypto-currency address; it is the currency-specific regexes applied next that identify wallet addresses. The malware checks the scraped clipboard text against each currency’s address regex to decide which currency it belongs to. These regexes are also encoded, as shown in Figure 10.\r\nFigure 10: Currency specific regex encoded/decoded\r\nThe user’s wallet address in the clipboard is then replaced with the malware author’s address for that currency. The code snippet that reads and replaces the clipboard content is shown in Figure 11.\r\nFigure 11: Get/Set text from clipboard\r\nWe checked one of the attacker’s crypto wallet addresses and found a couple of transactions made to it, amounting to roughly $100.\r\nTransactions\r\nFigure 12: Transaction showing transfer of the crypto to the attackers’ wallet address\r\nIt is always advisable to download tools or applications from reputable sources and to exercise caution while using any such binaries. It is also always advisable to use security software such as K7 Total Security.\r\nIndicators Of Compromise (IOCs) and Detections\r\nHash (MD5): 3488617002B1652F487D5AD410CB92AF\r\nDetection Name: Trojan(00545fd01)\r\nOriginal File Name: crypto clip watcher.exe\r\nMutex: 2c092895c2e64adb\r\nBehavior: suspicious program (ID 700018)\r\nSource: https://labs.k7computing.com/index.php/cryptoclip-hijacker/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/cryptoclip-hijacker/"
	],
	"report_names": [
		"cryptoclip-hijacker"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439117,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8324c528db83edf68f04e1a408ae9efb9dfb8ab.pdf",
		"text": "https://archive.orkl.eu/f8324c528db83edf68f04e1a408ae9efb9dfb8ab.txt",
		"img": "https://archive.orkl.eu/f8324c528db83edf68f04e1a408ae9efb9dfb8ab.jpg"
	}
}
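Worked example, added by the editor and not code from the K7 post, from the malware, or from the CryptoClipWatcher tool: a Python model of the string-decoding routine (base64, then XOR with the base64-decoded key) and of the clipboard pre-filter and address swap that the archived post describes. The key string, the encrypted original-filename blob and the pre-filter regex are the ones quoted in the post; the per-currency address regexes, the victim and attacker addresses, and all function names are assumptions made for the illustration.

```python
"""Model of the CryptoClip hijacker's string decoding and clipboard swap.

Added illustration only: not the malware's code and not K7's code.
Constants marked 'from the write-up' are the ones quoted in the post;
everything else is an assumption made for this example.
"""
import base64
import re

# From the write-up: base64 of the XOR key used for all encrypted strings.
KEY_B64 = "UUdkUzZTQkFtMXlKTkE3Zw=="
# From the write-up (Figure 4): the encrypted original filename.
ORIGINAL_NAME_BLOB = "EjUdI0I8AS0EQS4rOiJfAiM="
# From the write-up: the clipboard pre-filter regex, kept verbatim.
PHONE_LIKE = re.compile(r"\b(79|380)[0-9]{9}\b")


def _xor(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as often as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt(blob_b64: str, key_b64: str = KEY_B64) -> str:
    """Base64-decode blob and key, then XOR them (the routine in Figure 3)."""
    plain = _xor(base64.b64decode(blob_b64), base64.b64decode(key_b64))
    return plain.decode("utf-8", errors="replace")


def encrypt(text: str, key_b64: str = KEY_B64) -> str:
    """Inverse of decrypt; XOR is symmetric, so it is the same operation."""
    raw = _xor(text.encode("utf-8"), base64.b64decode(key_b64))
    return base64.b64encode(raw).decode("ascii")


def decrypt_all(blobs):
    """Analyst helper: decode a list of blobs pulled from the decompiled IL."""
    return [decrypt(b) for b in blobs]


# Assumed per-currency address patterns (the post shows its own only in a
# figure). Attacker addresses are constructed and stored encrypted, as the
# sample stores its 38 real ones.
ATTACKER_BTC = "1AttackerBtcAddress" + "X" * 14
ATTACKER_ETH = "0x" + "ab" * 20
CURRENCY_RULES = [
    ("BTC", re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"), encrypt(ATTACKER_BTC)),
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$"), encrypt(ATTACKER_ETH)),
]


def find_phone_like(text: str):
    """Apply the quoted pre-filter; it only hits 79…/380… digit strings."""
    return [m.group(0) for m in PHONE_LIKE.finditer(text)]


def classify(text: str):
    """Return (currency, decrypted attacker address) if text is an address."""
    for name, pattern, enc_addr in CURRENCY_RULES:
        if pattern.match(text):
            return name, decrypt(enc_addr)
    return None


def hijack(clipboard: str):
    """One clipboard poll: swap a recognised address, otherwise leave it.

    Returns (new_clipboard_text, currency_or_None).
    """
    hit = classify(clipboard.strip())
    if hit is None:
        return clipboard, None
    currency, attacker_addr = hit
    return attacker_addr, currency


if __name__ == "__main__":
    print(decrypt(ORIGINAL_NAME_BLOB))
    # Constructed victim address; valid shape, not a real wallet.
    victim = "1VictimBtcAddressConstructed" + "X" * 5
    print(hijack(victim))
    print(find_phone_like("pay 79123456789 or 380501234567"))
```

Running decrypt on the quoted blob with the quoted key yields the string CryptoClipWatcher (the post prints the name as crypto clip watcher, with different case and spacing). The pre-filter check shows why the caveat in the text matters: a Bitcoin or Ethereum address never matches the 79/380 pattern, so the per-currency regexes are what actually drive the swap.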