MassJacker Cryptojacking Malware Targets Pirated Software Users

A new and previously unknown type of cryptojacking malware, named MassJacker, has been identified targeting users who download pirated software. This malware is designed to hijack cryptocurrency transactions by monitoring and altering clipboard content, effectively redirecting funds to attacker-controlled addresses. The infection chain begins at a website presenting itself as a source for pirated software, which then distributes the malware through an initial executable. This executable runs a PowerShell script that delivers a botnet malware named Amadey, along with two other .NET binaries compiled for both 32- and 64-bit architectures. The malware's primary function is to intercept cryptocurrency wallet addresses copied to the clipboard and replace them with an attacker-controlled address, effectively redirecting the funds to the attacker.

The discovery of MassJacker highlights the growing threat posed by clipper malware, which is specifically designed to target cryptocurrency users. By exploiting the trust of users seeking free or discounted software, cybercriminals are able to infiltrate systems and steal valuable digital assets. The use of PowerShell scripts and botnet malware in the infection chain demonstrates the sophistication of the attack, as these tools are commonly used in advanced persistent threats (APTs) to maintain control over compromised systems.

The implications of this malware campaign are significant for both individual users and the broader cryptocurrency community. Users who download pirated software are at high risk of falling victim to such attacks, as they are often unaware of the malicious intent behind the software they are downloading. The cryptocurrency community, in particular, is a prime target for clipper malware due to the high value of digital assets and the relative anonymity of transactions. This campaign serves as a reminder of the importance of using legitimate sources for software and being vigilant about the security of digital assets.

The discovery of MassJacker also underscores the need for enhanced cybersecurity measures to protect against clipper malware and other forms of cybercrime. Users should be educated about the risks associated with downloading pirated software and encouraged to use reputable sources for their software needs. Additionally, cryptocurrency users should implement additional security measures, such as using hardware wallets and enabling two-factor authentication, to protect their digital assets from theft. By taking these steps, users can reduce their risk of falling victim to clipper malware and other forms of cybercrime.

Crypto malware is not a new phenomenon. The first publicly available cryptojacking script was released by Coinhive in 2017, and since then, attackers have targeted an array of devices using different operating systems. In February 2025, it was found that crypto malware had infiltrated app-making kits for Android and iOS, with the ability to scan images for crypto seed phrases. In October 2024, crypto-stealing malware was discovered in a Python Package Index, a platform for developers to download and share code. Other crypto malware have targeted macOS devices. Attackers are becoming increasingly sophisticated, using methods such as fake job scams to recruit victims and install malware during virtual interviews. The "clipper" attack, in which malware alters cryptocurrency addresses copied to a clipboard, is less well-known than ransomware or information-stealing malware. However, it offers advantages for attackers, as it operates discreetly and often goes undetected in sandbox environments.