{“lastseen”:”2026-04-09T10:10:19″,”description”:”\\n\\nAt the start of the year, a certain Trojan caught our eye due to its incredibly long infection chain. In most cases, it kicks off with a web search for \\”Proxifier\\”. Proxifiers are speciaized software designed to tunnel traffic for programs that do not natively support proxy servers. They are a go-to for making sure these apps are functional within secured development environments.\\n\\nBy coincidence, Proxifier is also a name for a proprietary proxifier developed by VentoByte, which is distributed under a paid license.\\n\\nIf you search for Proxifier (or a proxifier), one of the top results in popular search engines is a link to a GitHub repository. That’s exactly where the source of the primary infection lives.\\n\\n\\n\\nThe GitHub project itself contains the source code for a rudimentary proxy service. However, if you head over to the Releases section, you’ll find an archive containing an executable file and a text document. That executable is actually a malicious wrapper bundled around the legitimate Proxifier installer, while the text file helpfully offers activation keys for the software.\\n\\n\\n\\nOnce launched, the Trojan’s first order of business is to add an exception to Microsoft Defender for all files with a TMP extension, as well as for the directory where the executable is sitting. The way the Trojan pulls this off is actually pretty exotic.\\n\\nFirst, it creates a tiny stub file \u2013 only about 1.5 KB in size \u2013 in the temp directory under the name \\”Proxifier\\u003c???\\u003e.tmp\\” and runs it. This stub doesn’t actually do anything on its own; it serves as a donor process. Later, a .NET application named \\”api_updater.exe\\” is injected into it to handle the Microsoft Defender exclusions. To get this done, api_updater.exe decrypts and runs a PowerShell script using the PSObject class. PSObject lets the script run directly inside the current process without popping up a command console or launching the interpreter.\\n\\n\\n\\nAs soon as the required exclusions are set, the trojanized proxifier.exe extracts and launches the real Proxifier installer. Meanwhile, it quietly continues the infection in the background: it creates another donor process and injects a module named proxifierupdater.exe. This module acts as yet another injector. It launches the system utility conhost.exe and injects it with another .NET app, internally named \\”bin.exe\\”, which runs a PowerShell script using the same method as before.\\n\\n\\n\\nThe script is obfuscated and parts of it are encoded, but it really only performs four specific actions:\\n\\n * Add the \\”powershell\\” and \\”conhost\\” processes to Microsoft Defender exclusions.\\n * Create a registry key at _HKLM\\\\SOFTWARE\\\\System::Config_ and store another Base64-encoded PowerShell script inside it.\\n * Set up a scheduled task to launch PowerShell with another script as an argument. The script’s task is to read the content of the created registry key, decode it, and transfer control to the resulting script.\\n * Ping an IP Logger service at https[:]\/\/maper[.]info\/2X5tF5 to let the attackers know the infection was successful.\\n\\n\\n\\nThis wraps up the primary stage of the infection. As you can see, the Trojan attempts to use fileless (or bodiless) malware techniques. By executing malicious code directly in allocated memory, it leaves almost no footprint on the hard drive.\\n\\nThe next stage is launched along with the task created in the scheduler. This is what it looks like:\\n\\n\\n\\nThe task launches the PowerShell interpreter, passing the script from the arguments as input. As we already mentioned, it reads the contents of the previously created Config registry key, then decodes and executes it. This is yet another PowerShell script whose job is to download the next script from hardcoded addresses and execute it. These addresses belong to Pastebin-type services, and the content located there is encoded in several different ways at once.\\n\\n\\n\\nDecoded and deobfuscated script from the Config registry key\\n\\nThe script from Pastebin continues the download chain. This time, the payload is located on GitHub.\\n\\n\\n\\nDecoded script from Pastebin\\n\\nIt’s a massive script, clocking in at around 500 KB. Interestingly, the bulk of the file is just one long Base64 string. After decoding it and doing some deobfuscation, we end up with a script whose purpose is quite clear. It extracts shellcode from a Base64 string, launches the fontdrvhost.exe utility, injects the shellcode into it, and hands over control.\\n\\n\\n\\nThe shellcode, in turn, unpacks and sets up the code for the final payload. This is classic ClipBanker-like malware, and there’s nothing particularly fancy about it. It’s written in C++, compiled with MinGW, doesn’t bother with system persistence, and doesn’t even connect to the network. Its entire job is to constantly monitor the clipboard for strings that look like crypto wallet addresses belonging to various blockchain-based networks (Cardano, Algorand, Ethereum, Bitcoin, NEM, Stellar, BNB, Cosmos, Dash, Monero, Dogecoin, MultiversX, Arweave, Filecoin, Litecoin, Neo, Osmosis, Solana, THOR, Nano, Qtum, Waves, TRON, Ripple, Tezos, and ZelCash), and then swap them with the attackers’ own addresses.\\n\\nHere is the full list of replacement addresses:\\n \\n \\n addr1qxenj0dwefgmp9z4t4dgek3yh3d8cfzcl6u97x2ln8c4nljjv7xdw2u0jhfdy90arm0xr0das4kznrh8qj33dzu8z5fqdtusyt\\n QSAROFQNKPXKKDNK67N5MQY5IQ4MTKGLI65KREVHKW53R2M6WHORP3ME2E\\n 0x97c16182d2e91a9370d5590b670f6b8dc755680552e40218a2b28ec7ad105071\\n qrherxuw7fupud48l9xwvdcg7w64g8g7xvls9vgqyq\\n bc1q88r38gk8ynrhdfur7yefwf5hrn2y56s90vlrvq\\n 36vf1gvZSxHkRRhAFiH6fotVWYEwH3tk22\\n 14U9sBVDRyEfPgR8h9QJatwtrodey4NeH4\\n bc1phfm9d0fpqtgr9hkrxx5ww9k2qzww59q5czga95rtmk6vh5h8devsa72fxk\\n btg1qqfrsueknwmg92xrpch22wru0g4ka4p2vum3pdj\\n AcRjmRuDswUeQHtxJnzAn496r9Lo8XQjUK\\n GW9DJpw4mBJnVUWucX3szdH5bXZ9pqzLRF\\n bnb18nqx60dx6dhhsdyddcl0653392w0v4yhx07knl\\n cosmos10zqq0frph0rs36wwjg4r2r5626m6a2dgv3h6nv\\n DskZFNcs5MKg9EdvhAnu87YGzWwVoBvd2tZ\\n Xj3KofSCPq97odR8hiFjfeZs2FqbwUbstk\\n DJYXgJuBrc7cuGn4sgJXz1sdArKURkoWS9\\n erd14n38wkxm9epjh0s2y8078yqqzy4ztq9ckczy883dwcfgd54peaqs3tp2k2\\n a2dB176hgduQopnJPrEGjfojRWSHwTS62Q\\n f1qxoyqf3va2mwfbgzah3t7pqe7x5fmdev5dqc25a\\n inj1qw709q8utgjhxrs2cqczhmz2w254dedllzmlef\\n ltc1q4calyk5x5g36ckpsrcr6ndtxdlc0ea9qs4h44n\\n MCB8j9kXkX3f3BoXaBcsDc9RFoki9Kb3AR\\n LhMGEmEGwxcGhCEQ7QmbC1hywRbHbbv6p8\\n 14FBxuV8HEuuWPFoFHbbG4Hm4pa7CqroQiGDeWvZdGiiJm8W\\n osmo10zqq0frph0rs36wwjg4r2r5626m6a2dgy2y297\\n 7ATuKGME8AG9Tz5Qe4eRf1EAwqJNUvYXMiCGmtSbaJXR\\n thor12x0nqpjz2djpuaxm2j2z963sawdcze3nhxacyu\\n EQA28DFYnisowE0e49Sp2DUv6RKQWOJGbvegKWRPXE83bMnQ\\n nano_1j9mjyi4q8qytb1r7yyqntzkyay5xo1wznnwmy9a3p9r371zb3d6wr6xs8y5\\n QXwbqRnmxgmMZQk5WEvMYEBVzf1MP4eMY9\\n 3P7zSKMhfMPr5kd85xtHNmCx2gi9apCgnSP\\n TNkGLYwtjcSk2A9U8cxJzttGeGEgz56hSP\\n GB4XWREV3WOXWIWFE3DVX3FUNUXLOC7EEGXHZXRUKI5AMZAG3SV7EV4P\\n 46QtL5btfnq85iGrPDFabp4mxGhRbEZJaH67i5LhQsWhCnuiURKVU74QbMpf4TcZqgDnENMWaqhpt82vQSEdyBf4Tp1v8Y9\\n rKwSuwgNNWn8P8x1ckUopKkErnPW3tVrz9\\n tz1cPNzMxTsLzV1Gca2VowGgjRm7MkRzGLw5\\n t1Nwwai9UsQxcgJVVbssnmfjfznhbq2v8ud\\n ZEPHYR2tzMbbkY7CCsShtADqstJLEeZfEiDHQeRchSg8FoqAn2XzsDD8eEEx5cweBQb4jX12DhfPz36c6TD6uV9fPrcFMqwzTn93Y\\n\\nThe complete execution chain, from the moment the malicious installer starts until the ClipBanker code is running, looks like this:\\n\\n\\n\\n## Victims\\n\\nSince the beginning of 2025, more than 2000 users of Kaspersky solutions have encountered this threat, most of them located in India and Vietnam. Interestingly, 70% of these detections came from the Kaspersky Virus Removal Tool, a free utility used to clean devices that are already infected. This underscores the importance of the preemptive protection: it is often cheaper and easier to prevent the infection than to face consequences of a successful attack.\\n\\n## Conclusion\\n\\nThis campaign is yet another perfect example of the old adage: \\”buy cheap, pay twice\\”. Trying to save a buck on software, combined with a lack of caution when hunting for free solutions, can lead to an infection and the subsequent theft of funds \u2013 in this case, cryptocurrency. The attackers are aggressively promoting their sites in search results and using fileless techniques alongside a marathon infection chain to stay under the radar. Such attacks are difficult to detect and stop in time.\\n\\nTo stay safe and avoid losing your money, use reliable security solutions that are able to prevent your device form being infected. Download software only from official sources. If for some reason you can’t use a reputable paid solution, we highly recommend thoroughly vetting the sites you use to download software.\\n\\n## Indicators of compromise\\n\\n**URLs** \\nhttps[:]\/\/pastebin[.]com\/raw\/FmpsDAtQ \\nhttps[:]\/\/snippet[.]host\/aaxniv\/raw \\nhttps[:]\/\/chiaselinks[.]com\/raw\/nkkywvmhux \\nhttps[:]\/\/rlim[.]com\/55Dfq32kaR\/raw \\nhttps[:]\/\/paste.kealper[.]com\/raw\/k3K5aPJQ \\nhttps[:]\/\/git.parat[.]swiss\/rogers7\/dev-api\/raw\/master\/cpzn \\nhttps[:]\/\/pinhole[.]rootcode[.]ru\/rogers7\/dev-api\/raw\/master\/cpzn \\nhttps[:]\/\/github[.]com\/lukecodix\/Proxifier\/releases\/download\/4.12\/Proxifier.zip \\nhttps[:]\/\/gist.github[.]com\/msfcon5ol3\/107484d66423cb601f418344cd648f12\/raw\/d85cef60cdb9e8d0f3cb3546de6ab657f9498ac7\/upxz\\n\\n**Hashes** \\n34a0f70ab100c47caaba7a5c85448e3d \\n7528bf597fd7764fcb7ec06512e073e0 \\n8354223cd6198b05904337b5dff7772b”,”published”:”2026-04-09T09:30:17″,”modified”:”2026-04-09T09:30:17″,”type”:”securelist”,”title”:”The long road to your crypto: ClipBanker and its marathon infection chain”,”source”:””,”references”:””,”id”:”SECURELIST:7F930D3700994E0C9FEDB13E228D8BFC”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/securelist.com\/clipbanker-malware-distributed-via-trojanized-proxifier\/119341\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-09T10:10:19″,”description”:”\\n\\nAt the start of the year, a certain Trojan caught our eye due to its incredibly long infection chain. In most cases, it kicks off…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,136,7,11,5],"class_list":["post-42805","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-securelist","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n