securelist.com 4/9/2026, 9:50:37 AM

Fake Proxifier installer drops ClipBanker crypto‑clipper globally


The long road to your crypto: ClipBanker and its marathon infection chain explains how ClipBanker masquerades as a Proxifier installer: it is delivered as a trojanised Proxifier package in which a malicious wrapper surrounds the legitimate Proxifier and activates only after the real installer is launched.

The infection chain begins with a donor process and uses a .NET updater to inject PowerShell scripts and set Microsoft Defender exclusions; it then downloads further payloads from Pastebin-type services and GitHub, remaining largely fileless throughout. The final payload, a ClipBanker variant written in C++ with MinGW, monitors the clipboard for cryptocurrency wallet addresses from a wide list and swaps them with the attackers' addresses.
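A defender-side heuristic for the clipboard swap described above, added here as an example and not code from the Securelist report or from Kaspersky: it scans a clipboard event history (constructed sample data, with an assumed `owner` field naming the process that set the clipboard) and flags a wallet address that is replaced by another address of the same kind by a different process within a short window.

```python
import re
from dataclasses import dataclass

# A few common wallet-address shapes; ClipBanker's real list is wider per the report.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "trx": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}

def classify(text):
    """Return the address kind the clipboard text looks like, or None."""
    text = text.strip()
    for name, pat in WALLET_PATTERNS.items():
        if pat.match(text):
            return name
    return None

@dataclass
class ClipEvent:
    ts: float    # seconds since start of the capture
    owner: str   # assumed: process that set the clipboard, as an EDR/monitor would record it
    text: str

def find_swaps(events, window=2.0):
    """Flag an address overwritten by a same-kind address from another process within `window` s.
    A user re-copying from the same program is not flagged; a fast swap by a stranger is."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = classify(prev.text)
        if (kind and classify(cur.text) == kind and prev.text != cur.text
                and cur.owner != prev.owner and cur.ts - prev.ts <= window):
            alerts.append({"kind": kind, "original": prev.text, "replacement": cur.text,
                           "owner": cur.owner, "delay": round(cur.ts - prev.ts, 3)})
    return alerts

# Constructed clipboard history; the addresses are made-up strings that match the patterns.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "browser.exe", "1CopiedByUserABCDEFGHJKMNPQRSTUVW"),
    ClipEvent(0.4, "unknown_updater.exe", "1SwappedAddrABCDEFGHJKMNPQRSTUVWXY"),  # swap
    ClipEvent(9.0, "browser.exe", "0x" + "ab" * 20),
    ClipEvent(9.5, "browser.exe", "0x" + "cd" * 20),   # same owner: user re-copy, not flagged
    ClipEvent(20.0, "editor.exe", "meeting notes"),     # not an address
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```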

Since the start of 2025, more than 2,000 users of Kaspersky solutions have encountered this threat, with India and Vietnam being the most affected; 70% of detections came from the Virus Removal Tool. According to Securelist, the attackers promote their sites in search results and rely on an extended, multi-stage chain to stay under the radar. The report also includes a set of IOC-like links and hashes linked to Pastebin, GitHub and other sources for researchers to verify.


Article by CyberSIXT