New MassJacker Malware Targets Users Pirating Software, Steals Over $336,000 in Cryptocurrency

  • A new malware campaign called MassJacker targets users searching for pirated software, monitoring clipboard content to steal cryptocurrency by replacing wallet addresses.
  • Researchers have identified over 778,531 attacker-controlled wallet addresses, with transactions totaling approximately $336,700 diverted through this clipper malware.
  • The malware shares code similarities with MassLogger and employs sophisticated evasion techniques including JIT hooking and custom virtual machines to avoid detection.

Cryptocurrency users face a growing threat from a newly discovered malware strain designed to hijack digital asset transfers through clipboard manipulation. Security researchers at CyberArk have identified "MassJacker," a sophisticated clipper malware targeting individuals who search for pirated software, with stolen funds already approaching $340,000.

The malware operates by monitoring victims’ clipboard content and automatically replacing cryptocurrency wallet addresses with attacker-controlled alternatives, effectively redirecting transactions to malicious wallets instead of intended recipients.

According to CyberArk researcher Ari Novick, "The infection chain begins at a site called pesktop[.]com. This site, which presents itself as a site to get pirated software, also tries to get people to download all sorts of malware."

The attack sequence begins when users download what appears to be pirated software. The executable then triggers a PowerShell script that delivers multiple payloads, including the established Amadey botnet and two specialized .NET binaries (32-bit and 64-bit versions). These components work together to install the MassJacker clipper, using a legitimate Windows process ("InstallUtil.exe") as cover for its malicious activities.

MassJacker represents a type of cryware (a term coined by Microsoft) specifically designed to intercept cryptocurrency transactions. This particular strain employs several advanced evasion techniques, including:

  • Just-In-Time (JIT) hooking to evade detection
  • Metadata token mapping that conceals function calls
  • A custom virtual machine interpreting commands rather than executing standard .NET code
  • Built-in anti-debugging protections

"MassJacker creates an event handler to run whenever the victim copies anything," explained Novick. "The handler checks the regexes, and if it finds a match, it replaces the copied content with a wallet belonging to the threat actor from the downloaded list."
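The replacement behaviour described above leaves a recognisable trace: a copied address is overwritten by a different address of the same type almost immediately. The following detection sketch is an added example, not code from CyberArk or the article; the address patterns, the one-second window and the sample clipboard history are assumptions constructed for illustration.

```python
import re

# Simplified address shapes (assumptions; the page does not list MassJacker's regexes).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

SWAP_WINDOW_SECONDS = 1.0  # hypothetical threshold: a human cannot re-copy this fast


def classify(text):
    """Return the coin name if the whole clipboard text looks like an address."""
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None


def find_swaps(events, window=SWAP_WINDOW_SECONDS):
    """events: list of (timestamp_seconds, clipboard_text) in time order.

    Flags an address that is replaced by a different address of the same
    type within `window` seconds, the pattern a clipper leaves behind.
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        coin = classify(prev)
        if coin is None or classify(cur) != coin:
            continue
        if prev.strip() != cur.strip() and (t_cur - t_prev) <= window:
            alerts.append({"coin": coin, "copied": prev.strip(),
                           "replaced_by": cur.strip(), "delay": round(t_cur - t_prev, 3)})
    return alerts


# Constructed clipboard history (addresses are made-up strings of the right shape).
SAMPLE_EVENTS = [
    (10.00, "meeting notes"),
    (25.40, "0x" + "a1" * 20),          # user copies a recipient address
    (25.45, "0x" + "b2" * 20),          # replaced 50 ms later: suspicious
    (90.00, "1" + "A" * 30),            # user copies an address
    (200.0, "1" + "B" * 30),            # different address much later: normal
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The same comparison applies at paste time: checking the pasted recipient against the address that was originally copied catches the substitution before a transaction is signed.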

The financial impact appears substantial. CyberArk’s investigation revealed over 778,531 unique cryptocurrency addresses controlled by the attackers. While only 423 addresses contained active funds totaling approximately $95,300, the researchers determined that the total value of digital assets processed through these wallets reached approximately $336,700 before being transferred out.

Most concerning, a single wallet in the network currently holds approximately $87,000 (600 SOL), with over 350 separate transactions funneling money into this address from various sources.

Although the operators behind MassJacker remain unidentified, analysis of the malware’s code structure revealed significant similarities with MassLogger, another malicious tool that employs similar JIT hooking techniques to resist analysis. This connection potentially indicates shared development resources or methodologies.

The discovery of MassJacker adds to the growing number of warnings about clipper malware targeting cryptocurrency users, highlighting the continued evolution of threats aimed at digital asset holders.
