- Malicious actors are creating a “fake reputation economy” by using coordinated reviews, social media buzz, and paid news articles to promote malware.
- The goal is to distribute a Rust-based cryptocurrency clipboard hijacker that steals crypto by replacing wallet addresses in the clipboard.
- The campaign employs a sophisticated cross-platform network, including fake GitHub accounts, a YouTube channel with 91k subscribers, and even promoted press releases.
- Attackers are manipulating platforms like VirusTotal and SourceForge with fake upvotes and inflated download counts to appear legitimate.

An unknown threat actor has been orchestrating a sophisticated malware campaign since at least June 2026, leveraging paid posts on legitimate news sites and a multi-platform strategy to build fake credibility. This elaborate operation, detailed by Check Point Research, specifically targets cryptocurrency users and online gamblers seeking profit shortcuts.
The ultimate payload is a Rust-based clipboard hijacker that runs on both Windows and macOS systems. This malware continuously monitors the clipboard, substituting any detected cryptocurrency wallet addresses with attacker-controlled ones from a hard-coded list.
The campaign’s success hinges entirely on building deceptive trust through synthetic engagement. The threat actor operates at least six GitHub accounts to cross-promote malicious repositories, with one gaining 146 stars and 62 forks.
Furthermore, they artificially inflated a SourceForge download counter to 44,485, with suspicious activity suggesting the use of an Android farm. Meanwhile, a dedicated YouTube channel with over 91,000 subscribers features AI-narrated tutorial videos to lend further legitimacy.
Perhaps most unusually, the actor utilized a press release distribution service, EIN Presswire, to market the tools. This release was subsequently syndicated across partner news websites, primarily within the USA TODAY Network.
This manipulation extends to reputation-driven security platforms as well. The actor uses ghost networks to poison systems like VirusTotal with positive comments and upvotes, aiming to misclassify malicious files as safe.
Check Point summarized this approach, stating, “To push a malicious ‘tool,’ a single threat actor borrowed the same playbook legitimate brands use to build buzz.” They warned this fake reputation economy represents a significant shift in how attackers establish trust before deploying malware.
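
The clipboard substitution described above leaves a recognizable trace in endpoint telemetry. The following detection sketch is an added example, not code from Check Point or from the campaign; it assumes a sensor that records which process set each clipboard value, and the process names, addresses and events are constructed.

```python
import re
from collections import defaultdict

# Address shapes only (no checksum validation); enough to spot a like-for-like swap.
PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return the wallet-address family the text looks like, else None."""
    value = text.strip()
    for kind, pattern in PATTERNS.items():
        if pattern.match(value):
            return kind
    return None

def find_swaps(events, window=2.0):
    """events: (seconds, setter_process, clipboard_text) tuples in time order.
    Flags an address overwritten within `window` seconds by a different
    address of the same family that was set by a different process."""
    swaps = []
    for prev, cur in zip(events, events[1:]):
        kind = address_kind(prev[2])
        if (kind and kind == address_kind(cur[2]) and prev[2].strip() != cur[2].strip()
                and cur[1] != prev[1] and cur[0] - prev[0] <= window):
            swaps.append({"kind": kind, "original": prev[2].strip(),
                          "replacement": cur[2].strip(), "setter": cur[1]})
    return swaps

def recurring_replacements(swaps):
    """A replacement reused for different originals suggests a fixed address list."""
    seen = defaultdict(set)
    for s in swaps:
        seen[s["replacement"]].add(s["original"])
    return {r for r, originals in seen.items() if len(originals) > 1}

# Constructed telemetry; the addresses are made-up strings of the right shape.
ETH_A, ETH_B, ETH_X = ("0x" + p * 20 for p in ("a1", "b2", "ee"))
SAMPLE = [
    (10.0, "browser.exe", ETH_A),
    (10.3, "helper.exe", ETH_X),    # overwritten 0.3 s after the user's copy
    (55.0, "browser.exe", "meeting notes"),
    (90.0, "wallet.exe", ETH_B),
    (90.2, "helper.exe", ETH_X),    # same replacement, different original
    (200.0, "browser.exe", ETH_A),
    (260.0, "wallet.exe", ETH_B),   # a later, unrelated copy: not flagged
]
```

The time window and the different-setter condition keep ordinary back-to-back copies of two addresses from being flagged; both thresholds are assumptions to tune against real telemetry.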
