Cybersecurity researchers at Check Point Research have uncovered a campaign in which a threat actor uses marketing-style tactics to spread malware disguised as cryptocurrency tools.
The campaign mainly targets cryptocurrency users and online gamblers looking for quick profits. It promotes fake Solana and Pump.fun sniper bots, as well as crash-game predictors, through phishing websites, GitHub repositories, SourceForge projects, YouTube videos, and posts on legitimate news websites. Some of the news articles appear to be paid promotions or content published through compromised outlets.
The malware is a Rust-based clipboard hijacker that targets Windows and macOS users. It monitors copied cryptocurrency wallet addresses and replaces them with attacker-controlled addresses, allowing criminals to steal digital assets.
Researchers found that the threat actor inflated trust signals by boosting download counts, posting positive reviews, and using multiple fake GitHub accounts to promote the malicious software. One GitHub repository collected 146 stars and 62 forks, while a SourceForge project recorded more than 44,000 downloads, many of which appear suspicious.
The operation also uses a YouTube channel with over 91,000 subscribers. The channel features tutorial videos with AI-generated narrators and overwhelmingly positive comments designed to make the tools appear legitimate.
"This operation combines simple but effective malware with strong social engineering and aggressive cross‑platform promotion. A WordPress phishing site, manipulated engagement on GitHub and SourceForge, AI‑driven YouTube videos, VirusTotal sentiment abuse, and even posts on news outlets and crypto forums all work together to make the tools appear popular, legitimate, and safe," researchers noted in the report. "The updated Ghost Networks model is designed to repeatedly expose the victim to positive signals (stars, comments, votes, “safe” labels) so that, by the time they run the tool, it feels like a normal, benign application rather than a threat."