Fake Crypto Tools Promoted on Real News Sites Are Stealing Wallets From Windows PCs

York Computer Repair

Security researchers at Check Point disclosed a malware campaign on June 18 that goes well beyond the usual sketchy download page. Attackers are pushing trojanized Windows software through press releases on legitimate news sites, fake YouTube tutorials, social-media "ghost networks," and even manipulated VirusTotal scores — all to convince regular users the program is safe. Once installed, the malware silently swaps cryptocurrency wallet addresses copied to the clipboard, sending the victim's money to the attacker instead.

What Check Point found

Check Point Research revealed Wednesday that a campaign spreading clipboard hijacker malware lends legitimacy to its trojanized software through a sophisticated combination of social-media "ghost networks," VirusTotal vote manipulation, and press releases published on real news sites.

The lure is software that promises crypto traders and players of online gambling games a competitive edge. Check Point noted, however, that the campaign's social-engineering tactics, particularly the manipulation of VirusTotal, could just as easily serve threats against enterprises.

What makes this campaign different is the reputation laundering. Researchers said the press releases may have been placed as paid advertisements or through some form of compromise, but noted that all of them were published on the same date, April 27, 2026, and that most have since been taken down by the news organizations. A user who Googles the product name sees what looks like coverage on real news outlets, plus a clean-looking VirusTotal page, and both have been gamed.

How the malware works on a Windows PC

The payload itself is simple but effective: it constantly monitors the clipboard for cryptocurrency wallet addresses and replaces any it finds with the attacker's wallet addresses, diverting the victim's crypto transfers. The malware is written in Rust and establishes persistence with a shortcut in the Windows Startup folder.

In plain English: you copy your wallet address (or a friend's), paste it into an exchange or wallet app, and the address that actually gets pasted is the attacker's. The transfer goes through normally — to the wrong destination. Because the malicious program installs itself to run at every login, it keeps working until the PC is cleaned. If you suspect a Windows machine has been compromised by something like this, our malware and spyware cleanup service can remove the persistence entries and check for any additional payloads dropped alongside it.
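Because this family persists through a Startup shortcut, the first thing to check on a suspect PC is what those shortcuts actually launch. The script below is an added example written for this article, not code from Check Point or from the malware itself: it walks the per-user and all-users Startup folders, resolves each .lnk to its target, and flags targets that live under user-writable folders or carry no Authenticode signature (the folder list in `$suspectRoots` is an assumption about where user-level droppers typically land, not something the research states).

```powershell
# Added example: audit Startup-folder shortcuts on a Windows PC.
# Run in an elevated PowerShell prompt so the all-users folder is readable.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user
    [Environment]::GetFolderPath('CommonStartup')   # all users
)
# Assumed heuristic: a legitimate installer rarely points a startup entry at
# these user-writable locations, but user-level malware droppers often do.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC)
$shell = New-Object -ComObject WScript.Shell

$results = foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk -File -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)
        $target = $lnk.TargetPath
        $exists = [bool]($target -and (Test-Path $target))

        # Does the target sit under one of the user-writable roots?
        $userWritable = $false
        foreach ($root in $suspectRoots) {
            if ($root -and $target -like "$root*") { $userWritable = $true }
        }

        # Unsigned binaries deserve a closer look; a signed one is not proof of safety.
        $sig = 'n/a'
        if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $target).Status }

        [PSCustomObject]@{
            Shortcut     = $_.Name
            Created      = $_.CreationTime   # compare with when the "tool" was installed
            Target       = $target
            Arguments    = $lnk.Arguments
            TargetExists = $exists
            UserWritable = $userWritable
            Signature    = $sig
        }
    }
}

# Most suspicious entries first: user-writable target and not signed.
$results |
    Sort-Object @{Expression='UserWritable'; Descending=$true}, Signature |
    Format-Table -AutoSize
```

Entries whose target is an unsigned executable under AppData or Temp, created around the time the "crypto helper" was installed, are the ones to quarantine and investigate; the same review should be repeated for the Run registry keys and Scheduled Tasks, which this script does not cover.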

Check Point also warned that this same playbook can be repurposed. "These techniques can also be abused by other types of actors distributing and promoting information stealers or other malware families, which can eventually lead to full ransomware compromises in more mature environments," the researchers wrote — meaning the same fake-reputation tricks could just as easily push info-stealers or ransomware at small businesses.

Why "it had good reviews" is no longer a safe test

Most non-technical users vet a download with two quick checks: does Google show legitimate-looking articles about it, and does VirusTotal flag it? This campaign defeats both. The press releases on real news sites produced clean-looking search results, and the VirusTotal score was artificially inflated by vote manipulation. A single Telegram contact ties the operation together: the public campaigns all lead back to the Telegram username JoseCmanXD, who is listed as the main contact on the phishing site and YouTube channel and as the founder of "Decryptor" in the press release.

Practical guidance for Windows users: stick to vendor websites you typed in yourself, avoid "free" trading bots and game cheats entirely, and before sending any crypto transfer, verify the first and last six characters of the destination address after pasting. If anything looks off — slow performance, unfamiliar startup entries, browser oddities — get the machine looked at. A slow or misbehaving PC can also be a symptom of unrelated hardware aging, in which case an SSD or memory upgrade is the right fix rather than a reformat.

What This Means for York, PA

If you bought or installed any "crypto helper," trading bot, or game-cheat tool on a Windows PC in the last couple of months — or a family member did — bring it in to our York shop on Carlisle Road for a malware scan before you move any money. We can also help you set up a clean user account and verify nothing is silently launching at startup.

Sources

Computer trouble in York, PA? Walk in or call us.

2069 Carlisle Rd, York, PA 17408 • Walk-ins welcome
