An unknown threat actor has been observed leveraging paid or promoted posts on legitimate news websites to drum up buzz for their warez, according to new findings from Check Point Research.
The threat actor also has at their disposal a dedicated WordPress phishing page that acts as the central hub, alongside GitHub and SourceForge projects promoted by fake accounts, a YouTube channel, and a cluster of accounts that engage in coordinated activity on VirusTotal with the intent to misclassify malicious files as safe.
"To push a malicious 'tool,' a single threat actor borrowed the same playbook legitimate brands use to build buzz: inflated download counts, coordinated five-star reviews, influencer-style tutorial videos, and promotion on platforms people instinctively trust," Check Point said in a report shared with The Hacker News. "The result is a fake reputation economy spanning every platform a curious victim might check before they click 'download.'"
The end goal of the campaign is to push a cryptocurrency clipboard hijacker that's concealed within Solana and Pump.fun sniper bots and crash-game predictors, suggesting that cryptocurrency asset holders and online gamblers on the hunt for shortcuts and quick profits are the targets.
The Rust-based clipper targets both Windows and macOS systems, and continuously monitors the clipboard for content that matches a cryptocurrency wallet address pattern. When a match is found, the malware substitutes the wallet address with an attacker-controlled address pulled from a hard-coded list, effectively routing the digital assets to them.
What's notable about the activity is the use of Ghost Networks to poison reputation-driven systems like VirusTotal, aiming to reduce suspicion and increase victims' trust in the malicious files through a combination of upvotes and highly positive comments.