New MassJacker Malware Hijacks Crypto Transactions, Draining Digital Wallets

A new malware campaign dubbed MassJacker is siphoning cryptocurrency from users by stealthily hijacking digital wallet addresses. Cybersecurity experts warn that this advanced clipper malware targets individuals downloading pirated software, substituting legitimate cryptocurrency addresses with those controlled by hackers.

According to a report by The Hacker News, MassJacker is part of a growing trend of cryware designed to manipulate clipboard data. When users copy a cryptocurrency wallet address, the malware instantly swaps it with an address owned by the threat actors. This nefarious method enables the attackers to reroute funds without the victim’s knowledge.

The infection chain of MassJacker has been traced back to pesktop[.]com, a website notorious for hosting pirated software downloads and distributing various types of malware. Once the initial executable is run, it acts as a gateway to execute a PowerShell script for the Amadey botnet malware along with two .NET binaries, one of which—codenamed PackerE—downloads an encrypted DLL. This DLL then loads another malicious component that injects the MassJacker payload into a legitimate Windows process known as InstallUtil.exe.

Security researchers at CyberArk revealed that MassJacker employs sophisticated evasion techniques, including Just-In-Time (JIT) hooking, metadata token mapping, and a custom virtual machine, to avoid detection and analysis. The malware further refines its operation by periodically retrieving regular expression patterns to identify cryptocurrency wallet addresses within the clipboard. Once a match is found, it replaces the copied address with one from a list maintained by the attackers.
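The substitution described above has a tell-tale shape that defenders can look for: one wallet address in the clipboard is overwritten by a different address of the same type almost immediately after the user copied it. The following Python detector, added here as an illustration and not code from CyberArk or from the MassJacker campaign, replays a constructed clipboard timeline and flags such swaps; the address patterns and the 500 ms window are assumptions for the example, not the regexes or timing MassJacker uses.

```python
import re

# Coarse address-shape patterns for two common families, constructed for this
# example; the page does not publish the patterns MassJacker actually fetches.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the address family a clipboard string looks like, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None

def detect_swaps(events, window_ms=500):
    """Flag clipper-style substitutions in a list of (ts_ms, text) clipboard
    writes: an address overwritten by a different address of the same family
    within window_ms. People rarely copy two distinct addresses of one kind in
    half a second; a clipper reacting to a change notification does just that."""
    alerts = []
    for (t0, a), (t1, b) in zip(events, events[1:]):
        family = classify(a)
        if family is None or classify(b) != family:
            continue
        if a.strip() == b.strip() or t1 - t0 > window_ms:
            continue
        alerts.append({"ts_ms": t1, "family": family, "original": a, "replacement": b})
    return alerts

# Constructed clipboard timeline: the user copies a BTC address and 40 ms later
# the clipboard holds a different BTC address. The later entries are benign.
SAMPLE_EVENTS = [
    (0, "meeting notes for Tuesday"),
    (1000, "1VictimAddrABCDEFGHJKMNPQRSTUVWXYZ"),
    (1040, "1AttackerAddrABCDEFGHJKMNPQRSTUVWX"),
    (5000, "0x1234567890abcdef1234567890abcdef12345678"),
    (9000, "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd"),  # second address copied 4 s later: normal use
    (12000, "1VictimAddrABCDEFGHJKMNPQRSTUVWXYZ"),
    (12010, "1VictimAddrABCDEFGHJKMNPQRSTUVWXYZ"),  # same value re-copied, not a swap
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"clipper-like swap at {alert['ts_ms']} ms ({alert['family']}): "
              f"{alert['original']} -> {alert['replacement']}")
```

On a real endpoint the event list would come from a clipboard-change listener; the same logic also gives users a simple habit to adopt, comparing the pasted address against the one they copied before sending.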

CyberArk’s investigation has identified over 778,531 wallet addresses linked to the threat actors. So far, 423 of these wallets hold funds totaling approximately $95,300. In one alarming instance, a single wallet was found holding nearly $87,000, with more than 350 transactions funneled into it from various addresses. The original funds, which were rerouted by the malware, are estimated to have been worth around $336,700.

While the source of MassJacker remains unknown, experts note that its code overlaps with that of MassLogger, another malware known for using JIT hooking to resist analysis efforts.

Staying Safe from Clipper Malware

Cybersecurity professionals emphasize that the risk posed by MassJacker can largely be mitigated by avoiding pirated software—a common distribution channel for such malware. Users are advised to maintain up-to-date antivirus software on all devices, whether Windows or Mac, to continually scan and protect against malicious files.

For those handling cryptocurrency, additional precautions are recommended. “Consider using a dedicated device solely for crypto transactions,” experts suggest, noting that separating financial activities from everyday online use can significantly reduce exposure to cyber threats. Furthermore, safeguarding recovery phrases by storing them offline—rather than in digital password managers or on computers—can help protect against potential phishing attacks and malware intrusions.

As cryptocurrency continues to gain mainstream adoption, the tactics employed by hackers like those behind MassJacker are likely to evolve. The inability to recover lost cryptocurrency funds underscores the urgent need for improved cybersecurity practices and comprehensive regulatory frameworks to protect digital assets in an increasingly hostile online environment.

In the race between cybersecurity defenses and emerging malware, the discovery of MassJacker serves as a stark reminder: staying informed and practicing rigorous cyber hygiene remains the best defense against digital theft.

Photo Credit: DepositPhotos.com