Privacy Ninja

Hackers Steal from Hackers by Pushing Fake Malware on Forums

Hackers Steal from Hackers by Pushing Fake Malware on Forums

Security analysts from two companies have spotted a new case of hackers targeting hackers via clipboard stealers disguised as cracked RATs and malware building tools.

Clipboard stealers are quite common, typically used to monitor the clipboard content of a victim to identify cryptocurrency wallet addresses and replace them with one belonging to the malware operator.

This allows attackers to hijack financial transactions on the fly, and transfer the money to their accounts. These stealers focus on the more popular cryptocurrencies, like Bitcoin, Ethereum, and Monero.

Cracked RATs

Researchers at ASEC noticed fake offers of clipboard stealers on hacking forums such as ‘Russia black hat.’ The crooks lured aspiring hackers with cracked versions of BitRAT and Quasar RAT, both commodity malware that normally comes with a price tag of $20-$100.

Also Read: What is Smishing? How Can We Prevent It? Explained.

Threat actors promoting a cracked Quasar RAT
Threat actors promoting a cracked Quasar RAT (ASEC)

Those who attempt to download any of the offered files are directed to an Anonfiles page that delivers a RAR archive which is supposedly a builder for the selected malware.

The “crack.exe” file contained in these archives is, in reality, a ClipBanker installer, which copies the malicious binary to the startup folder and executes it on the first reboot.

Fake crack file dropping ClipBanker
Fake crack file dropping ClipBanker (ASEC)

AvD Crypto Stealer

A second report on fake stealers comes from Cyble, whose analysts found on a cybercrime forum an offering of a free month of AvD Crypto Stealer.

AvD Crypto Stealer on a hacking forum
AvD Crypto Stealer on a hacking forum (Cyble)

In this case too, the victims download what is supposedly a malware builder and launch an executable named ‘Payload.exe’, assuming this will grant them free access to the crypto stealer.

Also Read: 5 Signs On How to Know if Ransomware is on Your Computer

This action ends up infecting their systems with a clipper that targets Ethereum, Binance Smart Chain, Fantom, Polygon, Avalanche, and Arbitrum.

Cyble has found that the Bitcoin address hardcoded on this particular variant sample has received 1.3 BTC (about $54,000) by hijacking 422 transactions.

Crypto addresses used in the analyzed clipper
Crypto addresses used in the analyzed clipper (Cyble)

Crooks preying upon crooks

While hackers targeting regular users is the normal condition, it’s not unusual to see hackers attempting to scam other hackers, sometimes hitting the jackpot.

Inexperienced or careless threat actors tend to jump at the opportunity of free malware they find on obscure or poorly moderated websites and execute them on their systems without a second thought.

These victims may sometimes hold cryptocurrency obtained from various malicious activities.

While these campaigns don’t solve any of the underlying problems for regular internet users, they constitute another key reason of why joining the cybercrime space is a bad idea.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.

Powered by WhatsApp Chat

× Chat with us