An unknown threat actor has been observed taking advantage of paid or promoted posts on legitimate news websites to increase buzz for their warez, according to new findings from Check Point Research.
The threat actor also has a dedicated WordPress phishing page that serves as the central hub, along with GitHub and SourceForge projects promoted by fake accounts, a YouTube channel, and a group of accounts that engage in coordinated activity on VirusTotal with the intent to misclassify malicious files as safe.
“To push a malicious ‘tool,’ a single threat actor borrowed the same playbook that legitimate brands use to create buzz: inflated download numbers, coordinated five-star reviews, influencer-style tutorial videos, and promotion on platforms that people instinctively trust,” Check Point said in a report shared with The Hacker News. “The result is a fake reputation economy that spreads across every platform that a curious victim might check before clicking ‘download’.”
The ultimate goal of the campaign is to deliver a cryptocurrency clipboard hijacker hidden within Solana and Pump.Fun sniper bots and crash-game predictors, suggesting that cryptocurrency asset holders and online gamblers looking for shortcuts and quick profits are the targets.
The Rust-based clipper targets both Windows and macOS systems, and continuously monitors the clipboard for content matching cryptocurrency wallet address patterns. When a match is found, the malware replaces the wallet address with an attacker-controlled address pulled from a hard-coded list, so that any funds the victim sends to the pasted address go to the attacker instead.
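The defensive counterpart to the behaviour described above is a substitution check: compare what the user actually copied with what the clipboard holds at paste time, and alert when a wallet address of the same asset type has silently been replaced by a different one. The following Python example is added here for illustration; it is not Check Point's code and not the malware's. It assumes a feed of clipboard events (an explicit user copy versus a periodic poll of clipboard contents, constructed inline below) and uses simplified, checksum-free address patterns for ETH, BTC (legacy and bech32) and Solana, so it covers more asset types than the Solana-focused lures on the page.

```python
import re
from dataclasses import dataclass

# Simplified wallet-address shapes (constructed for this example; real validation
# would also verify checksums). Dict order matters: BTC legacy is checked before
# Solana because a 32-34 char base58 string starting with 1 or 3 matches both.
WALLET_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}$"),
    "sol": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


def classify(text: str):
    """Return the asset type whose address pattern the text matches, or None."""
    candidate = text.strip()
    for asset, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return asset
    return None


@dataclass
class ClipboardEvent:
    # "copy": the user explicitly placed this content on the clipboard (hypothetical hook)
    # "poll": a periodic read of the clipboard by the monitor (hypothetical hook)
    kind: str
    content: str


def detect_swaps(events):
    """Flag polls where a wallet address of the same asset type as the last
    user copy appears, but with a different value: the signature of a clipper."""
    alerts = []
    expected, expected_asset = None, None
    for ev in events:
        asset = classify(ev.content)
        if ev.kind == "copy":
            expected, expected_asset = ev.content, asset
            continue
        if expected_asset is None:
            continue  # last copy was not a wallet address; nothing to protect
        if asset == expected_asset and ev.content != expected:
            alerts.append({"asset": asset, "expected": expected, "observed": ev.content})
    return alerts


def safe_to_paste(copied: str, clipboard_now: str) -> bool:
    """Pre-send check a wallet UI could run: True unless a same-type address swap is seen."""
    asset = classify(copied)
    if asset is None:
        return True
    return not (classify(clipboard_now) == asset and clipboard_now != copied)


# Constructed sample timeline: the second ETH poll shows a silent substitution.
ETH_A = "0x" + "ab" * 20
ETH_B = "0x" + "cd" * 20
SOL_A = "5" + "A" * 42
SAMPLE_TIMELINE = [
    ClipboardEvent("copy", "hello world"),
    ClipboardEvent("poll", "hello world"),
    ClipboardEvent("copy", ETH_A),
    ClipboardEvent("poll", ETH_A),
    ClipboardEvent("poll", ETH_B),  # same asset type, different address: alert
    ClipboardEvent("copy", SOL_A),
    ClipboardEvent("poll", SOL_A),
]


def run_demo():
    return detect_swaps(SAMPLE_TIMELINE)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"[ALERT] {alert['asset']} address changed without a user copy: "
              f"{alert['expected']} -> {alert['observed']}")
```

The detector deliberately ignores changes to a different asset type or to non-address text, since other applications legitimately write to the clipboard; only a same-type address replacement without a user copy event is treated as suspicious. In a real deployment the "copy" and "poll" hooks would come from the OS clipboard API, and the alert would be surfaced before the transaction is signed.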
What is notable about the activity is that ghost networks are used to poison reputation-driven systems like VirusTotal, with the aim of reducing skepticism and increasing victims’ trust in malicious files through a combination of upvotes and highly positive comments.
This behavior also extends to GitHub, where the threat actor operated at least six GitHub accounts to cross-promote and distribute its malware. These artificially enhanced signals are designed to lull users into a false sense of security and confidence. One such repository has 146 stars and 62 forks.
“On SourceForge, the download counter reached 44,485, of which a suspicious 37,460 reportedly originated from Android devices, despite the developer only offering Windows and macOS versions,” Check Point reported. “One plausible explanation is the use of Android farms to artificially inflate the download numbers on SourceForge.”
Additionally, the software solutions are promoted through a dedicated YouTube channel with over 91,000 subscribers. The channel was created in July 2020, with the operators claiming it is “for educational purposes only.” Tutorial-style videos include AI-generated narrators and positive comments to reinforce the illusion of popularity and trustworthiness.
Perhaps the most unusual aspect of the campaign is the threat actor’s use of a press release distribution service like EIN Presswire to market the purported capabilities of their tool. The press release has since been syndicated on the service’s partner news websites, primarily the USA TODAY Network.
“Manipulating sentiment and reputation on crowd-sourced platforms marks a meaningful change in the way attackers build trust,” Check Point said. “The same playbook of fake reputation and aggressive cross-platform promotion can easily deliver information stealers or ransomware to high-value targets over time.”