Particle.news

Fake Online Reputation Used to Push Rust Crypto Clipper

Check Point Research says the campaign shows attackers are building synthetic trust to get users and automated systems to run malicious crypto tools.

Overview

  • Check Point Research published a technical analysis in mid‑June that maps a coordinated operation which promoted malicious crypto tools across GitHub, SourceForge, YouTube and news‑distribution services.
  • The payload is a Rust‑based clipboard hijacker for Windows and macOS that watches copied text for crypto wallet addresses and replaces them with attacker addresses drawn from an embedded list of more than 15,500 wallets.
  • The macOS build includes an 'unlocker' script that instructs users on removing Apple's quarantine flag to bypass Gatekeeper and runs a 30‑second watchdog that rewrites and clones the binary to persist after removal.
  • The actor manufactured social proof with fake GitHub stars and forks, inflated SourceForge download counts, AI‑narrated tutorial videos, and planted 'safe' votes and praise on VirusTotal to lower suspicion and steer victims to a WordPress phishing hub and downloads.
  • Security teams and users should treat reputation signals with caution, use the IOCs published by Check Point to hunt related files, and watch for the same trust‑building playbook to be reused to deliver more harmful malware or steal funds from victims.
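The clipper described in the second bullet works by silently replacing one wallet address on the clipboard with another of the same type. The following detection sketch, written for this summary and not part of Check Point Research's publication or the malware analysis itself, shows how an endpoint monitor could flag that behaviour: it classifies clipboard snapshots as wallet addresses by pattern, and raises an alert when an address is replaced by a different address of the same asset type within a short window with no accompanying user copy event. It also cross-checks the substituted address against an attacker-wallet IOC set of the kind Check Point published. The snapshot sequence, the `user_copy` flag (assumed to be supplied by an input hook on the real host), and the IOC set are all constructed sample data; the address patterns are recognisers only and do not verify checksums.

```python
import re
from dataclasses import dataclass

# Recognisers for the asset types a clipper commonly targets.
# These match shape only; checksums are not validated here.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Constructed stand-in for a published attacker-wallet IOC list (placeholder values).
ATTACKER_WALLETS = {
    "1CoNsTrUcTeDaDdReSs123456789abc",
    "0x" + "cd" * 20,
}


def classify(text: str):
    """Return 'btc'/'eth' if the text looks like a wallet address, else None."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


@dataclass
class Snapshot:
    t: float          # seconds since monitoring started
    text: str         # clipboard contents at that instant
    user_copy: bool   # assumed to come from an input hook: did the user copy at this instant?


def detect_swaps(snapshots, window: float = 2.0):
    """Flag transitions where a wallet address is replaced by a *different* address of
    the same type within `window` seconds and no user copy event explains the change.
    A change to or from non-address text is ignored, as is a user-initiated copy."""
    alerts = []
    prev = None
    for snap in snapshots:
        if prev is not None:
            k_prev, k_now = classify(prev.text), classify(snap.text)
            silent = not snap.user_copy and (snap.t - prev.t) <= window
            if k_prev and k_now == k_prev and prev.text.strip() != snap.text.strip() and silent:
                replaced = snap.text.strip()
                alerts.append({
                    "t": snap.t,
                    "kind": k_now,
                    "original": prev.text.strip(),
                    "replaced": replaced,
                    # Severity rises when the substituted address is a known attacker wallet.
                    "severity": "high" if replaced in ATTACKER_WALLETS else "medium",
                })
        prev = snap
    return alerts


# Constructed clipboard timeline: one silent swap, one legitimate re-copy, one non-address change.
SAMPLE = [
    Snapshot(0.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", True),   # user copies a BTC address
    Snapshot(0.4, "1CoNsTrUcTeDaDdReSs123456789abc", False),     # silently replaced: alert
    Snapshot(10.0, "0x" + "ab" * 20, True),                       # user copies an ETH address
    Snapshot(15.0, "0x" + "ef" * 20, True),                       # user copies another one: benign
    Snapshot(20.0, "meeting notes", True),                        # ordinary text
    Snapshot(20.5, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", False), # text -> address: not a swap
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE):
        print(alert)
```

On a live host the snapshots would come from polling the clipboard and the `user_copy` flag from a keyboard or UI-event hook; the rule stays the same. The window bound matters because a clipper rewrites the clipboard almost immediately after the user copies, whereas a user pasting and then copying a second address later produces a wider gap and a copy event.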