Fake Proxifier GitHub Installer Drops Multi-Stage ClipBanker Malware

A Trusted Tool Becomes a Trojan Horse

Imagine searching for a legitimate piece of software, finding it on a trusted platform like GitHub, and installing it only to discover you’ve been thoroughly compromised. That’s the precise scenario unfolding for users seeking the Proxifier proxy utility. A sophisticated campaign is using a counterfeit Proxifier installer hosted on GitHub as the initial payload in a long and deceptive infection chain, ultimately delivering a dangerous cryptocurrency-stealing malware known as ClipBanker. The operation is a masterclass in social engineering, leveraging the reputation of both a useful tool and a major code repository to bypass user suspicion.

The Deceptive GitHub Landing Page

The attack begins with a simple search. A user looking for “Proxifier” is directed to a GitHub repository that, on the surface, appears completely normal. It mimics a genuine software project, complete with release files that seem to offer the installer and a helpful text file containing activation keys. This attention to detail is what makes the trap so effective; the package looks useful and legitimate, disarming the careful scrutiny that might be applied to a download from a more obscure corner of the web.

Once executed, the installer doesn’t just install Proxifier. Its first priority is to systematically weaken the system’s defenses. It creates a small temporary file, injects code into it, and uses this “donor” process to launch a hidden PowerShell script. The script’s mission is critical: add exclusions in Microsoft Defender for temporary files and the installer’s own folder. By doing this upfront, the malware ensures its subsequent activities fly under the radar of the built-in antivirus, a clever and calculated first move.

The Multi-Stage Infection Unfolds

After this initial fortification, the Trojan displays a key piece of misdirection. It launches the *real* Proxifier installer. The user sees the expected software installing and functioning normally, which effectively eliminates any immediate alarm. While the victim is placated by a working program, the real attack continues in the background, hidden from view.

The malware creates another donor process, injects a second module, and uses it to trigger a system utility that runs yet another obfuscated script. These scripts have straightforward, malicious goals: they further expand the Defender exclusions, store an encoded PowerShell command in the Windows Registry, and schedule a task to run more malicious code later. This layered approach, where each stage sets up the next, makes the entire operation resilient and difficult to trace.

From Scheduled Task to In-Memory Payload

The scheduled task acts as the next link in the chain. It reads the encoded command from the registry, decodes it, and executes it via PowerShell. This stage then reaches out to hardcoded online locations, including GitHub and Pastebin-style services, to download another large, obfuscated script. After more decoding, this script finally executes the ultimate payload entirely in memory.
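The three persistence artifacts described in the last few paragraphs (Defender exclusions for temporary and installer folders, an encoded PowerShell command stored in the registry, and a scheduled task that decodes and runs it) are all things a responder can enumerate from the host. The triage script below is an added example written for this page; it is not code from the article or from Kaspersky, and the registry keys it checks, the "suspicious" path roots and the token patterns it matches on are assumptions chosen for illustration rather than indicators from the campaign. Run it in an elevated PowerShell session on the suspect machine.

```powershell
# Added example, not from the article: enumerate the artifact shapes described above.
# Paths, keys and patterns below are assumptions for illustration, not campaign IoCs.

# 1. Defender exclusions that cover temp or other user-writable locations.
function Get-SuspiciousDefenderExclusions {
    $pref = Get-MpPreference
    $suspectRoots = @('\Temp\', '\AppData\', '\Users\Public\', '\Downloads\')  # assumed list
    foreach ($entry in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if (-not $entry) { continue }
        foreach ($root in $suspectRoots) {
            if ($entry -like "*$root*") {
                [pscustomobject]@{ Kind = 'DefenderExclusion'; Value = $entry }
                break
            }
        }
    }
}

# 2. Registry values holding a long Base64 blob that decodes to UTF-16LE PowerShell,
#    which is the shape of a stored -EncodedCommand payload.
function Test-EncodedPowerShell {
    param([string]$Value)
    if ($Value -notmatch '^[A-Za-z0-9+/=]{60,}$') { return $false }
    try { $bytes = [Convert]::FromBase64String($Value) } catch { return $false }
    $text = [Text.Encoding]::Unicode.GetString($bytes)
    # Tokens common in decoded loaders; assumed heuristic, tune for your environment.
    return [bool]($text -match '(?i)iex|Invoke-|DownloadString|FromBase64String|\$')
}

function Get-EncodedRegistryValues {
    # The article does not name the key the malware writes; autorun keys are a starting point.
    param([string[]]$Keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    ))
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and (Test-EncodedPowerShell $p.Value)) {
                [pscustomobject]@{ Kind = 'RegistryValue'; Value = "$key\$($p.Name)" }
            }
        }
    }
}

# 3. Scheduled tasks whose action launches PowerShell with an encoded command
#    or reads a command back out of the registry.
function Get-EncodedPowerShellTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '(?i)powershell|pwsh' -and
                $cmd -match '(?i)\s-(e|ec|enc|encodedcommand)\s|Get-ItemProperty|HK(LM|CU)') {
                [pscustomobject]@{
                    Kind  = 'ScheduledTask'
                    Value = "$($task.TaskPath)$($task.TaskName): $cmd"
                }
            }
        }
    }
}

# Collect the findings from all three checks into one report.
$findings = @(Get-SuspiciousDefenderExclusions) +
            @(Get-EncodedRegistryValues) +
            @(Get-EncodedPowerShellTasks)
$findings | Format-Table -AutoSize
```

Each function emits one object per finding, so the report can be piped to `Export-Csv` or fed into a SIEM. A hit in all three checks on the same host is a strong signal that the chain described here, or something built the same way, has completed its persistence stage; a single Defender exclusion for a temp folder is worth investigating on its own.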

This final payload is ClipBanker, a clipboard hijacker written in C++. Its function is simple yet devastating for cryptocurrency users. It runs silently, monitoring the system clipboard for any text that resembles a cryptocurrency wallet address. When it detects one, it silently replaces it with an address controlled by the attacker. The user, believing they are copying a legitimate address to send funds, instead pastes the thief’s address, irrevocably diverting the transaction.
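Because the swap happens between the copy and the paste, the simplest user-side check is to compare the address that was copied with what is in the clipboard just before pasting. The snippet below is an added example for this page, not code from the article or from Kaspersky; its address regexes are approximate shapes for the networks named here, assumed for illustration, and they will not validate checksums.

```powershell
# Added example, not from the article: detect an address-to-address clipboard swap.
# Patterns are rough address shapes (assumed), not full validation.
$script:AddressPatterns = [ordered]@{
    'Bitcoin (legacy)' = '^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$'
    'Bitcoin (bech32)' = '^bc1[ac-hj-np-z02-9]{39,59}$'
    'Ethereum'         = '^0x[0-9a-fA-F]{40}$'
    'Monero'           = '^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$'
    'TRON'             = '^T[1-9A-HJ-NP-Za-km-z]{33}$'
    'Solana'           = '^[1-9A-HJ-NP-Za-km-z]{32,44}$'   # broadest shape, checked last
}

# Return the network name whose shape the text matches, or $null.
function Get-AddressNetwork {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    $t = $Text.Trim()
    foreach ($name in $script:AddressPatterns.Keys) {
        if ($t -match $script:AddressPatterns[$name]) { return $name }
    }
    return $null
}

# Compare the address the user copied with the current clipboard content.
function Test-ClipboardSwap {
    param([string]$Copied, [string]$Current)
    $copiedNet = Get-AddressNetwork $Copied
    if (-not $copiedNet) {
        return [pscustomobject]@{ Swapped = $false; Reason = 'copied text is not an address' }
    }
    if ($Copied.Trim() -eq "$Current".Trim()) {
        return [pscustomobject]@{ Swapped = $false; Reason = 'clipboard unchanged' }
    }
    # A hijacker substitutes an address of the same network so the wallet app
    # accepts it, so any change away from the copied address is a red flag.
    $currentNet = Get-AddressNetwork $Current
    $label = if ($currentNet) { "$currentNet address" } else { 'non-address value' }
    [pscustomobject]@{
        Swapped = $true
        Reason  = "clipboard changed from a $copiedNet address to a $label"
    }
}

# Interactive use: copy an address, pass it here, and watch for a swap before pasting.
function Watch-ClipboardForSwap {
    param([string]$Copied, [int]$Seconds = 10)
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        $result = Test-ClipboardSwap -Copied $Copied -Current (Get-Clipboard -Raw)
        if ($result.Swapped) { return $result }
        Start-Sleep -Milliseconds 500
    }
    [pscustomobject]@{ Swapped = $false; Reason = "no change within $Seconds s" }
}

# Offline demonstration with constructed strings (not real wallet addresses).
$copied  = '0x' + ('a' * 40)
$swapped = '0x' + ('b' * 40)
Test-ClipboardSwap -Copied $copied -Current $copied    # Swapped = False
Test-ClipboardSwap -Copied $copied -Current $swapped   # Swapped = True
```

The check is deliberately independent of the attacker's address list: it flags any change between what was copied and what is about to be pasted, which is the one behaviour every clipboard hijacker must exhibit. The same comparison, performed by eye on the first and last few characters of an address before confirming a transaction, is the habit the article's closing advice is really asking for.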

The Broad Reach of ClipBanker

The malware’s target list is notably comprehensive, showing the attackers’ intent to cast a wide net. It doesn’t just focus on Bitcoin or Ethereum. The code is configured to hijack addresses for a plethora of major blockchain networks, including Monero, Solana, and TRON. This makes the threat particularly dangerous for traders, vendors, or anyone routinely moving digital assets. A single copy-paste action could result in significant, unrecoverable loss.

As a final insult, the infection chain includes a call to an IP logger service. This allows the attackers to receive a simple ping, confirming that the malware has been successfully deployed on a new system. It’s a crude but effective form of telemetry for the criminals.

The Scale of the Campaign

According to research from Kaspersky’s Securelist team, this campaign is not a small-scale test. Their systems have reported over 2,000 detections among their user base since the start of 2025, with the highest concentration of victims in India and Vietnam. Perhaps the most telling statistic is that many of these detections came from the company’s free cleanup tool. This strongly suggests that once the infection takes hold, removal is a common user recourse, highlighting that prevention is vastly preferable to the cure in these scenarios.

Looking Ahead: A New Normal for Software Trust?

This campaign underscores a troubling evolution in software supply chain attacks. Platforms like GitHub, which are foundational to modern development, are now being weaponized as distribution points. The implicit trust users place in these platforms creates a powerful vulnerability. For developers and tech-savvy users, the lesson is to maintain a healthy skepticism even when sources appear reputable. Verifying publisher signatures, checking repository histories and contributor profiles, and using comprehensive security software are no longer optional practices; they are essential layers of defense in a landscape where the tools we rely on can be turned against us. The next wave of threats may not come from shady websites, but from perfectly forged replicas in the places we least expect.