Cybercriminals have set their sights on cryptocurrency users by taking advantage of a prominent open-source software platform.
Security professionals report that malicious actors are uploading fraudulent Microsoft Office installers loaded with concealed malware, such as crypto miners and clipboard hijackers, to trick unwary users.
Experts have pointed out that while the project pages on this platform seem legitimate, the real threat lies within their auto-generated subdomains. In one case, a fake domain was indexed by Russia’s Yandex search engine, directing unsuspecting users to a site brimming with counterfeit Office tools and deceptive download buttons.
According to recent data, over 4,600 incidents were reported in the first quarter of 2025, with 90% of affected users located in Russia.
It remains uncertain whether this assault has resulted in considerable financial losses for crypto users.
The Attack
In this scheme, hackers upload malicious software to project pages on the platform. These pages mimic real Office-related applications, yet the installers are embedded with scripts that deploy harmful payloads.
The trap begins with a compressed archive named vinstaller.zip, about 7 MB in size. That size is itself a warning sign: a genuine Office installer is far larger, even when compressed.
Upon extraction, however, the small file expands into a 700 MB installer filled with concealed scripts. These scripts download additional files from GitHub and check the system for antivirus programs.
If no protection is found, the installer launches crypto-mining software and a ClipBanker Trojan.
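The size mismatch described above (a 7 MB archive that unpacks to a 700 MB installer) can be checked before anything is extracted, because a zip's central directory already records each member's compressed and uncompressed size. The following is an added illustration written for this article, not code from the original report or from the researchers who analysed the campaign. The function names, the 50:1 inflation threshold and the sample archive are all constructed for the example; the sample is scaled down so it runs quickly and offline.

```python
import io
import os
import zipfile


def build_sample_archive(inflated_bytes: int = 2_000_000, compressible: bool = True) -> bytes:
    """Constructed sample archive (not a file from the campaign).

    With compressible=True the single large member is all zero bytes, which
    deflates to almost nothing and reproduces the tiny-archive / huge-installer
    pattern.  With compressible=False the member is random data, which barely
    compresses, giving a benign control case.
    """
    payload = b"\x00" * inflated_bytes if compressible else os.urandom(inflated_bytes)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("setup.exe", payload)
        zf.writestr("README.txt", b"Office installer\n")
    return buf.getvalue()


def inspect_archive(data: bytes, ratio_threshold: float = 50.0,
                    min_expected_archive_bytes: int = 0) -> dict:
    """Read only the central directory (no extraction, so no payload touches
    disk) and report compressed vs. uncompressed sizes.

    The archive is flagged when the overall inflation ratio, or any single
    member's ratio, exceeds ratio_threshold (an assumed heuristic value), or
    when the archive is smaller than min_expected_archive_bytes, which lets a
    caller encode "a full Office suite cannot be this small".
    """
    members = []
    total_compressed = 0
    total_uncompressed = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size == 0:
                ratio = 0.0                      # empty member, nothing to inflate
            elif info.compress_size == 0:
                ratio = float("inf")             # metadata claims size from nothing
            else:
                ratio = info.file_size / info.compress_size
            members.append({"name": info.filename, "compressed": info.compress_size,
                            "uncompressed": info.file_size, "ratio": ratio})
            total_compressed += info.compress_size
            total_uncompressed += info.file_size

    overall_ratio = (total_uncompressed / total_compressed) if total_compressed else float("inf")
    reasons = []
    if overall_ratio > ratio_threshold:
        reasons.append(f"overall inflation {overall_ratio:.0f}:1 exceeds {ratio_threshold:.0f}:1")
    for m in members:
        if m["ratio"] > ratio_threshold:
            reasons.append(f"member {m['name']} inflates {m['ratio']:.0f}:1")
    if len(data) < min_expected_archive_bytes:
        reasons.append(f"archive is {len(data)} bytes, below expected minimum "
                       f"{min_expected_archive_bytes}")

    return {
        "archive_bytes": len(data),
        "total_compressed": total_compressed,
        "total_uncompressed": total_uncompressed,
        "overall_ratio": overall_ratio,
        "members": members,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, blob in (("constructed lure", build_sample_archive()),
                        ("benign control", build_sample_archive(compressible=False))):
        report = inspect_archive(blob, min_expected_archive_bytes=100_000_000)
        print(f"{label}: {report['archive_bytes']} bytes -> {report['total_uncompressed']} bytes, "
              f"suspicious={report['suspicious']}")
        for reason in report["reasons"]:
            print("  -", reason)
```

The check is deliberately metadata-only: a mail gateway or download proxy can run it on every archive without ever inflating the payload, and an implausible ratio is a reason to quarantine the file for analysis rather than to let a user double-click it.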
As noted:
“ClipBanker is a malware family that swaps cryptocurrency wallet addresses in the clipboard for the attackers’ own. Crypto wallet users usually copy addresses instead of manually entering them. If a device is compromised with ClipBanker, the victim’s funds will end up in the wrong hands.”
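The behaviour in that quote, a clipboard that silently holds a different wallet address from the one the user copied, is something an endpoint monitor can detect by comparing user-initiated copy events with periodic clipboard reads. The snippet below is an added example for this article, not code from the researchers or from any vendor product. The event format, the address patterns (loose by design) and the sample event log are all constructed assumptions; a real monitor would obtain the events from the operating system's clipboard APIs.

```python
import re

# Loose patterns for common address formats (assumed for this example; tighten
# or extend them for the assets you actually care about).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def looks_like_wallet_address(text: str) -> bool:
    """True when the string matches one of the address shapes above."""
    candidate = text.strip()
    return any(p.match(candidate) for p in ADDRESS_PATTERNS.values())


def detect_clipboard_swaps(events):
    """Scan a sequence of (kind, value) clipboard events.

    kind is 'copy' for a copy the user performed, or 'poll' for a periodic read
    of the clipboard by the monitor.  An alert is raised when a poll shows an
    address that differs from the address the user last copied, i.e. the
    clipboard was rewritten without any user action, which is what ClipBanker
    does.  Requiring both values to look like addresses keeps ordinary edits
    of non-address text from triggering alerts.
    """
    alerts = []
    last_copied = None
    for index, (kind, value) in enumerate(events):
        if kind == "copy":
            last_copied = value
        elif kind == "poll":
            if (last_copied is not None
                    and value != last_copied
                    and looks_like_wallet_address(last_copied)
                    and looks_like_wallet_address(value)):
                alerts.append({"index": index, "expected": last_copied, "found": value})
    return alerts


# Constructed sample event log (addresses are placeholders, not real wallets).
USER_ADDR = "0x" + "1" * 40
ATTACKER_ADDR = "0x" + "2" * 40
SAMPLE_EVENTS = [
    ("copy", USER_ADDR),         # user copies their own address
    ("poll", USER_ADDR),         # clipboard unchanged: fine
    ("poll", ATTACKER_ADDR),     # clipboard rewritten with no copy event: alert
    ("copy", "meeting at 10"),   # ordinary text
    ("poll", "meeting at 10"),   # unchanged: fine
]


if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"event {alert['index']}: clipboard held {alert['found']} "
              f"but user copied {alert['expected']}")
```

The same comparison is the manual check the quote implies: after copying an address, paste it into a text field and confirm every character matches before sending funds, since a swapped address looks perfectly normal at a glance.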
Concurrently, one of the scripts transmits user data to a Telegram bot, granting the hacker complete access to sensitive information.
This campaign underscores how hackers exploit trusted platforms to circumvent security measures and distribute malware on a large scale.