A new malware campaign is targeting users searching for pirated software, distributing a previously unknown clipper malware called MassJacker, according to CyberArk researchers. This malware is designed to hijack cryptocurrency transactions by replacing copied wallet addresses with attacker-controlled ones, redirecting funds to cybercriminals.
The infection chain begins at pesktop[.]com, a website posing as a source for pirated software that in fact distributes malware. When a user downloads and runs the initial executable, it launches a PowerShell script that installs the Amadey botnet malware along with two .NET binaries built for different system architectures. The malware then injects the MassJacker payload into InstallUtil.exe, a legitimate Windows binary, so that the clipper runs under a trusted process name.
MassJacker uses advanced evasion techniques such as Just-In-Time (JIT) hooking, metadata token mapping, and a custom virtual machine to execute its commands covertly. It continuously monitors clipboard activity, detects cryptocurrency wallet addresses using regex patterns, and replaces them with addresses from a remotely controlled list. The substitution works because users rarely compare the long address they paste into a wallet against the one they copied.
CyberArk researchers identified 778,531 unique attacker-controlled wallet addresses, through which an estimated $336,700 had passed before the funds were moved on. A single wallet was found holding 600 SOL (approximately $87,000), accumulated through hundreds of incoming transactions funnelling stolen funds.
While the exact operators behind MassJacker remain unknown, code similarities suggest links to MassLogger, a malware family known for using similar anti-analysis techniques. The campaign highlights the ongoing threat to cryptocurrency users, particularly those who download pirated software.