The long road to your crypto: ClipBanker and its marathon infection chain
Proxifiers are specialized software designed to tunnel traffic for programs that do not natively support proxy servers. They are a go-to for making sure these apps are functional within secured development environments. By coincidence, Proxifier is also a name for a proprietary proxifier developed by VentoByte, which is distributed under a paid license. If you search for Proxifier (or a proxifier), one of the top results in popular search engines is a link to a GitHub repository. That’s exactly where the source of the primary infection lives.
AI Analysis
Technical Summary
ClipBanker malware is delivered through a trojanized Proxifier application hosted on GitHub, exploiting users searching for proxifier tools. Proxifier software is typically used to tunnel traffic for applications lacking native proxy support. The malware's infection chain is described as a marathon, indicating multiple stages or persistence mechanisms. The campaign targets cryptocurrency assets by compromising systems through this trojanized software. No CVE or vendor advisory is associated with this threat, and no official patch or fix is documented. Indicators include multiple file hashes and domains related to the malware infrastructure.
Potential Impact
The malware can compromise systems by masquerading as legitimate proxifier software, potentially leading to theft or manipulation of cryptocurrency assets. There are no reports of widespread exploitation or known active campaigns beyond the initial infection vector. The infection chain complexity suggests persistence and evasion capabilities, increasing the risk to affected users who download the trojanized software.
Mitigation Recommendations
No official patch or vendor advisory is available for this malware. Users should avoid downloading Proxifier software from unofficial or untrusted sources such as unverified GitHub repositories. Employing endpoint protection solutions that detect known ClipBanker hashes and monitoring for connections to identified malicious domains can help reduce risk. Since this is a malware infection vector rather than a software vulnerability, remediation focuses on user education and threat detection rather than patching.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/clipbanker-malware-distributed-via-trojanized-proxifier/119341/
- Adversary: null
- Pulse Id: 69d77818426ba84dc9eb0371
- Threat Score: null
Threat ID: 69d7edfe1cc7ad14da04a129
Added to database: 4/9/2026, 6:20:46 PM
Last enriched: 4/9/2026, 6:36:28 PM
Last updated: 4/10/2026, 5:42:59 AM