MassJacker Malware Targets Users Searching for Pirated Software
Cybersecurity researchers at CyberArk have identified a new malware campaign targeting users searching for pirated software

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Cybersecurity researchers at CyberArk have identified a new malware campaign targeting users searching for pirated software. The campaign distributes a previously undocumented clipper malware named MassJacker, which is designed to steal cryptocurrency by manipulating clipboard data.
What is Clipper Malware?
Clipper malware, also known as cryware, is a type of malicious software that monitors a victim’s clipboard for copied cryptocurrency wallet addresses. When a user copies a legitimate wallet address, the malware replaces it with an attacker-controlled address, redirecting the funds to cybercriminals instead of the intended recipient. This tactic allows attackers to steal digital assets without direct system access or the need for advanced exploitation techniques.
How the Infection Spreads
The MassJacker infection chain begins on a website called pesktop[.]com, which masquerades as a source for pirated software but actually distributes malware.
Users download a compromised installer, believing it to be cracked software.
The installer executes a PowerShell script, which delivers multiple malware components, including:
A botnet malware called Amadey.
Two separate .NET binaries (compiled for 32-bit and 64-bit architectures), tracked by CyberArk as PackerE.
The PackerE binary downloads an encrypted DLL, which in turn loads a second DLL responsible for launching the MassJacker payload.
This payload is injected into a legitimate Windows process, InstallUtil.exe, so that the malicious code runs under the name of a trusted .NET Framework utility and is harder to spot.
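The injection step above gives defenders a concrete telemetry signal to look for. The following script is an added example, not code from Cyber Syrup or CyberArk: it runs simple launch-time heuristics over constructed Sysmon-style process-creation events (the field names ts, image, cmdline and parent are this example's own choice). The heuristics are assumptions for illustration: a legitimate InstallUtil.exe launch names an assembly on its command line, lives under the .NET Framework directory, and is rarely started by a script host such as PowerShell.

```python
import json
import ntpath
from typing import Dict, List, Tuple

# Constructed sample process-creation events in a Sysmon-like JSON-lines shape.
# These records are illustrative only; they are not logs from the MassJacker campaign.
SAMPLE_EVENTS = r"""
{"ts": "2025-03-10T12:00:01Z", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe", "cmdline": "InstallUtil.exe /u C:\\svc\\MyService.exe", "parent": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2025-03-10T12:00:02Z", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe", "cmdline": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"ts": "2025-03-10T12:00:03Z", "image": "C:\\Users\\Public\\InstallUtil.exe", "cmdline": "InstallUtil.exe C:\\Users\\Public\\update.dll", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2025-03-10T12:00:04Z", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File setup.ps1", "parent": "C:\\Windows\\explorer.exe"}
"""

# Assumption: script hosts are unusual parents for a real InstallUtil.exe run.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: the genuine utility lives under Framework or Framework64 (compared lowercase).
FRAMEWORK_PREFIX = r"c:\windows\microsoft.net\framework"


def _name(path: str) -> str:
    """Lowercase file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an InstallUtil.exe launch looks suspicious (empty if it looks normal)."""
    reasons: List[str] = []
    if _name(ev.get("image", "")) != "installutil.exe":
        return reasons
    parent = _name(ev.get("parent", ""))
    if parent in SCRIPT_HOSTS:
        reasons.append(f"launched by script host {parent}")
    # Everything after the program name; a real run passes an assembly to install/uninstall.
    args = ev.get("cmdline", "").split()[1:]
    if not any(a.lower().endswith((".exe", ".dll")) for a in args):
        reasons.append("no assembly path on the command line")
    if not ev.get("image", "").lower().startswith(FRAMEWORK_PREFIX):
        reasons.append("image outside the .NET Framework directory")
    return reasons


def detect(jsonl: str) -> List[Tuple[str, List[str]]]:
    """Run the heuristics over JSON-lines events and return (timestamp, reasons) per hit."""
    findings: List[Tuple[str, List[str]]] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = analyze_event(ev)
        if reasons:
            findings.append((ev["ts"], reasons))
    return findings


if __name__ == "__main__":
    for ts, reasons in detect(SAMPLE_EVENTS):
        print(ts, "; ".join(reasons))
```

Two of the four constructed events are flagged: the argument-less launch from PowerShell and the copy of InstallUtil.exe outside the Framework directory; the ordinary uninstall from cmd.exe is not. The whitespace split of cmdline is deliberately naive (quoted paths containing spaces would need proper parsing), and these are launch-time signals only; because the payload is injected after the process starts, a second angle is InstallUtil.exe making network connections while it has no installer assembly loaded.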
MassJacker's Evasion Techniques
To evade detection and analysis, MassJacker employs multiple obfuscation techniques, including:
Just-In-Time (JIT) hooking – Hooks the .NET JIT compiler so that method bodies are altered as they are compiled at runtime; the code seen in a static disassembly of the binary is therefore not the code that actually executes.
Metadata token mapping – Resolves the methods it calls through a remapped table of metadata tokens rather than by name, hiding the real function calls from security tools that inspect the assembly's metadata.
Custom virtual machine execution – Runs parts of its logic as bytecode for its own interpreter, so an analyst must first reverse engineer that virtual machine before the malware's behaviour can be understood.
How MassJacker Steals Cryptocurrency
Once active, MassJacker constantly monitors clipboard activity for cryptocurrency wallet addresses. If a user copies a wallet address, the malware:
Checks the clipboard content against a list of regular expressions to identify cryptocurrency wallet formats.
Contacts a remote server to retrieve an attacker-controlled wallet list.
Replaces the copied address with a wallet from the attacker's list.
The user unknowingly pastes the attacker's wallet address, transferring funds to cybercriminals.
CyberArk’s investigation revealed 778,531 unique attacker-controlled wallet addresses, though only 423 of them contained funds at the time of analysis. The total value held in these wallets before it was transferred out was estimated at $336,700.
One wallet alone contained 600 SOL (Solana), valued at approximately $87,000, with over 350 transactions funneling stolen funds into the account.
Who is Behind MassJacker?
The identity of the threat actors remains unknown. However, an analysis of MassJacker’s source code revealed similarities with another malware family known as MassLogger, which has previously used JIT hooking to resist analysis.
The use of multiple evasion techniques and an extensive network of controlled wallets suggests that this is an organized operation, likely involving experienced cybercriminals.
How to Stay Safe
Users can protect themselves by following these cybersecurity best practices:
Avoid downloading software from untrusted sources. Always download software from official websites or reputable vendors.
Enable clipboard monitoring protection. Some security solutions can detect and prevent clipboard manipulation.
Use hardware wallets for cryptocurrency transactions. This reduces the risk of clipboard hijacking.
Verify wallet addresses manually before transferring funds. Double-checking addresses can prevent accidental transfers to malicious accounts.
Keep antivirus and antimalware tools updated. Regular updates help detect and block evolving threats.
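The clipboard-protection and manual-verification advice above, together with the regex-based address matching described under "How MassJacker Steals Cryptocurrency", can be shown in one small defensive tool. The script below is an added example and is not code from Cyber Syrup, CyberArk, or any security product. It assumes simplified address patterns (no checksum validation), a one-second "swap window" heuristic of this example's own choosing, and constructed snapshots and addresses that are not real wallets.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Simplified wallet address formats (assumption: illustrative, not exhaustive).
# Order matters: a legacy Bitcoin address is also valid base58 of Solana-like length,
# so BTC is tested before SOL.
ADDRESS_PATTERNS = {
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "BTC": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,87}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "SOL": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the asset whose address format the clipboard text matches, or None."""
    text = text.strip()
    for asset, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return asset
    return None


@dataclass
class Swap:
    at: float        # time of the replacing snapshot, in seconds
    asset: str
    before: str
    after: str


# Heuristic (assumption of this example): a person does not copy two different
# addresses of the same asset within one second; a clipper replaces one in milliseconds.
SWAP_WINDOW = 1.0


def find_swaps(snapshots: List[Tuple[float, str]], window: float = SWAP_WINDOW) -> List[Swap]:
    """Flag consecutive clipboard snapshots where one address is replaced by another of the same asset."""
    swaps: List[Swap] = []
    for (t0, c0), (t1, c1) in zip(snapshots, snapshots[1:]):
        a0, a1 = classify(c0), classify(c1)
        if a0 and a0 == a1 and c0.strip() != c1.strip() and (t1 - t0) <= window:
            swaps.append(Swap(t1, a0, c0.strip(), c1.strip()))
    return swaps


def lookup_known(address: str, book: Dict[str, str]) -> Optional[str]:
    """Manual-verification aid: return the label of a saved recipient address, or None if unknown."""
    address = address.strip()
    for label, saved in book.items():
        if saved == address:
            return label
    return None


# Constructed values; none of these are real wallets.
ETH_USER = "0x" + "1" * 40
ETH_SWAPPED = "0x" + "2" * 40
SOL_A = "So1ConstructedWa11etAddressNumber1xyz"
SOL_B = "So1ConstructedWa11etAddressNumber2xyz"
BTC_SAMPLE = "1" + "ABCDEFGHJKMNPQRSTUVWXYZabcdefghjkm"
ADDRESS_BOOK = {"alice-eth": ETH_USER, "bob-sol": SOL_A}

# Constructed clipboard history as (seconds, content) pairs.
SNAPSHOTS = [
    (0.0, "meeting notes"),
    (5.0, ETH_USER),
    (5.2, ETH_SWAPPED),   # replaced 0.2 s after the copy: looks like a clipper
    (30.0, SOL_A),
    (45.0, SOL_B),        # a different address 15 s later: ordinary user activity
]

if __name__ == "__main__":
    for swap in find_swaps(SNAPSHOTS):
        print(f"t={swap.at}: {swap.asset} address replaced: {swap.before} -> {swap.after}")
    for candidate in (ETH_USER, ETH_SWAPPED):
        print(candidate, "->", lookup_known(candidate, ADDRESS_BOOK) or "NOT in address book")
```

On the constructed history only the Ethereum replacement is reported, and the swapped-in address fails the address-book lookup, which is exactly the check the "verify wallet addresses manually" advice asks a user to perform before sending. Real clipboard polling needs a platform API (on Windows, for instance, the Win32 clipboard functions) and adds no logic beyond what find_swaps shows; the regex set is the same kind of format matching a clipper uses, applied here to raise an alert rather than to replace the text.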
As cybercriminals continue innovating their attack methods, it’s crucial for users to remain vigilant and cautious when dealing with cryptocurrency and software downloads.