A threat actor is running a crypto clipper malware campaign using fake reviews on legitimate news sites, AI-generated YouTube content, and GitHub/SourceForge projects to lend credibility to malicious software. The campaign uses a WordPress phishing hub and VirusTotal comment sections to spread links, targeting users into downloading malware that silently replaces cryptocurrency wallet addresses to redirect funds. This matters because it abuses trusted platforms to evade detection and build false legitimacy.

Security Architect’s Take: Review your organisation’s endpoint controls and browser security policies to detect clipboard-manipulation malware; ensure developer workstations have application allowlisting and block untrusted executables sourced from GitHub or SourceForge without internal vetting. Consider adding VirusTotal comment sections and YouTube to your threat intelligence monitoring for emerging malware distribution channels.

Original advisory: Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments