Malicious actors have embedded malware in fake Microsoft Office extension packages on SourceForge, attempting to steal crypto by swapping a victim’s copied wallet address with that of an attacker.
A cybersecurity report from Kaspersky’s Anti-Malware Research Team has revealed that a listing on SourceForge, titled “officepackage,” contains genuine Microsoft Office add-ins bundled with hidden malware. The malicious software, known as ClipBanker, is designed to hijack crypto transactions by swapping copied wallet addresses on a user’s clipboard with those controlled by the attacker.
Kaspersky’s research team noted that crypto wallet users often copy wallet addresses rather than type them manually. If their device is infected with the ClipBanker malware, any funds sent could be redirected to an unintended destination controlled by the attacker.
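The clipboard swap described above leaves a detectable trace: a wallet address that the user copied is replaced, moments later and by a different process, with another address of the same format. The following monitor rule is an added example written for this article (not Kaspersky's code and not ClipBanker's); it assumes a clipboard monitor that records each change with a timestamp and the owning process (as Windows' GetClipboardOwner would report), and runs here over a constructed event list.

```python
import re
from dataclasses import dataclass

# Address formats to watch (assumption: Bitcoin base58/bech32 and EVM 0x addresses;
# extend the table for other chains).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_family(text: str):
    """Return the address family the clipboard text looks like, or None."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None

@dataclass
class ClipboardEvent:
    ts: float      # seconds since the monitor started
    owner: str     # process that set the clipboard (hypothetical monitor field)
    content: str

def detect_address_swaps(events, window=3.0):
    """Flag a wallet address that is replaced by a different address of the same
    family, by a different process, within `window` seconds of being copied."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        fam = address_family(prev.content)
        if (fam is not None
                and address_family(cur.content) == fam
                and cur.content.strip() != prev.content.strip()
                and cur.owner != prev.owner
                and cur.ts - prev.ts <= window):
            alerts.append({"family": fam, "original": prev.content.strip(),
                           "replacement": cur.content.strip(), "by": cur.owner})
    return alerts

# Constructed sample: the user copies a BTC address from the browser; 0.4 s later an
# unrelated process rewrites the clipboard with a different BTC address (the pattern
# the article describes). Addresses are public BIP173/EIP-55 example strings, not wallets.
SAMPLE_EVENTS = [
    ClipboardEvent(10.0, "firefox.exe", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipboardEvent(10.4, "updater.exe", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    ClipboardEvent(40.0, "firefox.exe", "meeting notes for Tuesday"),
    ClipboardEvent(41.0, "notepad.exe", "0x52908400098527886E0F7030069857D2E4169EE7"),
]

if __name__ == "__main__":
    for a in detect_address_swaps(SAMPLE_EVENTS):
        print(f"ALERT: {a['family']} address replaced by {a['by']}: "
              f"{a['original']} -> {a['replacement']}")
```

Only the first pair of events trips the rule; an ordinary copy of a different address by the same user, or a non-address paste, does not.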
Kaspersky reported that the malware also collects and transmits sensitive device data—including IP addresses, locations, and usernames—to attackers via Telegram. Meanwhile, the deceptive SourceForge page is designed to resemble a legitimate developer tool, complete with office add-ins and download buttons, making it appear trustworthy in search results.
ClipBanker is also capable of scanning an infected device to determine whether it has already been installed or if antivirus software is present, and can self-delete to avoid detection.
Additionally, Kaspersky reported that some of the suspicious files in the fake download package were unusually small—an immediate “red flag”, as office applications are rarely that compact, even in compressed form.
To mislead users, other files are deliberately bloated with junk data to mimic the appearance of legitimate software installers. The cybersecurity firm also noted that attackers are using a variety of techniques, including unconventional ones, to gain and maintain access to compromised systems.
The report noted that the interface of the malicious software is in Russian, leading researchers to believe the malware may be aimed at Russian-speaking users. “Our telemetry indicates that 90% of potential victims are in Russia, where 4,604 users encountered the scheme between early January and late March,” the Kaspersky research team stated.
To reduce the risk of infection, Kaspersky advised users to download software exclusively from trusted sources, warning that pirated or unofficial versions pose greater security threats.
“Distributing malware disguised as pirated software is anything but new,” the team stated. “As users seek ways to download applications outside official sources, attackers offer their own. They keep looking for new ways to make their websites look legit.”
Michaela has no crypto positions and does not hold any crypto assets. This article is provided for informational purposes only and should not be construed as financial advice. The Shib Magazine and The Shib Daily are the official media and publications of the Shiba Inu cryptocurrency project. Readers are encouraged to conduct their own research and consult with a qualified financial adviser before making any investment decisions.