Cryptonews Blockchain News

Kaspersky Flags Crypto-Stealing Malware Hidden in Fake Microsoft Office Add-Ins

“ClipBanker is a malware family that replaces cryptocurrency wallet addresses in the clipboard with the attackers’ own."

Author

Sujha Sundararajan

Author

Sujha Sundararajan Verified

Part of the Team Since

Jun 2023

About Author

Sujha has been recognised as 🟣 Women In Crypto 2024 🟣 by BeInCrypto for her leadership in crypto journalism.

Has Also Written

BitMine is Still Buying ETH: Total Accumulation This Week Reaches $229M
Digital Euro is Ready to Advance, Awaits Legislative Action: ECB’s Christine Lagarde
CFTC Acting Chair Caroline Pham to Head to Crypto Firm MoonPay Once Mike Selig Swears In
Coinbase Expands Into Stock Trading, Prediction Markets as Part of ‘Everything App’ Strategy
Crypto Will Never be Recognized as Official Currency in Russia, Lawmaker Says

Author Profile

Last updated:

April 9, 2025

Fake Microsoft Extensions Embed Malware to Steal Crypto: Report

Cybersecurity firm Kaspersky has flagged a new sophisticated malware that steals crypto using fake Microsoft Office add-ins. These legit-looking extensions are uploaded to SourceForge, a website hosting platform, with descriptions copied from the legitimate GitHub project.

Per the malware description posted on Tuesday, appears with the SourceForge domain name and web hosting. “Pages like that are well-indexed by search engines and appear in their search results,” Kaspersky cybersecurity experts wrote.

Dubbed “officepackage,” the extension displays a list of office applications complete with version numbers and “Download” buttons.

Fake Downloads are Smaller in Size, Raises “Red Flags”

Kaspersky noted that the downloads are roughly seven-megabyte in size. “This raises some red flags, as office applications are never that small, even when compressed.”

The download pages takes victims to another page with a download button, containing a password-protected archive. However, the zip file after downloading the software exceeds 700 megabytes.

Attackers use the pumping technique to inflate the file size to look legit by appending junk data, Kaspersky flagged.

“As users seek ways to download applications outside official sources, attackers offer their own,” the report said. “They keep looking for new ways to make their websites look legit.”

⚠️ Cybersecurity firm @Kaspersky has issued a warning about a widespread malware campaign targeting users on @GitHub. #Kaspersky #GitHub https://t.co/TJg8BmgHiV
— Cryptonews.com (@cryptonews) February 26, 2025

Kaspersky Finds ‘ClipBanker’ Malware

The firm highlighted that the campaign injects the ClipBanker trojan through SourceForge. “ClipBanker is a malware family that replaces cryptocurrency wallet addresses in the clipboard with the attackers’ own,” it explained.

Crypto wallet users usually copy addresses rather than typing them. With the ClipBanker malware, the victim’s money will end up somewhere entirely unexpected.

Further, attackers could also sell system access to more dangerous actors apart from stealing cryptos.

“We advise users against downloading software from untrusted sources. If you are unable to obtain some software from official sources for any reason, remember that seeking alternative download options always carries higher security risks,” Kaspersky warned.