Hackers hide crypto address-swapping malware in Microsoft Office add-in bundles
Malicious actors are attempting to steal crypto with malware embedded in fake Microsoft Office extensions uploaded to the software hosting site SourceForge, according to cybersecurity firm Kaspersky.One of the malicious...
Archive context
Older archive item. Useful for background and entity history, but not a fresh market-moving signal.
Malicious actors are attempting to steal crypto with malware embedded in fake Microsoft Office extensions uploaded to the software hosting site SourceForge, according to cybersecurity firm Kaspersky.
One of the malicious listings, called “officepackage,” has real Microsoft Office add-ins but hides a malware called ClipBanker that replaces a copied crypto wallet address on a computer's clipboard with the attacker's address, Kaspersky’s Anti-Malware Research Team said in an April 8 report.
“Users of crypto wallets typically copy addresses instead of typing them. If the device is infected with ClipBanker, the victim’s money will end up somewhere entirely unexpected,” the team said.
The fake project’s page on SourceForge mimics a legitimate developer tool page, showing the office add-ins and download buttons and can also appear in search results.
Kaspersky said it found a crypto-stealing malware on the software hosting website SourceForge. Source: Kaspersky
Kaspersky said another feature of the malware’s infection chain involves sending infected device information such as IP addresses, country and usernames to the hackers through Telegram.
The malware can also scan the infected system for signs it’s already been installed previously or for antivirus software and delete itself.
Attackers could sell system access to othersKaspersky says some of the files in the bogus download are small, which raises “red flags, as office applications are never that small, even when compressed.”
Other files are padded out with junk to convince users they are looking at a genuine software installer.
The firm said attackers secure access to an infected system “through multiple methods, including unconventional ones.”
“While the attack primarily targets cryptocurrency by deploying a miner and ClipBanker, the attackers could sell system access to more dangerous actors.”The interface is in Russian, which Kaspersky speculates could mean it targets Russian-speaking users.
“Our telemetry indicates that 90% of potential victims are in Russia, where 4,604 users encountered the scheme between early January and late March,” the report stated.
To avoid falling victim, Kaspersky recommended only downloading software from trusted sources as pirated programs and alternative download options carry higher risks.
Related: Hackers are selling counterfeit phones with crypto-stealing malware
“Distributing malware disguised as pirated software is anything but new,” the company said. “As users seek ways to download applications outside official sources, attackers offer their own. They keep looking for new ways to make their websites look legit.”
Other firms have also been raising the alarm over new forms of malware targeting crypto users.
Threat Fabric said in a March 28 report it found a new family of malware that can launch a fake overlay to trick Android users into providing their crypto seed phrases as it takes over the device.
Magazine: Bitcoin heading to $70K soon? Crypto baller funds SpaceX flight: Hodler’s Digest, March 30 – April 5
Why this matters
This cryptocurrency story adds another data point to the current market tape and is useful when read alongside nearby source coverage.
Original source
Read on CointelegraphRelated market context
Kaspersky identifies malware framework targeting cryptocurrency investors through fake GitHub projects
Kaspersky uncovers GitVenom malware campaign using 200+ fake GitHub repos and AI-generated docs to steal Bitcoin from crypto inves...
AI agents employ $24M market to act smarter as agentic crypto payments spread online
Lincoln Murr asked his AI agent to send some Twitter articles to his Kindle, copying a trick he'd seen suggested online. The agent...
MacOS malware hijacks Telegram sessions, targets crypto wallets: SlowMist
A macOS malware steals credentials to hijack Telegram sessions, decrypt cryptocurrency wallets or trick users into entering their...
Florida man arrested for stealing $220K in crypto via Steam malware scheme
A 21-year-old Florida man was arrested for allegedly stealing $220K in crypto by embedding malware in Steam games, infecting 8,000...
Bitmine nears its Ethereum buying limit – Now it needs demand to make the bet pay off
Bitmine plans to slow its Ethereum purchases as its holdings approach 5% of the cryptocurrency’s supply, ending a year of rapid ac...
BTCC Exchange Q2 2026 Growth Report: TradFi Volumes Triple, 12M Users Reached as Exchange Marks 15 Years
George Town, Cayman Islands, July 17th, 2026, Chainwire BTCC, the world’s longest-serving cryptocurrency exchange, today released...