{"id":12096,"date":"2026-04-14T10:04:42","date_gmt":"2026-04-14T10:04:42","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/14\/hackers-use-fake-proxifier-installer-on-github-to-spread-clipbanker-crypto-stealing-malware\/"},"modified":"2026-04-14T10:04:42","modified_gmt":"2026-04-14T10:04:42","slug":"hackers-use-fake-proxifier-installer-on-github-to-spread-clipbanker-crypto-stealing-malware","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/14\/hackers-use-fake-proxifier-installer-on-github-to-spread-clipbanker-crypto-stealing-malware\/","title":{"rendered":"Hackers Use Fake Proxifier Installer on GitHub to Spread ClipBanker Crypto-Stealing Malware"},"content":{"rendered":"<div>\n<p>A dangerous malware campaign has been silently targeting cryptocurrency users by hiding inside a fake version of Proxifier, a popular proxy software tool. 
<\/p>\n<p>Threat actors set up a GitHub repository designed to look like a legitimate Proxifier download, but the installer bundled inside it is actually a Trojan that monitors and hijacks clipboard activity to steal crypto wallet funds.<\/p>\n<p>The 
attack begins in a very ordinary way. A user searches for \u201cProxifier\u201d on a popular search engine, and one of the top results points directly to the malicious GitHub repository. <\/p>\n<p>The project page looks genuine \u2014 it even displays source code for a basic proxy service. In the Releases section, visitors find a downloadable archive containing an executable file and a text document with software activation keys, making the whole package appear trustworthy. <\/p>\n<p>What the user does not know is that the executable is a malicious wrapper built around the genuine Proxifier installer.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgD-60m9EOVcOoWENp1NmhbFOU60CNMELBUIwBjir9EfNF3b3wk2XtCIFEetG2HlYf9hK3fUuQ_m9Lk43gsSAhVCTdWfBWdUDDmY-AbT2zGh3R9FXQefWD0R80e4onOSx7c3iJkA4Ba1HtpWZw1FNvjC9cq_sxB6HmW_oESbK3EtH81GZjy4l1xo8cvWsM\/s16000\/Search%2520results%2520showing%2520the%2520malicious%2520GitHub%2520repository%2520listed%2520among%2520the%2520top%2520results%2520for%2520%27Proxifier%27%2520%28Source%2520-%2520Securelist%29.webp?ssl=1\" alt=\"Search results showing the malicious GitHub repository listed among the top results for 'Proxifier' (Source - Securelist)\"><figcaption class=\"wp-element-caption\">Search results showing the malicious GitHub repository listed among the top results for \u2018Proxifier\u2019 (Source \u2013 Securelist)<\/figcaption><\/figure>\n<\/div>\n<p><a href=\"https:\/\/securelist.com\/clipbanker-malware-distributed-via-trojanized-proxifier\/119341\/\" id=\"https:\/\/securelist.com\/clipbanker-malware-distributed-via-trojanized-proxifier\/119341\/\" target=\"_blank\" rel=\"noreferrer noopener 
nofollow\">Securelist researchers identified this campaign<\/a> in early 2026, with analyst Oleg Kupreev noting that it had been active since the beginning of 2025. <\/p>\n<p>The researchers described the infection chain as unusually long, with multiple layered stages designed to keep the malware hidden throughout the process. <\/p>\n<p>Since early 2025, more than 2,000 users of Kaspersky security solutions have encountered this threat, with the majority of victims located in India and Vietnam.<\/p>\n<p>ClipBanker is a clipboard-hijacking Trojan built specifically to go after cryptocurrency users. Any time a victim copies a wallet address \u2014 to send funds to someone, for instance \u2014 the malware silently swaps it out with an address owned by the attackers. <\/p>\n<p>The threat covers more than 26 <a href=\"https:\/\/cybersecuritynews.com\/cybersecurity-risks-and-threats-in-blockchain-networks\/\" id=\"19039\" target=\"_blank\" rel=\"noreferrer noopener\">blockchain networks<\/a>, including Bitcoin, Ethereum, Solana, Monero, Dogecoin, TRON, Ripple, Litecoin, and many others, giving the attackers a very wide reach across different crypto ecosystems.<\/p>\n<p>What makes this campaign particularly effective is how convincingly it is packaged. The attackers have been actively pushing their malicious GitHub repository up through search engine results, making sure more users find it. <\/p>\n<p>A user downloading what appears to be free legitimate software would have no obvious reason to suspect anything \u2014 until their cryptocurrency silently disappears.<\/p>\n<h2 class=\"wp-block-heading\" id=\"inside-the-infection-chain-how-clipbanker-evades-d\"><strong>Inside the Infection Chain: How ClipBanker Evades Detection<\/strong><\/h2>\n<p>Once the user runs the trojanized installer, the malware gets to work 
immediately. Its first move is to create a small stub file \u2014 roughly 1.5 KB \u2014 in the system\u2019s temp folder, with a name that mimics a legitimate Proxifier process. <\/p>\n<p>A .NET application called\u00a0<code>api_updater.exe<\/code>\u00a0is then injected into this stub to quietly add <a href=\"https:\/\/cybersecuritynews.com\/microsoft-defender-vulnerability-allows-attackers\/\" id=\"105852\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Defender<\/a> exclusions for TMP files and the current directory. This step makes sure the following stages of the infection run without triggering any security alerts.<\/p>\n<p>While the real Proxifier installer opens in the foreground to keep the victim calm and unsuspecting, the Trojan quietly continues working in the background. <\/p>\n<p>It injects another module \u2014\u00a0<code>proxifierupdater.exe<\/code>\u00a0\u2014 which in turn pushes malicious code into\u00a0<code>conhost.exe<\/code>, a trusted Windows system utility. <\/p>\n<p>Through this process, an obfuscated <a href=\"https:\/\/cybersecuritynews.com\/vice-society-ransomware-2\/\" id=\"16203\" target=\"_blank\" rel=\"noreferrer noopener\">PowerShell script<\/a> executes directly in memory, without leaving any visible trace on the hard drive. This fileless approach is what makes the malware so difficult to detect and remove in time.<\/p>\n<p>The PowerShell script handles several key tasks: it adds PowerShell and conhost processes to Defender\u2019s exclusion list, stores an encoded script 
inside a registry key at\u00a0<code>HKLMSOFTWARESystem::Config<\/code>, and registers a scheduled task named \u201cMaintenance Settings Control Panel\u201d that activates each time the user logs in. <\/p>\n<p>The task reads the stored script, decodes it, and pulls the next payload from Pastebin-type services. <\/p>\n<p>After one final download from GitHub, the shellcode is injected into\u00a0<code>fontdrvhost.exe<\/code>, where ClipBanker begins quietly watching the clipboard for any crypto wallet address to replace.<\/p>\n<p>To stay safe, users should download software only from official and verified sources. Running a reliable, up-to-date security solution is strongly recommended, as it can stop infections before they cause real damage. <\/p>\n<p>If a paid <a href=\"https:\/\/cybersecuritynews.com\/best-cloud-security-tools\/\" id=\"11635\" target=\"_blank\" rel=\"noreferrer noopener\">security tool<\/a> is not an option, every download source should be carefully verified before any file is launched.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-use-fake-proxifier-installer-on-github\/\">Hackers Use Fake Proxifier Installer on GitHub to Spread ClipBanker Crypto-Stealing Malware<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Use Fake Proxifier Installer on GitHub to Spread ClipBanker Crypto-Stealing Malware A dangerous malware campaign has been silently targeting cryptocurrency users by hiding inside a fake version of Proxifier, a popular proxy software tool. Threat actors set up a GitHub repository designed to look like a legitimate Proxifier download, but the installer bundled inside [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-12096","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12096"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12096"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12096\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12096"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12096"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12096"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}