info@thehackernews.com (The Hacker News)
2025-03-14 02:08:00
thehackernews.com
Users searching for pirated software are the target of a new malware campaign that delivers a previously undocumented clipper malware called MassJacker, according to findings from CyberArk.
Clipper malware is a type of cryware (a term coined by Microsoft) that’s designed to monitor a victim’s clipboard content and facilitate cryptocurrency theft by substituting copied cryptocurrency wallet addresses with an attacker-controlled one, so that funds are rerouted to the adversary instead of the intended recipient.
“The infection chain begins at a site called pesktop[.]com,” security researcher Ari Novick said in an analysis published earlier this week. “This site, which presents itself as a site to get pirated software, also tries to get people to download all sorts of malware.”
The initial executable acts as a conduit to run a PowerShell script that delivers a botnet malware named Amadey, as well as two other .NET binaries, one compiled for 32-bit and one for 64-bit architectures.
The binary, codenamed PackerE, is responsible for downloading an encrypted DLL, which, in turn, loads a second DLL file that launches the MassJacker payload by injecting it into a legitimate Windows process called “InstallUtil.exe.”
The encrypted DLL incorporates features that enhance its evasion and anti-analysis ability, including Just-In-Time (JIT) hooking, metadata token mapping to conceal function calls, and a custom virtual machine to interpret commands as opposed to running regular .NET code.
MassJacker, for its part, comes with its own anti-debugging checks and a configuration to retrieve all the regular expression patterns for flagging cryptocurrency wallet addresses in the clipboard. It also contacts a remote server to download files containing the list of wallets under the threat actor’s control.
“MassJacker creates an event handler to run whenever the victim copies anything,” Novick said. “The handler checks the regexes, and if it finds a match, it replaces the copied content with a wallet belonging to the threat actor from the downloaded list.”
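The substitution behavior described above also gives defenders a detection heuristic: a wallet address on the clipboard being replaced, almost immediately, by a different address of the same type. The following Python is an added example (not from CyberArk’s analysis or the malware) that runs that heuristic over a constructed sequence of clipboard snapshots; in a real monitor the events would come from the OS clipboard change notification, and the regex set is an assumption covering only Bitcoin and Ethereum formats.

```python
import re
from dataclasses import dataclass

# Simplified wallet-address patterns (assumption: BTC and ETH only; a real
# clipper carries a far larger regex set, as the article notes).
WALLET_PATTERNS = {
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,59}$"),
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str):
    """Return the wallet type a clipboard string looks like, or None."""
    s = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


@dataclass
class ClipEvent:
    ts: float       # seconds since monitor start
    content: str    # clipboard text at that moment


def find_substitutions(events, window=2.0):
    """Flag consecutive snapshots where one wallet address becomes a different
    address of the same type within `window` seconds: the user did not type a
    new address that fast, so something rewrote the clipboard."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = classify(prev.content)
        if kind is None or kind != classify(cur.content):
            continue
        if prev.content.strip() == cur.content.strip():
            continue
        if cur.ts - prev.ts <= window:
            alerts.append((prev.content.strip(), cur.content.strip(), kind))
    return alerts


# Constructed sample: one swap 100 ms after a copy, one legitimate re-copy a minute later.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "meeting notes"),
    ClipEvent(5.0, "0x1234567890abcdef1234567890abcdef12345678"),
    ClipEvent(5.1, "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd"),
    ClipEvent(60.0, "bc1qtest0000000000000000000000000000000000"),
    ClipEvent(120.0, "bc1qtest2222222222222222222222222222222222"),
]

if __name__ == "__main__":
    for old, new, kind in find_substitutions(SAMPLE_EVENTS):
        print(f"ALERT: {kind} address {old} replaced by {new}")
```

Tuning `window` trades false positives (a user pasting several addresses quickly) against missed swaps; the handler described by CyberArk fires on every copy, so the real gap is well under a second.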
CyberArk said it identified over 778,531 unique addresses belonging to the attackers, with only 423 of them containing funds totaling approximately $95,300. But the total amount of digital assets held in all these wallets prior to them being transferred out stands at around $336,700.
What’s more, cryptocurrency worth about $87,000 (600 SOL) has been found parked in a single wallet, with over 350 transactions funneling money into the wallet from different addresses.
Exactly who is behind MassJacker is unknown, although a deeper examination of the source code has identified overlaps with another malware known as MassLogger, which has also leveraged JIT hooking in an attempt to resist analysis efforts.