
Cybercriminals abused GitHub, YouTube and VirusTotal to push crypto-stealing malware

Medium
Published: Fri Jun 19 2026 (06/19/2026, 12:47:03 UTC)
Source: Reddit Cybersecurity

Description

Cybercriminals conducted a campaign abusing GitHub, YouTube, and VirusTotal to distribute crypto-stealing malware disguised as legitimate cryptocurrency trading and gambling tools. The malware, targeting Windows and macOS, is a Rust-based clipboard hijacker that replaces copied cryptocurrency wallet addresses with attacker-controlled ones. The campaign used fake GitHub stars, coordinated accounts, inflated download counts, AI-narrated YouTube tutorials, and manipulated VirusTotal feedback to build trust and appear legitimate. Over 5,000 GitHub downloads and more than 44,000 SourceForge downloads were recorded, with significant activity from Pakistan and India. The attackers frequently rotated wallet addresses to evade detection. The campaign demonstrates advanced reputation manipulation techniques to spread malware beyond classic distribution methods.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/19/2026, 13:05:05 UTC

Technical Analysis

This malware campaign involved distributing Rust-based clipboard hijackers through multiple platforms including GitHub, YouTube, VirusTotal, SourceForge, and a WordPress phishing site. The malware targets Windows and macOS systems, monitoring clipboard content for cryptocurrency wallet addresses and replacing them with attacker-controlled addresses from a large internal list of over 15,500 wallets across various cryptocurrencies. The attackers used coordinated fake accounts ('Ghost Networks') to inflate GitHub stars, forks, and download counts, and manipulated VirusTotal comments and votes to appear trustworthy. YouTube videos with AI-generated narration demonstrated the malicious tools to potential victims, further enhancing credibility. The campaign recorded thousands of downloads and showed geographic download anomalies, suggesting use of device farms to inflate metrics. Wallet addresses were frequently rotated to avoid detection after theft. This operation highlights evolving tactics in malware distribution leveraging reputation systems and cross-platform promotion.

Potential Impact

The malware steals cryptocurrency by hijacking clipboard data and substituting victim wallet addresses with attacker-controlled ones, potentially resulting in direct financial loss for victims. The campaign's use of multiple popular platforms and reputation manipulation increases the likelihood of victim infection. The frequent rotation of attacker wallets complicates tracking and mitigation efforts. The campaign affected both Windows and macOS users and achieved significant download volumes, indicating a broad impact. No direct evidence of exploitation in the wild beyond the campaign is provided.

Mitigation Recommendations

No official patch or fix is applicable as this is malware distributed via social engineering and reputation manipulation. Defenders should rely on threat intelligence indicators of compromise (IOCs) published by Check Point to detect related activity. Users should exercise caution when downloading cryptocurrency tools from GitHub, SourceForge, or other platforms, especially those with suspiciously high popularity metrics or promoted via unverified channels. Avoid using software promoted through manipulated reviews or AI-narrated tutorials without independent verification. Employ endpoint protection capable of detecting clipboard hijackers and monitor for unexpected wallet address substitutions. Since this campaign exploits trust and reputation systems, awareness and user education are critical.
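A minimal detector of the kind the last recommendation calls for, added here as an example and not taken from the original report or from Check Point: it assumes a clipboard monitor that records every clipboard change with a timestamp (the sample changes below are constructed), and it flags a wallet address that is replaced by a different address of the same chain within a short window, which is the behaviour the analysis attributes to the clipboard hijacker.

```python
import re
from dataclasses import dataclass

# Constructed, illustrative patterns for a few common address formats.
# Full validation (checksums, bech32 decoding) is out of scope for a monitor.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "TRX": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}

def classify_address(text):
    """Return the chain label if text looks like a wallet address, else None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None

@dataclass
class ClipboardChange:
    ts: float   # seconds since the monitor started (assumed monitor clock)
    text: str   # clipboard contents after the change

def detect_substitutions(changes, window=2.0):
    """Flag a change that swaps one wallet address for a different address of the
    same chain within `window` seconds: a user rarely re-copies a second address
    that quickly, but a hijacker overwrites the clipboard almost immediately."""
    alerts = []
    prev = None
    for cur in changes:
        cur_chain = classify_address(cur.text)
        if prev is not None and cur_chain is not None:
            same_chain = classify_address(prev.text) == cur_chain
            different_value = prev.text.strip() != cur.text.strip()
            fast = (cur.ts - prev.ts) <= window
            if same_chain and different_value and fast:
                alerts.append({"chain": cur_chain, "original": prev.text.strip(),
                               "replacement": cur.text.strip(),
                               "delay_s": round(cur.ts - prev.ts, 3)})
        prev = cur
    return alerts

# Constructed sample: one hijack (BTC swapped 0.3 s after the copy), then benign activity.
SAMPLE_CHANGES = [
    ClipboardChange(10.0, "1VictimWa11etAddressExamp1e"),
    ClipboardChange(10.3, "1AttackerWa11etRep1acementXXX"),
    ClipboardChange(40.0, "meeting notes for tuesday"),
    ClipboardChange(55.0, "0x" + "1" * 40),
    ClipboardChange(70.0, "0x" + "2" * 40),   # 15 s later: a genuine second copy
    ClipboardChange(70.5, "0x" + "2" * 40),   # same value re-copied: not a swap
]

if __name__ == "__main__":
    for alert in detect_substitutions(SAMPLE_CHANGES):
        print("possible clipboard hijack:", alert)
```

On a real endpoint the change list would come from the OS clipboard API; the window and the address patterns are the tuning knobs, and a confirmed alert should be correlated with the process that wrote the clipboard.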


Technical Details

Source Type: reddit
Subreddit: cybersecurity
Reddit Score: 0
Discussion Level: minimal
Content Source: reddit_link_post
Post Type: link
Domain: null
Newsworthiness Assessment: {"score":30,"reasons":["external_link","newsworthy_keywords:malware","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["malware"],"foundNonNewsworthy":[]}
Has External Source: true
Trusted Domain: false

Threat ID: 6a353e78f198dc38c14022ed

Added to database: 6/19/2026, 1:04:56 PM

Last enriched: 6/19/2026, 1:05:05 PM

Last updated: 6/19/2026, 3:26:49 PM
