Check Point Research has uncovered a sophisticated crypto clipper campaign that weaponizes trust in legitimate platforms. The threat actor behind the operation is using paid or promoted posts on reputable news websites to generate buzz for malicious warez. This marks a shift from traditional phishing to a multi-platform infiltration strategy.

The campaign's operational hub is a dedicated WordPress phishing page. From there, the attacker coordinates GitHub and SourceForge projects, both heavily promoted by a network of fake accounts. A YouTube channel featuring AI-generated narrators adds another layer of authenticity, luring victims into downloading the crypto clipper. The malware itself is designed to hijack cryptocurrency transactions by replacing wallet addresses in the clipboard.

When a user copies a cryptocurrency wallet address, the clipper malware detects it and swaps it with an attacker-controlled address. The victim unknowingly sends funds to the adversary. Check Point's analysis indicates the campaign is actively distributing the malware through fake software cracks, keygens, and game cheats, often hosted on the promoted GitHub and SourceForge repositories.
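The swap described above leaves a characteristic trace: the clipboard holds one wallet address and, moments later, a different address of the same type, with no user action in between. The following is an added example, not Check Point's code or the malware itself, of a defensive detector that replays constructed clipboard snapshots and flags such swaps; the address patterns, the 2-second window and the event format are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Coarse shape patterns for common address types (constructed for this example;
# format classification only, no checksum validation).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipEvent:
    ts: float       # seconds since monitoring started
    content: str    # clipboard text at that moment


def classify(text: str):
    """Return the address type the text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_swaps(events, window_s: float = 2.0):
    """Flag a same-type address replaced by a different address within window_s.
    Returns tuples of (type, original, replacement, seconds_between)."""
    alerts = []
    prev = None
    for ev in events:
        kind = classify(ev.content)
        if prev is not None and kind is not None:
            same_type = classify(prev.content) == kind
            changed = prev.content.strip() != ev.content.strip()
            if same_type and changed and (ev.ts - prev.ts) <= window_s:
                alerts.append((kind, prev.content, ev.content, ev.ts - prev.ts))
        prev = ev
    return alerts


# Constructed clipboard history: a user copies an ETH address, and 50 ms later the
# clipboard silently holds a different ETH address. The later BTC copies are 20 s
# apart, i.e. ordinary user behaviour, and must not be flagged.
SAMPLE_EVENTS = [
    ClipEvent(0.00, "0x1234567890abcdef1234567890abcdef12345678"),
    ClipEvent(0.05, "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"),
    ClipEvent(10.0, "meeting notes"),
    ClipEvent(11.0, "1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"),
    ClipEvent(31.0, "3BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"),
]
```

A wallet's paste-time check is the same comparison run once: refuse or warn when the pasted address differs from the one the user just copied.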

The attacker is also abusing VirusTotal by uploading benign software samples to build up a baseline of clean scan results, so that the malicious payloads appear legitimate when later scanned. This technique undermines trust in automated threat intelligence tools. No specific CVEs have been assigned, as the attack relies on social engineering rather than a software vulnerability.

Check Point has not publicly attributed the campaign to a specific group or nation-state. The abuse of AI-generated content alongside fake reviews marks an evolution in social engineering, exploiting both platform trust and emerging technologies. Users are advised to verify any downloaded software against official vendor sources and to enable clipboard security features in wallet applications.