Rust Clipboard Hijacker Abuses GitHub and VirusTotal

Pulse ID: 6a369bedfce92de92c80fa34
Pulse Link: https://otx.alienvault.com/pulse/6a369bedfce92de92c80fa34
Pulse Author: cryptocti
Created: 2026-06-20 13:55:57

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Clipboard #CyberSecurity #GitHub #InfoSec #OTX #OpenThreatExchange #Rust #VirusTotal #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Crypto Clipper uses Tor and worm-like propagation for persistence and control

A Windows-based cryptocurrency clipper has been actively targeting users since February 2026, employing sophisticated techniques to steal digital assets. The malware propagates through malicious shortcut files on USB devices, creating a worm-like infection chain. Once deployed, it utilizes Windows Script Host and ActiveX to launch a bundled Tor proxy client, enabling anonymous communication with hidden-service command and control servers. The clipper performs high-frequency clipboard monitoring to intercept cryptocurrency wallet addresses, seed phrases, and private keys, replacing them with attacker-controlled alternatives. Additionally, it captures screenshots for context and maintains persistent access through scheduled tasks. The threat demonstrates advanced capabilities including remote code execution, making it more than a simple stealer by functioning as a lightweight backdoor. The malware employs multiple defense evasion techniques including multi-layer obfuscation, anti-analysis checks, and local S...

Pulse ID: 6a33628ba6068a0dfc61732a
Pulse Link: https://otx.alienvault.com/pulse/6a33628ba6068a0dfc61732a
Pulse Author: AlienVault
Created: 2026-06-18 03:14:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Clipboard #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #Proxy #RAT #RCE #RemoteCodeExecution #Troll #USB #Windows #Worm #bot #cryptocurrency #AlienVault

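The clipper described in the pulse above works by polling the clipboard at high frequency and overwriting any wallet address it finds with an attacker-controlled one. A defender can look for exactly that signature: a clipboard update in which a wallet-looking value is replaced by a different wallet-looking value of the same family, set by a different process than the one that copied it, within a fraction of a second. The following Python script is an added example and not code from the pulse or from the referenced report; the `ClipEvent` records, the process names and the sample addresses are constructed, and `owner` stands in for what a Windows monitor would obtain from `GetClipboardOwner` followed by `GetWindowThreadProcessId`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Loose format checks for the address families clippers most often swap.
# These are format checks only (constructed patterns); they do not validate checksums.
WALLET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def wallet_kind(text: str) -> Optional[str]:
    """Return the address family `text` looks like, or None if it is not an address."""
    candidate = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None


@dataclass
class ClipEvent:
    ts: float      # seconds since the monitor started
    content: str   # clipboard text after this update
    owner: str     # process that set the clipboard (hypothetical field; from the clipboard owner window on Windows)


def detect_swaps(events: List[ClipEvent], max_gap: float = 2.0) -> List[dict]:
    """Flag consecutive clipboard updates that look like clipper substitution:
    same address family, different value, different owning process, and the
    replacement landed within `max_gap` seconds of the original copy."""
    alerts: List[dict] = []
    for prev, cur in zip(events, events[1:]):
        kind = wallet_kind(prev.content)
        if kind is None or wallet_kind(cur.content) != kind:
            continue  # not a same-family address-to-address change
        if prev.content.strip() == cur.content.strip():
            continue  # same value rewritten; harmless
        if cur.owner == prev.owner:
            continue  # the copying application updated its own clipboard entry
        if cur.ts - prev.ts > max_gap:
            continue  # too slow for a polling clipper; more likely a genuine second copy
        alerts.append({
            "ts": cur.ts,
            "kind": kind,
            "owner": cur.owner,
            "original": prev.content.strip(),
            "replacement": cur.content.strip(),
        })
    return alerts


# Constructed clipboard history. The two bc1 addresses are the well-known BIP-173
# documentation examples; the hex addresses are synthetic filler.
SAMPLE_EVENTS: List[ClipEvent] = [
    ClipEvent(0.0, "hello world", "explorer.exe"),
    ClipEvent(5.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq", "chrome.exe"),   # user copies an address
    ClipEvent(5.3, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4", "wscript.exe"),  # 300 ms later, another process rewrites it
    ClipEvent(20.0, "0x" + "ab" * 20, "chrome.exe"),
    ClipEvent(20.1, "0x" + "ab" * 20, "chrome.exe"),                             # same value re-set by the same app
    ClipEvent(40.0, "0x" + "cd" * 20, "chrome.exe"),                             # a genuine second copy, same owner
]


def run_demo() -> List[dict]:
    """Run the detector over the constructed history and return the alerts."""
    return detect_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"[{alert['ts']:.1f}s] {alert['kind']} address replaced by {alert['owner']}: "
              f"{alert['original']} -> {alert['replacement']}")
```

On the constructed history only the `wscript.exe` rewrite is reported; the same-owner and same-value updates are not. The owner heuristic is deliberately conservative: a user who copies two different addresses from two different applications within two seconds would also trigger it, so in production the alert should be correlated with the owning process's reputation (an unsigned script host or a binary launched from a USB shortcut, as in the pulse, is a much stronger signal than a browser).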

Crypto Clipper uses Tor and worm-like propagation for persistence and control - https://www.redpacketsecurity.com/crypto-clipper-uses-tor-and-worm-like-propagation-for-persistence-and-control/

#threatintel
#crypto-clipper
#malware-analysis
#tor
#clipboard-theft
#wallet-attack

Crypto Clipper uses Tor and worm-like propagation for persistence and control - RedPacket Security

Microsoft Threat Intelligence and Microsoft Defender Experts identified a Windows-based cryptocurrency clipper that has affected users since February of 2026.

RedPacket Security

A New Android Banking Trojan Capable of Full Device Takeover

Rokarolla is a newly discovered Android banking trojan targeting 217 banking and cryptocurrency apps using 137 remote commands, enabling credential theft, SMS interception, clipboard hijacking, screen surveillance and complete device takeover by remote operators.

Pulse ID: 6a31e2e365dfe98aa223a2d0
Pulse Link: https://otx.alienvault.com/pulse/6a31e2e365dfe98aa223a2d0
Pulse Author: cryptocti
Created: 2026-06-16 23:57:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #Bank #BankingTrojan #Clipboard #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #RCE #SMS #Trojan #bot #cryptocurrency #cryptocti


Android Banker with Complete Device Takeover Capabilities

A newly identified Android banking trojan named Rokarolla has been discovered, distributed through malicious websites masquerading as popular applications like TikTok or Google Chrome. The malware targets 217 distinct cryptocurrency and banking applications using 137 sophisticated commands for device control. Capabilities include harvesting lock screen credentials, exfiltrating contact lists and SMS data, deploying keyloggers, blocking calls, creating fraudulent screen overlays, and disabling Google Play Protect. The infection begins with a dropper impersonating Google Play Protect that installs a secondary payload. Rokarolla communicates with C2 infrastructure via HTTPS, uses overlays to steal banking credentials and device unlock patterns, silently monitors WhatsApp contacts, hijacks SMS and calls, manipulates clipboard content for cryptocurrency theft, and employs snapshot-based screen surveillance. It maintains persistence by hiding its icon, muting device audio, and keeping screens active indefinitely.

Pulse ID: 6a315d684f0c09972ddea652
Pulse Link: https://otx.alienvault.com/pulse/6a315d684f0c09972ddea652
Pulse Author: AlienVault
Created: 2026-06-16 14:27:52

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #Bank #BankingTrojan #Chrome #Clipboard #CyberSecurity #Google #GooglePlay #HTTP #HTTPS #InfoSec #KeyLogger #Malware #OTX #OpenThreatExchange #RAT #SMS #Trojan #WhatsApp #bot #cryptocurrency #AlienVault


SilabRAT, What's Your Power?

SilabRAT is an advanced Remote Access Trojan offered as Malware-as-a-Service on Darkweb forums since late 2025, developed by threat actor o1oo1 and sold for $5,000 monthly. This financially-motivated tool focuses on credential theft and cryptocurrency operations, featuring Hidden Virtual Network Computing for invisible remote control, browser profile cloning to bypass session protections, and automated cryptocurrency wallet password cracking. The RAT bypasses Chrome App-Bound Encryption, performs session hijacking, and includes keylogging, clipboard monitoring, and remote desktop capabilities. Distributed through phishing and ClickFix campaigns with operator-hosted infrastructure, SilabRAT uses ChaCha20-Poly1305 encryption for command-and-control communications. The developer also offers AsmCrypt, a companion crypter service, creating a complete malware bundle from evasion to execution and remote control.

Pulse ID: 6a2951665d658e753b489765
Pulse Link: https://otx.alienvault.com/pulse/6a2951665d658e753b489765
Pulse Author: AlienVault
Created: 2026-06-10 11:58:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #ChaCha20 #Chrome #Clipboard #CyberSecurity #Encryption #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #Password #Phishing #RAT #RemoteAccessTrojan #Trojan #Word #bot #cryptocurrency #AlienVault


Ship log for Yank, week of Jun 8:

• Silent auto-update on launch (Tauri v2 updater + signing key, losing that key is one-way, by the way)
• Subtle GitHub Issues link in the Tweaks panel
• v0.7.35 released

Deliberately taking a polish-week before the next big feature. A clipboard manager earns trust by being boring most of the time.

https://tryyank.com · MIT

#rust #tauri #foss #opensource #devtools #clipboard

Yank — Clipboard Manager with Natural-Language Search · Mac, Windows, Linux

Yank is a free, open-source, local-first clipboard manager with semantic + fuzzy search. Find any clip — text, code, images, colors, links — by describing it in plain English. Available for macOS, Windows, and Linux.

Yank

If your #Windows #Clipboard suddenly isn't working anymore and you are using the #OSS catastrophe known as #Gimp 3, close it and see if that fixes it.

I just wasted a decent amount of time figuring that one out. Gimp can break the Windows clipboard while it's open.

I got tired of cleaning up URLs of tracking nonsense before sending them to friends so I made a utility that turned into so much more. Check out ClpbrdPlus on the #Mac #AppStore at https://ytl.is/ClpbrdPlus #tracking #share #clipboard #utility #privacy

ClickFix Deno Abuse to CastleRAT

Activity began with a ClickFix-style social engineering chain that led to MSI execution, PowerShell staging, and installation/use of Deno to run attacker-controlled JavaScript. Follow-on activity downloaded a portable Python runtime, `install.pyc`, and an encrypted `.MOa` container, which was later decrypted to recover a 64-bit Windows PE payload. Analysis of the recovered payload showed Steam Community being used as a dead-drop resolver for C2, with the profile title resolving to `smokeenew[.]com`, while `ip-api.com` was used for victim network/geolocation profiling. The payload also contained logic for browser/wallet data collection, clipboard/keylogging-related capabilities, Defender exclusions, UAC bypass/relaunch behavior through `ComputerDefaults.exe`, and a C2-tasked mechanism to receive and install an additional `Krutyak.zip` / `usbmmidd_v2` component. Recommendations: Block artifacts where applicable.

Pulse ID: 6a21aa7db4b7cf1351f27cb6
Pulse Link: https://otx.alienvault.com/pulse/6a21aa7db4b7cf1351f27cb6
Pulse Author: AlienVault
Created: 2026-06-04 16:40:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Clipboard #CyberSecurity #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PowerShell #Python #RAT #SocialEngineering #Steam #Troll #USB #Windows #ZIP #bot #AlienVault
