Hackers are using a fake Proxifier installer on GitHub to deliver ClipBanker malware through a multi-stage chain that weakens Microsoft Defender, runs hidden PowerShell scripts and replaces copied cryptocurrency wallet addresses with attacker-controlled ones.

ClipBanker Malware Targets Crypto Transactions Through Fake GitHub Installer

The420 Web Desk

Hackers are using a fake Proxifier installer hosted on GitHub to deliver ClipBanker malware through a multi-stage infection chain that disguises itself as a legitimate proxy utility while quietly weakening system defences and hijacking cryptocurrency wallet transactions.

The campaign begins when a user searches for Proxifier and lands on a GitHub repository that appears to offer a normal proxy tool. Inside the release files, attackers hide a trojanised installer along with a text file containing fake activation keys, making the package appear credible and useful. Once launched, the installer does not simply install software. Instead, it prepares the system for further compromise.

Trojanised Installer Opens the Door

The malware’s first objective is to weaken Microsoft Defender. It creates a temporary file, injects code into it and uses that donor process to run a hidden PowerShell script that adds antivirus exclusions for temporary files and the installer folder.

The attack then continues by injecting additional .NET components into other processes, making the malicious activity harder to detect. After the initial setup, the Trojan launches the real Proxifier installer, allowing the user to see a functioning program and reducing suspicion that anything is wrong.


Obfuscated Scripts Extend the Infection

In the background, the malware creates another donor process, injects a second module and uses it to start a system utility with another hidden script. The scripts are obfuscated, but their purposes are clear: expand Defender exclusions, store encoded PowerShell in the registry and schedule further malicious code to run later.

A scheduled task then reads the registry value, decodes it and launches the next stage through PowerShell. That stage downloads another large script from hardcoded online locations, including GitHub and Pastebin-style services, before executing it after further decoding.

The infection chain is designed to remain concealed while steadily building persistence. By combining hidden scripts, registry storage and scheduled execution, the attackers create a delivery process that can survive beyond the initial installer and continue operating in the background.
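The chain described above leaves a recognisable trail in process-creation telemetry: a PowerShell process adding Defender exclusions for temporary folders, encoded PowerShell command lines, PowerShell that reads a registry value and decodes it before executing it, and a scheduled task whose action is PowerShell. The following detection script is an added example written for this article, not code from the original report or from Kaspersky; the sample events, paths, task name and registry key are constructed placeholders, and the Base64 blob decodes to the word "Placeholder".

```python
import re

# Constructed sample process-creation events (not real telemetry). Field names
# mimic a Sysmon-style record; the Base64 blob in event 2 decodes to the word
# "Placeholder" and is not a real encoded command.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "ProxifierSetup.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command '
                '"Add-MpPreference -ExclusionPath C:\\Users\\victim\\AppData\\Local\\Temp, '
                'C:\\Users\\victim\\Downloads\\Proxifier"'},
    {"id": 2, "parent": "rundll32.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},
    {"id": 3, "parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -NoP -W Hidden -c "IEX ([Text.Encoding]::Unicode.GetString('
                '[Convert]::FromBase64String((Get-ItemProperty HKCU:\\Software\\Classes\\Updater).Stage)))"'},
    {"id": 4, "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks /Create /SC ONLOGON /TN "Updater" /TR "powershell.exe -NoP -W Hidden '
                '-File C:\\Users\\victim\\AppData\\Roaming\\u.ps1" /F'},
    {"id": 5, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -Command "Get-ChildItem C:\\Projects | Measure-Object"'},
]

# Folders that legitimate software almost never needs excluded from Defender.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp|\\Windows\\Temp|%TE?MP%", re.I)
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_RE = re.compile(r"\s-e(?:ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{20,}", re.I)
# Registry read combined with decode-and-execute: the "stage stored in the registry" pattern.
REG_READ_RE = re.compile(r"Get-ItemProperty|\.GetValue\(|HK(?:CU|LM):|Registry::", re.I)
DECODE_EXEC_RE = re.compile(r"FromBase64String|\bIEX\b|Invoke-Expression", re.I)


def defender_exclusion_on_temp(ev):
    c = ev["cmdline"]
    return bool(EXCLUSION_RE.search(c)) and bool(TEMP_DIR_RE.search(c))


def encoded_powershell(ev):
    return "powershell" in ev["image"].lower() and bool(ENCODED_RE.search(ev["cmdline"]))


def registry_staged_script(ev):
    c = ev["cmdline"]
    return bool(REG_READ_RE.search(c)) and bool(DECODE_EXEC_RE.search(c))


def task_launches_powershell(ev):
    c = ev["cmdline"].lower()
    via_schtasks = ev["image"].lower() == "schtasks.exe" and "/create" in c and "powershell" in c
    via_cmdlet = "register-scheduledtask" in c or "new-scheduledtaskaction" in c
    return via_schtasks or (via_cmdlet and "powershell" in c)


RULES = [
    ("defender_exclusion_on_temp", defender_exclusion_on_temp),
    ("encoded_powershell", encoded_powershell),
    ("registry_staged_script", registry_staged_script),
    ("task_launches_powershell", task_launches_powershell),
]


def analyze(events):
    """Return {event_id: [rule names that fired]} for every event that tripped a rule."""
    findings = {}
    for ev in events:
        hits = [name for name, rule in RULES if rule(ev)]
        if hits:
            findings[ev["id"]] = hits
    return findings


if __name__ == "__main__":
    for event_id, hits in analyze(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

Each rule on its own is noisy in an administrator-heavy environment; the value is in correlation, since one host producing all four within minutes of an installer launch matches the chain the article describes far more tightly than any single event does. Event 5, an ordinary interactive PowerShell command, is deliberately included to show that none of the rules fire on it.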

Clipboard Hijacker Targets Crypto Transfers

The final in-memory payload is ClipBanker, a clipboard hijacker written in C++ that monitors cryptocurrency wallet addresses and replaces them with attacker-controlled ones. The malware targets a broad list of blockchain networks, including Bitcoin, Ethereum, Monero, Solana and TRON.

That makes the campaign particularly dangerous for users who copy wallet addresses while trading, paying or moving funds. The operation also contacts an IP logger service, allowing attackers to confirm that an infection has succeeded.
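A clipper's behaviour has a tell that a user-side monitor can watch for: an address of one chain is copied, and within a fraction of a second the clipboard holds a different address of the same chain, something a person almost never does. The script below is an added example written for this article, not ClipBanker code or anything from the original report; the address patterns are the common formats for the five chains the article names, the two-second window is an assumed threshold, and every address and clipboard snapshot in it is constructed for the demonstration.

```python
import re
import time

# Address formats for the chains the article lists. Solana's generic Base58
# shape overlaps legacy Bitcoin and TRON, so it is tested last.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
ADDRESS_PATTERNS = [
    ("bitcoin", re.compile(r"^[13]" + BASE58 + r"{25,34}$")),
    ("bitcoin", re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38,59}$")),
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("monero", re.compile(r"^[48]" + BASE58 + r"{94,105}$")),
    ("tron", re.compile(r"^T" + BASE58 + r"{33}$")),
    ("solana", re.compile(r"^" + BASE58 + r"{32,44}$")),
]


def classify_address(text):
    """Return the chain name if `text` looks like a wallet address, else None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return chain
    return None


def detect_swaps(snapshots, window_seconds=2.0):
    """Flag a same-chain address replaced by a different one within `window_seconds`.

    `snapshots` is a list of (timestamp, clipboard_text) in time order. A person
    rarely copies two different addresses of one chain seconds apart; a clipper
    does exactly that, overwriting the address right after it is copied.
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        chain = classify_address(prev)
        if chain is None or prev == cur:
            continue
        if classify_address(cur) == chain and (t_cur - t_prev) <= window_seconds:
            alerts.append({"chain": chain, "at": t_cur, "original": prev, "replacement": cur})
    return alerts


# Constructed sample addresses and clipboard history (none are real wallets).
BTC_A = "1TestBtcAddr" + "A" * 22
BTC_B = "1SwapBtcAddr" + "B" * 22
ETH_A = "0x" + "a1" * 20
ETH_B = "0x" + "b2" * 20
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for tuesday"),
    (5.0, BTC_A),   # user copies the intended address
    (5.5, BTC_B),   # a different Bitcoin address appears half a second later
    (20.0, ETH_A),
    (45.0, ETH_B),  # a second Ethereum address 25 s later: ordinary use, not flagged
    (60.0, "hello"),
]


def monitor_clipboard(poll_seconds=0.5, window_seconds=2.0):
    """Poll the live clipboard with tkinter (stdlib) and print swaps as they happen."""
    import tkinter
    root = tkinter.Tk()
    root.withdraw()
    history = []
    while True:
        try:
            text = root.clipboard_get()
        except tkinter.TclError:  # clipboard empty or holding non-text data
            text = ""
        if not history or history[-1][1] != text:
            history.append((time.time(), text))
            for alert in detect_swaps(history[-2:], window_seconds):
                print(f"ALERT: {alert['chain']} address replaced: "
                      f"{alert['original']} -> {alert['replacement']}")
        time.sleep(poll_seconds)


if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(alert)
```

Polling cannot see which process wrote to the clipboard, so the timing heuristic is the whole signal; a clipper that delays its overwrite beyond the window slips past it, and a user who pastes without looking is still only protected if they read the alert. The practical habit the script reinforces is the one that defeats every clipper regardless of implementation: compare the first and last characters of the pasted address against the source before sending.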

Security researchers reported more than 2,000 detections among Kaspersky users since the beginning of 2025, with most cases recorded in India and Vietnam. Many detections came from the free cleanup tool, a sign that preventing infection is far easier than recovering from it once a system has been compromised.
