An unknown threat actor operates a coordinated campaign distributing cryptocurrency clipper malware through fake reviews, AI-generated video narrators, and comments on VirusTotal, according to Check Point Research.
The attacker uses promoted posts on legitimate news websites to build credibility for malicious software distribution. A dedicated WordPress phishing page serves as the central command hub, coordinated with GitHub and SourceForge projects maintained by fake accounts. The threat actor also operates a YouTube channel pushing the malicious content.
Cryptocurrency clippers remain a persistent threat in the malware ecosystem. These tools intercept wallet addresses users copy to their clipboard and replace them with attacker-controlled addresses. Victims believe they are sending cryptocurrency to legitimate recipients but instead send funds to the threat actor. The simplicity and effectiveness of this attack vector make it attractive to cybercriminals.
The use of AI-narrated videos represents an evolution in social engineering tactics. Automated voice generation reduces the need for human resources while maintaining a veneer of legitimacy. The threat actor leverages VirusTotal comments, a trusted security service used by researchers and defenders, to seed fake positive reviews and build false legitimacy for their malware.
The campaign demonstrates how threat actors exploit multiple platforms simultaneously. Legitimate news websites carry paid advertisements. GitHub and SourceForge repositories appear trustworthy to developers. YouTube's recommendation algorithm amplifies reach. Together, these channels create a web of false credibility that catches cryptocurrency users off guard.
Organizations and individual users should exercise extreme caution when downloading cryptocurrency management tools or wallets. Verify all downloads directly from official project repositories and check code signatures. Avoid cryptocurrency tools promoted through YouTube sponsorships or news site advertisements. Monitor clipboard activity on systems handling sensitive data or financial information, and consider using dedicated air-gapped devices for wallet management and transactions.
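As an added illustration of the clipboard monitoring suggested above (not Check Point's tooling or anything from the campaign), the following detector runs over a constructed clipboard event log and flags the substitution pattern described earlier: a copied address overwritten within seconds by a different address of the same family, written by a different process. The event format, the process names and the address patterns are assumptions for this example; a clipper's habit of reusing one payout address is used as a second, stronger signal.

```python
import re
from collections import Counter

# Illustrative address patterns (constructed for this example, not exhaustive).
ADDRESS_PATTERNS = {
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
def address_kind(text):
    """Return the address family a clipboard string belongs to, or None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None

def find_clipper_swaps(events, window=3.0):
    """Flag clipboard writes that look like a clipper replacing a copied address.
    events: ordered (timestamp_seconds, owner_process, clipboard_text) tuples.
    Suspect: same address family, different value, different process, <= window."""
    alerts, prev = [], None
    for ts, owner, text in events:
        text, kind = text.strip(), address_kind(text)
        if prev and kind and prev[3] == kind and prev[2] != text \
                and owner != prev[1] and ts - prev[0] <= window:
            alerts.append({"time": ts, "process": owner,
                           "original": prev[2], "replacement": text})
        prev = (ts, owner, text, kind) if kind else None  # non-address text resets
    return alerts

def recurring_replacements(alerts):
    """Clippers reuse a fixed payout address: return replacements seen 2+ times."""
    counts = Counter(a["replacement"] for a in alerts)
    return {addr for addr, n in counts.items() if n >= 2}

# Constructed sample log: a hypothetical clipper process "svchost_fake.exe"
# overwrites two BTC copies with one payout address and one ETH copy with another.
BTC_USER, BTC_USER2 = "bc1quseraddr" + "0" * 30, "bc1qnextaddr" + "0" * 30
BTC_ATTACKER, BTC_OTHER = "bc1qattackeraddr" + "0" * 26, "bc1qpayee" + "0" * 33
ETH_USER, ETH_ATTACKER = "0x" + "ab" * 20, "0x" + "cd" * 20
SAMPLE_EVENTS = [
    (0.0, "wallet.exe", BTC_USER),             # user copies their own address
    (0.4, "svchost_fake.exe", BTC_ATTACKER),   # overwritten 0.4 s later: swap
    (30.0, "browser.exe", ETH_USER),
    (30.3, "svchost_fake.exe", ETH_ATTACKER),  # swap
    (60.0, "wallet.exe", BTC_USER2),
    (60.2, "svchost_fake.exe", BTC_ATTACKER),  # swap, same payout address again
    (65.0, "browser.exe", BTC_OTHER),          # legitimate new copy, outside window
    (70.0, "notes.exe", "meeting at 3pm"),     # not an address: ignored
]
```

On a live host the event tuples would come from a clipboard hook that records the sequence number and owning process; the heuristic is deliberately conservative, so a user copying two addresses from different apps within the window is the expected false positive to tune for.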
Check Point Research continues tracking the campaign and has shared indicators of compromise with the
