Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments

Summary

An unknown threat actor is employing a sophisticated campaign to distribute a cryptocurrency clipboard hijacker. They are using paid news posts, fake reviews, AI-generated narrator videos on YouTube, and coordinated activity on VirusTotal and GitHub to build a false reputation for their malicious tools, which are disguised as Solana and Pump.fun sniper bots.

Full text

Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments Ravie LakshmananJun 17, 2026Malware / Social Engineering An unknown threat actor has been observed leveraging paid or promoted posts on legitimate news websites to drum up buzz for their warez, according to new findings from Check Point Research. The threat actor also has at their disposal a dedicated WordPress phishing page that acts as the central hub, alongside GitHub and SourceForge projects promoted by fake accounts, a YouTube channel, and a cluster of accounts that engage in coordinated activity on VirusTotal with the intent to misclassify malicious files as safe. "To push a malicious 'tool,' a single threat actor borrowed the same playbook legitimate brands use to build buzz: inflated download counts, coordinated five-star reviews, influencer-style tutorial videos, and promotion on platforms people instinctively trust," Check Point said in a report shared with The Hacker News. "The result is a fake reputation economy spanning every platform a curious victim might check before they click 'download.'" The end goal of the campaign is to push a cryptocurrency clipboard hijacker that's concealed within Solana and Pump.fun sniper bots and crash-game predictors, suggesting that cryptocurrency asset holders and online gamblers on the hunt for shortcuts and quick profits are the targets. The Rust-based clipper targets both Windows and macOS systems, and continuously monitors the clipboard for content that matches a cryptocurrency wallet address pattern. When a match is found, the malware substitutes the wallet address with an attacker-controlled address pulled from a hard-coded list, effectively routing the digital assets to them. What's notable about the activity is the use of Ghost Networks to poison reputation-driven systems like VirusTotal, aiming to reduce suspicion and increase victims' trust in the malicious files through a combination of upvotes and highly positive comments. This behavior also extends to GitHub, where the threat actor operates at least six GitHub accounts to cross-promote and distribute their malware. These synthetically boosted signals are designed to lull users into a false sense of security and trust. One such repository has 146 stars and 62 forks. "On SourceForge, the download counter reached 44,485, with a suspicious 37,460 supposedly originating from Android devices, despite the developer only offering Windows and macOS versions," Check Point explained. "A plausible explanation is the use of an Android farm to artificially inflate the download count on SourceForge." Furthermore, the software solutions are promoted through a dedicated YouTube channel with over 91,000 subscribers. The channel was created in July 2020, with the operators claiming that it's "strictly for educational purposes only." The tutorial-style videos feature AI‑generated narrators and positive comments to reinforce the illusion of popularity and trustworthiness. Perhaps the most unusual aspect of the campaign is the threat actor's use of a press release distribution service like EIN Presswire to market their tool's purported capabilities. The press release has since been syndicated across the service's partner news websites, primarily the USA TODAY Network. "Manipulating sentiment and reputation across crowd-sourced platforms marks a meaningful shift in how attackers build trust," Check Point said. "The same playbook of fake reputation and aggressive cross-platform promotion can easily distribute information stealers or ransomware to higher-value targets over time." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cryptocurrency, GitHub, Malware, Social Engineering, SourceForge, VirusTotal, WordPress, YouTube ⚡ Top Stories This Week Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check

Indicators of Compromise

• malware — Rust-based clipper

Entities