Crypto Clipper Campaign Exploits Fake Reviews and AI Narrators

A recent campaign has been uncovered that uses deceptive tactics to promote a cryptocurrency clipboard hijacker, targeting unsuspecting users through manipulated online platforms.

An unknown threat actor has been observed utilizing paid or promoted posts on legitimate news websites to generate interest in their malicious software, according to findings from Check Point Research. This campaign employs a dedicated WordPress phishing page as a central hub, alongside projects on GitHub and SourceForge, all promoted by fake accounts. Additionally, a YouTube channel and a network of accounts engage in coordinated activity on VirusTotal to misclassify harmful files as safe.

Deceptive Marketing Tactics

The campaign aims to distribute a cryptocurrency clipboard hijacker concealed within tools like Solana and Pump.fun sniper bots, targeting cryptocurrency holders and online gamblers. The malware, written in Rust, is designed for both Windows and macOS systems, continuously monitoring the clipboard for cryptocurrency wallet addresses. When it detects a match, it replaces the wallet address with one controlled by the attacker, redirecting digital assets to them.
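A defender-side way to reason about the behaviour just described is to compare what a user copied with what an application later reads back: a clipper leaves the address format intact and changes only the value. The following is an added Python example, not code from Check Point's report or from the campaign's malware; the address patterns are format heuristics (no checksum validation) and the clipboard events are constructed sample data.

```python
import re
from dataclasses import dataclass

# Format heuristics for the address kinds the campaign targets. These are
# assumptions for the example: real validators also verify checksums.
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
BTC_RE = re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")
SOL_RE = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")  # base58, 32-44 chars


def classify(text: str):
    """Return 'eth', 'btc', 'sol' or None for a clipboard string.
    BTC is tested before SOL because a legacy base58 BTC address can
    also satisfy the looser Solana length/alphabet rule."""
    text = text.strip()
    if ETH_RE.match(text):
        return "eth"
    if BTC_RE.match(text):
        return "btc"
    if SOL_RE.match(text):
        return "sol"
    return None


@dataclass
class ClipEvent:
    kind: str   # "copy": the user placed text; "read": an application read it back
    text: str


def detect_swap(events):
    """Flag read-backs whose address kind matches the last copied text but
    whose value differs. A benign paste returns the same string; a clipper
    substitutes another address of the same chain."""
    findings = []
    last_copied = None
    for ev in events:
        if ev.kind == "copy":
            last_copied = ev.text.strip()
        elif ev.kind == "read" and last_copied is not None:
            copied_kind = classify(last_copied)
            read_kind = classify(ev.text)
            if copied_kind and read_kind == copied_kind and ev.text.strip() != last_copied:
                findings.append({"chain": copied_kind,
                                 "copied": last_copied,
                                 "read": ev.text.strip()})
    return findings


def sample_events():
    """Constructed clipboard history: two benign round trips and two swaps."""
    eth_a = "0x" + "1" * 40
    eth_b = "0x" + "2" * 40
    sol_a = "So1anaExamp1eAddress" + "A" * 24   # 44 base58 chars, constructed
    sol_b = "So1anaExamp1eAddress" + "B" * 24
    return [
        ClipEvent("copy", eth_a), ClipEvent("read", eth_a),   # unchanged: benign
        ClipEvent("copy", eth_a), ClipEvent("read", eth_b),   # same chain, new value
        ClipEvent("copy", "meeting at 10"), ClipEvent("read", "meeting at 10"),
        ClipEvent("copy", sol_a), ClipEvent("read", sol_b),   # same chain, new value
    ]


if __name__ == "__main__":
    for f in detect_swap(sample_events()):
        print(f"clipboard swap on {f['chain']}: {f['copied']} -> {f['read']}")
```

Only the two same-chain substitutions are reported; plain text and unchanged addresses pass through silently, which keeps the check quiet on normal clipboard use.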

Manipulating Trust Signals

Notably, the campaign employs Ghost Networks to manipulate reputation systems such as VirusTotal, using upvotes and positive comments to create a false sense of security around the malicious files. The threat actor operates at least six GitHub accounts to cross-promote their malware, with one repository boasting 146 stars and 62 forks, indicating synthetic engagement.

Suspicious Download Metrics

On SourceForge, the download count for the software reached 44,485, with an implausible 37,460 downloads allegedly from Android devices, despite the software being available only for Windows and macOS. This discrepancy suggests the use of an Android farm to inflate download statistics artificially. Furthermore, the software is promoted through a YouTube channel with over 91,000 subscribers, featuring AI-generated narrators and positive comments to enhance its perceived legitimacy.

Press Release Manipulation

Interestingly, the threat actor also utilized a press release distribution service, EIN Presswire, to market their tool’s capabilities. This press release has been disseminated across partner news websites, including the USA TODAY Network. Check Point noted that this manipulation of sentiment and reputation across crowd-sourced platforms signifies a shift in how attackers build trust, potentially enabling the distribution of more harmful software in the future.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
