VYPR
Research · Published Jun 17, 2026 · 1 source

Fake Solana Bots and Crash Predictors Push Rust Clipboard Hijacker via GitHub, SourceForge, and YouTube

A Rust-based clipboard hijacker campaign is luring cryptocurrency traders and online gamblers with fake sniper bots and crash predictors promoted through GitHub, SourceForge, and AI-generated YouTube content.

Check Point Research has uncovered a sophisticated Rust-based clipboard hijacker campaign that targets cryptocurrency users and online gamblers. The operation, tracked by the researchers, relies on a multi-platform social engineering strategy to distribute malware disguised as legitimate trading tools. The attack begins with a dedicated WordPress phishing page that promotes fake Solana sniper bots, Pump.fun automated trading tools, and Aviator crash-game predictors, all promising unfair advantages to users chasing quick profits.

The threat actor has built an extensive cross-platform ecosystem to lend credibility to these fraudulent tools. At least six GitHub accounts and several SourceForge projects host the malicious binaries, with artificially inflated star counts, forks, and download numbers generated by networks of fake accounts. A YouTube channel featuring AI-generated narrators and suspicious view spikes further reinforces the illusion of legitimacy, alongside coordinated comments that appear to be from real users.

The social engineering extends to VirusTotal, where some samples from this campaign have received benign votes and "safe" comments from fake accounts. This manipulation, combined with the malware's low initial detection rate, creates a false impression of safety that can mislead both end users and reputation-based detection systems. Additionally, the actor has promoted these tools through paid or compromised posts on legitimate news websites, placing the malware alongside trusted content.

Once victims download and execute the promised tool, they receive a Rust-based clipboard hijacker compiled for both Windows and macOS. The binary establishes persistence on the infected machine and continuously monitors the system clipboard for strings that match cryptocurrency wallet address patterns. When detected, the malware automatically replaces the victim's intended wallet address with an attacker-controlled address from a large embedded list, redirecting cryptocurrency payments to the threat actor's wallets.
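The substitution described above leaves a recognizable trace in clipboard history: one wallet-format string replaced by a different string of the same format faster than a person could copy a second address. The following detection sketch is an added example, not code from Check Point's research; the address patterns cover only three chains, and the one-second threshold, the event format, and all sample addresses are assumptions constructed for illustration.

```python
import re

# Public address formats for three chains; a small set chosen for this example.
PATTERNS = [
    ("eth", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("btc", re.compile(r"bc1[02-9ac-hj-np-z]{39,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34}")),
    ("sol", re.compile(r"[1-9A-HJ-NP-Za-km-z]{32,44}")),  # checked last: overlaps legacy BTC
]

def classify(text):
    """Return the address family when the whole clipboard text is one address."""
    value = text.strip()
    for family, pattern in PATTERNS:
        if pattern.fullmatch(value):
            return family
    return None

def find_swaps(events, max_gap=1.0):
    """Scan time-ordered (seconds, clipboard_text) observations and report every
    address replaced by a different same-family address within max_gap seconds."""
    alerts, prev = [], None
    for ts, text in events:
        value, family = text.strip(), classify(text)
        if (prev and family and family == prev["family"]
                and value != prev["value"] and ts - prev["ts"] <= max_gap):
            alerts.append({"family": family, "copied": prev["value"],
                           "replaced_by": value, "gap": round(ts - prev["ts"], 3)})
        prev = {"ts": ts, "family": family, "value": value}
    return alerts

# Constructed addresses and timeline, not indicators from the campaign.
ETH_A, ETH_B = "0x" + "a1" * 20, "0x" + "b2" * 20
SOL_A, SOL_B = "4Nd1m" * 8, "9xQeW" * 8
SAMPLE = [
    (0.0, "hello"),
    (10.0, ETH_A),   # user copies a payee address
    (10.2, ETH_B),   # different address 0.2 s later: flagged
    (60.0, SOL_A),
    (95.0, SOL_B),   # 35 s later: plausibly a second manual copy, not flagged
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE):
        print(alert)
```

The time threshold trades false positives against misses, so an alert is a prompt to compare the pasted address with the intended one rather than proof of infection.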

The attacker-controlled wallets have already received multiple transactions, indicating significant illicit gains from the campaign. The researchers estimate that over 5,000 downloads have occurred from GitHub alone, with more than 1,250 of those associated with the macOS version of the Aviator Predictor tool. This demonstrates the campaign's broad reach across both major desktop operating systems and its focus on users who are actively seeking automated trading and gambling advantages.

The campaign's multi-platform approach represents an evolution in social engineering tactics for malware distribution. By leveraging fake reputation signals across GitHub, SourceForge, YouTube, and VirusTotal simultaneously, the threat actor creates a convincing veneer of legitimacy that is difficult for users to verify independently. Check Point's research underscores the growing sophistication of cryptocurrency-targeting campaigns and the need for users to vet software sources carefully, particularly when promises of automated profits are involved.

Synthesized by Vypr AI