MassJacker malware hijacks 750K wallets in $300K crypto heist

A new malware campaign called MassJacker has been targeting users downloading pirated software, hijacking cryptocurrency transactions by modifying clipboard data.

Cybersecurity firm CyberArk discovered that the malware has compromised more than 778,531 wallets, siphoning at least $336,700 since 2022.

The attack originates from pesktop[.]com, a site distributing pirated software embedded with malicious scripts.

Once executed, these scripts download payloads like the Amadey botnet and PackerE malware, ultimately deploying the MassJacker clipper.

The malware monitors clipboard activity and replaces copied cryptocurrency addresses with attacker-controlled wallets.

MassJacker uses advanced obfuscation techniques to evade detection, including JIT Hooking to modify code dynamically and infinite anti-debugging loops.

CyberArk researchers decrypted historical command-and-control (C2) data, uncovering reused encryption keys across multiple campaigns.

"We recovered 778,531 unique addresses by decrypting older files," CyberArk noted.

While only 423 wallets contained funds during analysis, one Solana wallet held over $87,000 in SOL and NFTs.

The transaction history indicated swaps involving tokens such as Jupiter (CRYPTO:JUP) and Uniswap (CRYPTO:UNI), suggesting a diversified strategy by attackers.

MassJacker’s stealth makes detection difficult, as its malicious activity only triggers when users copy wallet addresses.

Unlike ransomware, clipper malware relies on specific user interactions, allowing it to evade sandbox testing.

CyberArk linked MassJacker’s code structure to the credential-stealing MassLogger malware, emphasising that threat actors are expanding their toolsets.

Despite its sophistication, MassJacker’s profitability remains volatile.

Over 35 antivirus engines flagged components as malicious but failed to identify its cryptojacking nature.

The campaign highlights the increasing risks of pirated content, with attackers also leveraging fake job scams and software cracks to distribute malware.

As cryptocurrency adoption grows, analysts warn that these threats will persist.

"Cryptojackers aren’t as profitable as ransomware, but their low profile makes them a persistent menace," CyberArk concluded.