
New crypto-stealing malware targets users downloading cracked software

Marijan Hassan - Tech Journalist

Security researchers are warning about a new clipper malware called MassJacker, which is being distributed through websites offering pirated software. According to CyberArk, the malware campaign specifically targets users searching for cracked applications, tricking them into downloading malicious files that can steal cryptocurrency from their digital wallets.



How MassJacker works

MassJacker is a type of cryware, a term coined by Microsoft to describe malware that monitors a victim’s clipboard to steal cryptocurrency. When a user copies a wallet address to make a transaction, MassJacker replaces it with an attacker-controlled address, effectively rerouting funds to cybercriminals.


The infection begins with a website called pesktop[.]com, which presents itself as a platform for downloading pirated software but actually delivers malware. Once a user downloads and runs the initial file, a PowerShell script executes additional payloads, including:


  • Amadey botnet malware

  • Two .NET binaries (one for 32-bit and another for 64-bit systems)

  • PackerE, which downloads and decrypts a DLL to execute MassJacker


The encrypted DLL is particularly insidious, employing advanced evasion techniques such as Just-In-Time (JIT) hooking, metadata token mapping, and a custom virtual machine to obfuscate its actions. These methods make it significantly harder for security researchers to analyze and detect the malware.


Once active, MassJacker continuously monitors clipboard activity, using regular expressions to detect copied cryptocurrency wallet addresses. If it finds a match, it swaps the copied address with one from its remote-controlled list of fraudulent wallets.


"MassJacker creates an event handler to run whenever the victim copies anything," security researcher Ari Novick wrote in a blog post. "The handler checks the regexes, and if it finds a match, it replaces the copied content with a wallet belonging to the threat actor from the downloaded list."


Massive crypto heist in progress

CyberArk researchers have identified over 778,531 unique wallet addresses linked to the attackers. While only 423 of these wallets currently hold funds totaling approximately $95,300, the total amount of stolen digital assets before being transferred is estimated at $336,700.


Additionally, a single wallet tied to the operation was found to contain 600 SOL (Solana), worth about $87,000, with over 350 transactions funnelling funds from various addresses.


Potential links to previous malware

The origin of MassJacker remains unknown, but researchers have identified code similarities with MassLogger, another malware strain known for employing JIT hooking to evade analysis. This connection suggests that the creators of MassJacker may be experienced cybercriminals repurposing existing techniques to target crypto users.


How to protect yourself

To close, here are some of the precautions Ari recommends people take to stay safe:

  • Avoid downloading pirated software from unknown or unverified sources

  • Manually double-check wallet addresses before making transactions

  • Use security tools that can detect clipboard hijacking

  • Keep software updated to prevent vulnerabilities from being exploited
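
As an illustration of what a tool that detects clipboard hijacking looks for, here is an added example (not code from CyberArk or from the malware) that scans a time-ordered log of clipboard values and flags a wallet address replaced by a different address of the same type within a short interval. The address patterns, the one-second window, the function names and the sample events are assumptions made for this sketch.

```python
import re

# Widely used address shapes, chosen for this example (an assumption:
# the article does not list the regexes MassJacker itself uses).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def classify(text):
    """Return (family, normalized_address), or None if text is not an address."""
    value = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            # Ethereum addresses are case-insensitive apart from the checksum.
            return family, value.lower() if family == "eth" else value
    return None

def find_swaps(events, window=1.0):
    """Flag an address replaced by a different address of the same family
    within `window` seconds. events: (timestamp_seconds, text), time-ordered."""
    alerts = []
    prev = None  # (timestamp, family, address) of the previous clipboard value
    for ts, text in events:
        hit = classify(text)
        if hit and prev and hit[0] == prev[1] and hit[1] != prev[2] \
                and ts - prev[0] <= window:
            alerts.append({"time": ts, "family": hit[0],
                           "copied": prev[2], "replaced_by": hit[1]})
        prev = (ts, *hit) if hit else None
    return alerts

# Constructed sample events; the addresses are made-up strings, not real wallets.
SAMPLE_EVENTS = [
    (10.00, "0x" + "a1" * 20),   # user copies a recipient address
    (10.05, "0x" + "b2" * 20),   # different address 50 ms later: flagged
    (42.00, "meeting notes"),    # ordinary text resets the state
    (60.00, "1" + "A" * 30),     # user copies a Bitcoin address
    (95.00, "1" + "B" * 30),     # another one 35 s later: a normal copy
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The same comparison is what a manual double-check does by eye: the address pasted into the wallet must equal the one that was copied.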
