Rust Crypto Clipper Malware — Fake GitHub Stars Campaign
Summary
An active malware campaign discovered by Check Point Research in June 2026 distributes a Rust-based cryptocurrency clipboard hijacker for Windows and macOS disguised as crypto trading tools and gambling predictors. The operation manufactured false legitimacy through coordinated fake GitHub star networks, AI-narrated YouTube tutorials, inflated VirusTotal ratings, and a SourceForge page showing over 44,000 downloads, achieving more than 5,000 confirmed genuine GitHub downloads. The clipper silently replaces copied wallet addresses with attacker-controlled addresses drawn from an embedded list of over 15,500 addresses, primarily Bitcoin.
Connected Entities
1 entity · 10 linked investigations
Timeline (7 events)
2019-01-01
Threat actor operating under the handle '@JoseCmanXD' first identified as active on a hacking forum. Exact date within 2019 not specified in public reporting.
Check Point Research
2020-07-01
YouTube channel later used to promote the malware campaign was created. Exact date within July 2020 not specified.
Check Point Research
2022-01-01
Actor '@JoseCmanXD' posted thread on a hacking forum titled 'BLACKHAT | Bitcoin Stealer | Advanced Builder | Tutorial | Clipper [Address Changer]+Re-Fud method,' sharing a malicious crypto-related tool. Exact date within 2022 not specified.
Check Point Research
2026-04-27
Coordinated promotional articles promoting the malicious tools were published simultaneously across multiple legitimate news websites, distributed via EIN Presswire and syndicated to USA TODAY Network partner outlets.
Check Point Research
2026-06-18
GBHackers and Infosecurity Magazine publish coverage of the campaign based on Check Point findings.
Infosecurity Magazine
2026-06-19
Check Point Research publishes full technical report 'From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker,' disclosing the campaign with indicators of compromise. Help Net Security also publishes coverage.
Check Point Research
2026-06-19
The Hacker News and Cybersecurity News publish coverage of the campaign, expanding public awareness of the malicious GitHub accounts, SourceForge page, and YouTube channel.
The Hacker News
Decision Log
- hash: 94EexPUQxmTwt9cRYNU3KfsDSWY3SFoAVjtKhxwgTZTz
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/21/2026, 5:33:05 PM
last updated: 6/21/2026, 5:33:17 PM
avoid.net — verified advice for a post-truth world