From Stars to Upvotes Fake Reputation Fueling a Crypto Clipb...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker
• Blog Title: From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker
• Suggested Section: Phishing Methodology -> Clipboard Hijacking; macOS Security Protections -> Gatekeeper / Quarantine; macOS Auto Start / LaunchAgents; Windows persistence via Startup folder

🎯 Content Summary

Check Point Research analyzed a cross-platform cryptocurrency clipboard hijacker campaign distributed as fake profit-making tools, including Solana/Pump.fun/DEX sniper bots, Aviator Predictor, crash-game predictors, and similar “edge” tools. The campaign does not exploit a CVE; its effectiveness comes from combining simple Rust malware with social engineering, fake reputation signals, and abuse of legitimate software/content platforms.

Threat model and victim targeting:...

🔧 Technical Details

Cross-platform fake reputation as malware delivery: A malicious binary can be made more convincing by surrounding it with coordinated reputation signals across many independent-looking platforms. In this campaign, the actor uses GitHub Ghost Networks for stars/forks, SourceForge reviews and manipulated downloads, YouTube Ghost Networks for views/comments, VirusTotal benign votes and “safe” comments, forum posts, Telegram contact details, and news-style articles. The defensive lesson is that popularity metrics and community sentiment should not be treated as proof of binary safety, especially when growth patterns are spiky or coordinated.

Cryptocurrency clipboard hijacking: A clipper monitors clipboard/pasteboard changes, tests copied text against cryptocurrency wallet regexes, and replaces matching strings with attacker-controlled wallets. On Windows, the malware creates a hidden window and uses AddClipboardFormatListener, O...

🤖 Agent Actions

Done.

Updated:

• src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md

Added:

• A new wallet-address replacement clippers subsection
• Windows-specific clipboard API flow (AddClipboardFormatListener, OpenClipboard, GetClipboardData, EmptyClipboard, SetClipboardData)
• User-level Windows persistence via %APPDATA%\silke\silke.exe + Startup-folder LNK
• macOS social-engineered quarantine removal via unlocker.command / xattr -cr
• macOS LaunchAgent persistence with self-healing watchdog removal order
• Fake reputation / social-proof delivery notes
• Reference to the Check Point blog

Validation:

• File sanity checks passed
• git diff --check passed
• mdbook build could not run because mdbook is not installed in this environment (mdbook: command not found)

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker

Content Categories: Based on the analysis, this content was categorized under "Phishing Methodology -> Clipboard Hijacking; macOS Security Protections -> Gatekeeper / Quarantine; macOS Auto Start / LaunchAgents; Windows persistence via Startup folder".

Repository Maintenance:

• MD Files Formatting: 977 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0