Crypto Scam Alert: Fake Microsoft Office Add-Ins Are Hiding Malware
A new way of scamming has emerged in the crypto industry: cybercriminals are using fake Microsoft Office extension packages on SourceForge to copy victims’ crypto wallet addresses.
Author by
News Room

Cybercriminals are adopting new tactics to steal victims’ crypto wallet details, including fake Microsoft add-ins that carry malware aimed at crypto users. According to Kaspersky’s report, these fake extensions are uploaded to the software hosting site SourceForge, and they hide malware called ClipBanker. Let’s break down what this means and how you can stay safe.
Malware Masquerading as a Microsoft Add-In
One of the fake listings on SourceForge is called “officepackage.” At first glance, it looks legitimate. It even includes Microsoft Office add-ins to trick people into thinking it’s safe. But hidden inside is ClipBanker, a type of malware that quietly swaps out copied crypto wallet addresses on your clipboard with the attacker’s own address. So, if you try to send crypto and your device is infected, your money could land in the wrong hands without you ever noticing.
Kaspersky’s research team explained that this works because most users copy wallet addresses instead of typing them out. If the address gets changed silently, it’s nearly impossible to spot in time.
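The swap described above can be caught by comparing the address that was copied with the one about to be submitted, and by watching for an address on the clipboard being replaced by another address almost immediately. The following is an added example, not code from Kaspersky’s report or from this article; the address patterns, the one-second window, the function names and the sample values are assumptions constructed for illustration.

```python
import re

# Coarse address shapes; format only, no checksum validation (assumption).
PATTERNS = {
    "btc-legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def address_kind(text):
    """Return the wallet-address family the text looks like, or None."""
    text = text.strip()
    for kind, rx in PATTERNS.items():
        if rx.fullmatch(text):
            return kind
    return None

def check_paste(copied, pasted):
    """Compare the address the user copied with the one about to be sent."""
    copied, pasted = copied.strip(), pasted.strip()
    if copied == pasted:
        return "match"
    if address_kind(copied) and address_kind(copied) == address_kind(pasted):
        return "swapped"
    return "different"

def find_swaps(samples, window=1.0):
    """Flag clipboard samples where an address was replaced by another
    address of the same family within `window` seconds of appearing."""
    hits = []
    for (t0, old), (t1, new) in zip(samples, samples[1:]):
        if t1 - t0 <= window and check_paste(old, new) == "swapped":
            hits.append((t1, old, new))
    return hits

# Constructed sample data: placeholder strings, not real wallet addresses.
ETH_A, ETH_B = "0x" + "a" * 40, "0x" + "b" * 40
BTC_A, BTC_B = "1" + "A" * 33, "1" + "B" * 33
SAMPLES = [
    (0.0, "meeting notes"),
    (10.0, ETH_A),   # user copies the recipient address
    (10.2, ETH_B),   # replaced 0.2 s later: swap pattern
    (61.0, BTC_A),
    (200.0, BTC_B),  # changed minutes later: likely a deliberate new copy
]

if __name__ == "__main__":
    for ts, old, new in find_swaps(SAMPLES):
        print(f"{ts:>6.1f}s clipboard address replaced: {old} -> {new}")
```

A "swapped" result means both strings look like addresses of the same family but differ, which is the case where a transfer should be stopped and the address re-checked against its original source.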
How the Malware Works Behind the Scenes
The fake SourceForge project is designed to look like a developer tool page. It even includes download buttons and can show up in search results. But once downloaded, the malware goes to work.
ClipBanker doesn’t just steal wallet addresses; it also sends details about your device, like your IP address, country, and username, to the hackers via Telegram. It’s clever enough to check if it has already been installed or if antivirus software is active. If it senses danger, it simply deletes itself.
Some files in the download are suspiciously small. As Kaspersky points out, genuine Office software is never that tiny, even when compressed. Other files are padded with junk data to appear authentic.
Hackers May Sell Access to Other Threat Actors
Kaspersky warns that once attackers have control of a device, they can keep access through multiple methods, some of them pretty unconventional. While the main goal is to mine crypto and steal through ClipBanker, there’s more at stake. Hackers could potentially sell access to other cybercriminals, leading to even more serious threats down the line.
Who’s Being Targeted the Most?
The interface of the fake extension is in Russian, which hints at the primary target audience. Kaspersky’s telemetry data shows that 90% of the people who encountered this malware between January and March were based in Russia, around 4,604 users in total.
Tips to Stay Safe from Crypto Malware
Kaspersky’s best advice is simple but notable: only download software from trusted, official sources. Pirated programs and unofficial downloads are a significant risk to your system and privacy. Malware disguised as helpful tools is nothing new, but attackers are constantly finding new ways to make their traps look real.
As crypto becomes more popular, malware creators are upping their game. Another firm, ThreatFabric, recently found malware that creates fake screens on Android phones to steal crypto seed phrases. So, if you’re using or storing crypto, stay alert and stick to trusted platforms.