MassJacker Malware Targets Piracy Users Stealing Cryptocurrency Through Wallet Hijacking

A sophisticated malware campaign has been uncovered targeting users searching for pirated software, deploying a cryptocurrency-stealing malware called MassJacker. This malicious operation uses clipboard hijacking techniques to redirect cryptocurrency transactions to attacker-controlled wallets, effectively stealing funds from unsuspecting victims.

Cybersecurity researchers at CyberArk identified the campaign, which begins its infection chain through a website called pesktop[.]com. The site masquerades as a platform for downloading pirated software while actually distributing various malware payloads.

Infection Chain Diagram (Source: CyberArc)

When users download what they believe to be cracked software, they unknowingly set off a complex infection sequence. The initial executable triggers a PowerShell script that delivers an Amadey botnet malware alongside two specialized .NET binaries compiled for different system architectures. These binaries, particularly one codenamed PackerD1, contain sophisticated anti-analysis and evasion capabilities, including Just-In-Time (JIT) hooking, metadata token mapping to obfuscate function calls, and a custom virtual machine for command interpretation rather than running standard .NET code.

The malware's primary mechanism is deceptively simple yet highly effective. MassJacker monitors the victim's clipboard for cryptocurrency wallet addresses using regular expression patterns. When a user copies a wallet address—typically when preparing to send cryptocurrency—the malware silently replaces it with an attacker-controlled wallet address. The victim, unaware of the substitution, completes the transaction, inadvertently sending their funds to the attackers.

CyberArk's investigation revealed the staggering scale of this operation. The research team identified more than 778,531 unique wallet addresses belonging to the threat actors, though only 423 contained funds at the time of analysis, totaling approximately $95,300. Historical transaction data suggests much larger operations, with the total amount of digital assets held in these wallets before being transferred out estimated at around $336,700.

A single Solana wallet connected to the operation appears to function as a central hub, having accumulated over 600 SOL (approximately $87,000) through more than 350 transactions from different addresses.

NFT-Related Transactions for the Solana Wallet CJpe4dUcV5Knc2XZKTVsTNHm2MpmJGJNWCJdkfbNdYF5 (source: screenshot from solscan.io)

The malware implements several defensive measures to avoid detection, including anti-debugging checks and specialized configuration to retrieve regular expression patterns for identifying cryptocurrency wallet addresses in clipboard content. It also communicates with remote servers to download updated lists of attacker-controlled wallets.

While the specific threat actor behind MassJacker remains unidentified, code analysis has revealed significant overlaps with another malware known as MassLogger, which employs similar JIT hooking techniques to resist analysis. The presence of these shared characteristics suggests a possible connection between the two malware families or their developers.

Cryptocurrency users are advised to exercise extreme caution when copying and pasting wallet addresses, visually verifying the entire address before confirming transactions, and avoiding downloads from unofficial software distribution sites. Security experts recommend using reputable cryptocurrency wallets that offer address verification features and maintaining up-to-date antivirus protection to minimize the risk of such clipboard hijacking attacks.

Found this article interesting? Keep visit thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive tips like this. 

You may also like these articles: Here are the 5 most contextually relevant blog posts: