An alarming malware campaign has covertly targeted cryptocurrency enthusiasts by embedding itself within a counterfeit version of Proxifier, a widely used proxy application.
Malicious actors have created a GitHub repository that appears to be an authentic Proxifier download, yet the bundled installer is, in fact, a Trojan designed to observe and commandeer clipboard actions for stealing cryptocurrency wallet assets.
The intrusion starts in a rather typical manner. A user types “Proxifier” into a popular search engine, and one of the top results leads straight to the malicious GitHub repository.
The project webpage appears legitimate — it even showcases source code for a fundamental proxy service. In the Releases section, users discover a downloadable ZIP file that contains an executable and a document with software activation keys, giving the entire package an air of credibility.
Unbeknownst to the user, the executable is a harmful wrapper encasing the authentic Proxifier installer.
Securelist analysts uncovered this operation in early 2026, with analyst Oleg Kupreev stating that it had been ongoing since the start of 2025.
The researchers characterized the infection process as particularly lengthy, with numerous layered phases intended to maintain the malware’s concealment throughout the procedure.
Since the beginning of 2025, over 2,000 users of Kaspersky security products have faced this risk, with a significant number of victims found in India and Vietnam.
ClipBanker is a clipboard-stealing Trojan specifically crafted to target cryptocurrency enthusiasts. Whenever a victim copies a wallet address — to transfer funds to someone, for example — the malware unobtrusively replaces it with an address controlled by the attackers.
The threat covers more than 26 blockchain platforms, including Bitcoin, Ethereum, Solana, Monero, Dogecoin, TRON, Ripple and Litecoin, giving the attackers broad coverage across crypto ecosystems.
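The defensive counterpart to the swap described above is a monitor that notices when a wallet address on the clipboard changes into a different address of the same chain without the user having copied anything. The following is an added example written for this article, not code from Securelist or Kaspersky: the address patterns are format checks for a few of the chains listed (no checksum validation), the `Snapshot` records and the `user_copied` signal stand in for what a real monitor would get from the operating system, and every address in the sample history is constructed except the commonly cited bech32 example address.

```python
import re
from dataclasses import dataclass

# Address-format patterns for a few of the chains the article lists.
# These are format checks only (no checksum validation), sufficient to tell
# "looks like a wallet address" apart from ordinary clipboard text.
WALLET_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[a-z0-9]{39,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify(text: str):
    """Return the chain whose address format `text` matches, or None."""
    text = text.strip()
    for chain, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


@dataclass
class Snapshot:
    """One observation of the clipboard (constructed for this example).

    `user_copied` stands in for a signal a real monitor would take from the
    OS, e.g. a copy keystroke or menu action seen at the same instant; a
    clipboard change with no such action behind it came from another process.
    """
    t: float            # seconds since monitoring started
    text: str           # clipboard contents at that moment
    user_copied: bool   # True if the user's own copy action produced it


def find_substitutions(snapshots, window: float = 5.0):
    """Flag a wallet address silently replaced by another address of the same chain.

    Returns a list of (original, replacement, chain) tuples. A change the user
    made (user_copied=True) is never flagged, nor is a change to a different
    chain or to non-address text, nor one more than `window` seconds later.
    """
    alerts = []
    previous = None
    for snap in snapshots:
        chain = classify(snap.text)
        if (previous is not None and chain is not None and not snap.user_copied
                and classify(previous.text) == chain
                and previous.text != snap.text
                and snap.t - previous.t <= window):
            alerts.append((previous.text, snap.text, chain))
        previous = snap
    return alerts


# Constructed clipboard history. The Ethereum and TRON addresses are made up
# for the example; the Bitcoin address is the commonly cited bech32 example.
USER_ETH = "0x" + "ab" * 20
SWAPPED_ETH = "0x" + "cd" * 20
BTC = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
TRX_A = "TN3W4H6rK2ce4vX9YnFQhCgKpJ4g3zhRkd"
TRX_B = "TQb1j5Vw7Jq9rXpE3uHcK8nYsNfZ2LgA4m"

SAMPLE_HISTORY = [
    Snapshot(0.0, USER_ETH, True),      # user copies the counterparty's address
    Snapshot(0.2, SWAPPED_ETH, False),  # silently overwritten 200 ms later
    Snapshot(10.0, BTC, True),          # user copies a Bitcoin address
    Snapshot(10.1, BTC, False),         # benign re-read, content unchanged
    Snapshot(20.0, "meeting at 3pm", True),
    Snapshot(30.0, TRX_A, True),
    Snapshot(35.0, TRX_B, True),        # user legitimately copies a new address
]


if __name__ == "__main__":
    for original, replacement, chain in find_substitutions(SAMPLE_HISTORY):
        print(f"[{chain}] clipboard address replaced: {original} -> {replacement}")
```

Only the Ethereum pair in the sample history is reported: the Bitcoin re-read has identical content, and the second TRON address was copied by the user. The `window` matters in practice, since a clipboard stealer overwrites within milliseconds of the copy; a change minutes later is far more likely to be the user's own doing.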
The effectiveness of this operation lies in how convincingly it is presented. The attackers have been actively promoting their nefarious GitHub repository within search engine rankings, ensuring that more users come across it.
A user downloading what seems to be free, legitimate software would have no clear reason to doubt anything — until their cryptocurrency mysteriously vanishes.
Inside the Infection Chain: How ClipBanker Evades Detection
As soon as the user executes the trojanized installer, the malware springs into action immediately. Its initial step is to generate a small stub file — approximately 1.5 KB — in the system’s temporary folder, adopting a name that imitates an authentic Proxifier process.
A .NET application known as api_updater.exe is then inserted into this stub to silently add Microsoft Defender exceptions for TMP files and the current directory. This phase ensures that the subsequent stages of the infection proceed without triggering any security notifications.
While the genuine Proxifier installer runs in the foreground to keep the victim relaxed and unaware, the Trojan discreetly persists in the background.
It injects another component — proxifierupdater.exe — which subsequently embeds malicious code into conhost.exe, a trusted Windows utility.
Through this sequence, an encrypted PowerShell script executes directly in memory, without leaving any discernible trace on the hard drive. This fileless method complicates the malware’s detection and eradication.
The PowerShell script performs several essential functions: it adds the PowerShell and conhost processes to Defender’s exclusion list, stores an encoded script in the registry key HKLM\SOFTWARE\System::Config, and sets up a scheduled task called “Maintenance Settings Control Panel” that triggers each time the user logs in.
This task retrieves the stored script, decodes it, and extracts the next payload from Pastebin-like services.
After one last download from GitHub, the shellcode is injected into fontdrvhost.exe, at which point ClipBanker starts silently monitoring the clipboard for any cryptocurrency wallet address to substitute.
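The chain above leaves host-level traces a responder can check for: the Defender exclusions, the scheduled task name, and the registry key holding the encoded script. The following is an added example written for this article, not Securelist's or Kaspersky's tooling: it matches a normalised list of configuration records (a constructed shape, not any product's export format) against those indicators. The registry path is written with the backslashes the article's rendering dropped, and treating path exclusions under Temp or Downloads folders as suspicious is an assumption of this example, standing in for the "current directory" exclusion the article mentions.

```python
# Indicators as the article describes them. The registry path is written with
# the backslashes the article's rendering dropped.
TASK_NAME = "Maintenance Settings Control Panel"
REGISTRY_KEY = r"HKLM\SOFTWARE\System::Config"
EXCLUDED_PROCESSES = {"conhost.exe", "powershell.exe"}
# Assumption of this example: a path exclusion under a user-writable folder
# is treated as suspicious (the article names a "current directory" exclusion).
SUSPICIOUS_PATH_SEGMENTS = ("\\temp", "\\downloads")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(records):
    """Match host configuration records against the article's indicators.

    Each record is a dict with a "kind" key; the shapes used here are a
    constructed normalisation of what a collection script or EDR export might
    produce. Returns a list of (tactic, detail) tuples.
    """
    findings = []
    for rec in records:
        kind = rec.get("kind")
        if kind == "scheduled_task":
            if rec.get("name") == TASK_NAME:
                findings.append(("persistence",
                                 f"scheduled task {TASK_NAME!r} (trigger: {rec.get('trigger')})"))
        elif kind == "defender_exclusion":
            etype, value = rec.get("type"), rec.get("value", "")
            if etype == "extension" and value.lstrip(".").lower() == "tmp":
                findings.append(("defense_evasion", "Defender extension exclusion for .tmp"))
            elif etype == "process" and _basename(value) in EXCLUDED_PROCESSES:
                findings.append(("defense_evasion", f"Defender process exclusion for {value}"))
            elif etype == "path" and any(seg in value.lower() for seg in SUSPICIOUS_PATH_SEGMENTS):
                findings.append(("defense_evasion", f"Defender path exclusion in user-writable folder: {value}"))
        elif kind == "registry_write":
            if rec.get("key", "").lower() == REGISTRY_KEY.lower():
                findings.append(("persistence", f"script stored under {REGISTRY_KEY}"))
    return findings


def chain_likely(findings) -> bool:
    """True when both an evasion step and a persistence step are present,
    i.e. more than a single coincidental match."""
    tactics = {tactic for tactic, _ in findings}
    return {"defense_evasion", "persistence"} <= tactics


# Constructed sample records: what a collector might report from an infected host.
SAMPLE_RECORDS = [
    {"kind": "scheduled_task", "name": TASK_NAME, "trigger": "logon"},
    {"kind": "scheduled_task", "name": "OneDrive Standalone Update Task", "trigger": "daily"},
    {"kind": "defender_exclusion", "type": "extension", "value": ".tmp"},
    {"kind": "defender_exclusion", "type": "process", "value": r"C:\Windows\System32\conhost.exe"},
    {"kind": "defender_exclusion", "type": "process", "value": "powershell.exe"},
    {"kind": "defender_exclusion", "type": "path", "value": r"C:\Program Files\Contoso"},
    {"kind": "defender_exclusion", "type": "path", "value": r"C:\Users\alice\Downloads\Proxifier"},
    {"kind": "registry_write", "key": r"HKLM\SOFTWARE\System::Config"},
    {"kind": "registry_write", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]


if __name__ == "__main__":
    results = triage(SAMPLE_RECORDS)
    for tactic, detail in results:
        print(f"{tactic:16} {detail}")
    print("chain likely:", chain_likely(results))
```

Six of the nine sample records match; the benign OneDrive task, the vendor path exclusion and the ordinary Run key do not. Requiring both tactics before calling the chain likely keeps a single legitimate exclusion from raising an alarm on its own, while an exclusion for conhost.exe together with the named task is a strong match for this specific campaign.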
To remain secure, users ought to acquire software solely from official and verified channels. Employing a trustworthy, up-to-date security solution is highly advised, as it can prevent infections before they inflict serious harm.
If a paid security tool is unavailable, every download source must be meticulously verified before any file is executed.