Cryptojacking Malware MassJacker Steals $336,700 via Pirated Software

Generated by AI agent Coin World
Friday, March 14, 2025, 5:31 pm ET · 2 min read

A new strain of cryptojacking malware, dubbed MassJacker, has been identified targeting users who download pirated software. This previously undocumented clipper malware is designed to hijack cryptocurrency transactions by monitoring and altering clipboard content. The infection chain begins at a site presenting itself as a source for pirated software, which then distributes the malware through an initial executable. This executable runs a PowerShell script that delivers a botnet malware named Amadey, along with two other .NET binaries compiled for both 32- and 64-bit architectures.

The primary function of MassJacker is to intercept cryptocurrency wallet addresses copied to the clipboard and replace them with an attacker-controlled address. This redirection allows the attackers to steal the intended cryptocurrency transaction, diverting it to their own wallets. The malware has been observed to have stolen over $336,700 from victims, highlighting the significant financial impact of this type of cybercrime.
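The substitution described above leaves a trace a defender can look for: one wallet-shaped clipboard value replaced by a different one faster than a person would re-copy. The sketch below is an added example, not code from the article or from any MassJacker analysis. The regexes check address shape only, and the two-second window and the sample timeline are constructed assumptions.

```python
import re

# Address shapes only (no checksum validation); enough to spot a swap.
PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
SWAP_WINDOW_SECONDS = 2.0  # assumption: a person does not re-copy this fast


def address_kind(text):
    """Return the address family the clipboard text looks like, or None."""
    candidate = text.strip()
    for kind, pattern in PATTERNS.items():
        if pattern.match(candidate):
            return kind
    return None


def find_swaps(events, window=SWAP_WINDOW_SECONDS):
    """events: (timestamp_seconds, clipboard_text) pairs, oldest first."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        if address_kind(prev) is None or address_kind(cur) is None:
            continue  # only address-to-address changes are interesting
        if prev.strip() == cur.strip() or t_cur - t_prev > window:
            continue  # unchanged value, or slow enough to be a normal re-copy
        alerts.append({"at": t_cur, "copied": prev.strip(), "replaced_by": cur.strip()})
    return alerts


# Constructed clipboard timeline; the addresses are made-up strings of the right shape.
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (10.0, "0x" + "ab" * 20),
    (10.3, "0x" + "cd" * 20),   # replaced 0.3 s after the copy: flagged
    (60.0, "bc1q" + "q" * 38),
    (95.0, "bc1q" + "z" * 38),  # 35 s later: treated as a normal re-copy
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The same comparison works as a manual habit: check the pasted address against the one originally copied before confirming a transfer.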

The discovery of MassJacker underscores the risks associated with downloading pirated software. Users who engage in such activities are not only violating copyright laws but also exposing themselves to severe security threats. The use of clipper malware, which specifically targets cryptocurrency transactions, is a growing concern in the cybersecurity landscape. This type of malware is particularly dangerous because it operates silently in the background, making it difficult for users to detect until it is too late.

The emergence of MassJacker serves as a reminder of the importance of cybersecurity awareness and the need for robust security measures. Users should avoid downloading software from untrusted sources and ensure that their systems are protected with up-to-date antivirus software and other security tools. Additionally, organizations should implement comprehensive security protocols to safeguard against such threats, including regular employee training on cybersecurity best practices and the use of advanced threat detection technologies.

Crypto malware is not a new phenomenon. The first publicly available cryptojacking script was released by Coinhive in 2017, and since then, attackers have targeted an array of devices using different operating systems. In February 2025, it was found that crypto malware had infiltrated app-making kits for Android and iOS, with the ability to scan images for crypto seed phrases. In October 2024, crypto-stealing malware was discovered in the Python Package Index, a platform for developers to download and share code. Other crypto malware has targeted macOS devices.

Attackers are becoming increasingly sophisticated in their methods. One new "injection method" involves the fake job scam, where an attacker will recruit their victim with the promise of a job. During the virtual interview, the attacker will ask the victim to "fix" microphone or camera access issues. That "fix" is what installs the malware, which can then drain the victim’s crypto wallet. The "clipper" attack, in which malware alters cryptocurrency addresses copied to a clipboard, is less well-known than ransomware or information-stealing malware. However, it offers advantages for attackers, as it operates discreetly and often goes undetected in sandbox environments.
