The Marathon Infection Chain of ClipBanker: Unraveling the Crypto-Stealing Trojan
<p>ClipBanker is a sophisticated Trojan that targets cryptocurrency wallets, employing an unusually long and complex infection chain. The attack begins innocuously with a web search for “Proxifier”, a legitimate proxy tool. From there, the malware uses deceptive GitHub repositories, innocent-looking executables, and deeply nested PowerShell scripts to evade detection and ultimately steal crypto. In this Q&A, we break down each stage of this marathon cyber heist.</p>
<h2 id="q1">1. What is ClipBanker and why is its infection chain remarkable?</h2>
<p>ClipBanker is a Trojan designed to intercept and modify cryptocurrency wallet addresses copied to the clipboard, redirecting funds to attackers. Its infection chain is unusual for its length and complexity. While many malware strains use short, direct payloads, ClipBanker employs a multi-step process involving multiple injected modules, temporary files, and scheduled tasks. This marathon approach helps it bypass security software and remain undetected. The chain typically starts with an innocent search for “Proxifier”, an actual proxy tool, and culminates in a hidden PowerShell script that maintains persistence and executes the clip-stealing logic. Each layer is carefully designed to mask the next, making analysis and mitigation particularly challenging.</p><figure style="margin:20px 0"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/04/09085753/SL-clipbanker-proxifier-featured.jpg" alt="The Marathon Infection Chain of ClipBanker: Unraveling the Crypto-Stealing Trojan" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: securelist.com</figcaption></figure>
<h2 id="q2">2. How does the infection start, and what role does Proxifier play?</h2>
<p>The infection begins when a user searches for “Proxifier” (or “a proxifier”) on a search engine. Proxifiers are legitimate programs that tunnel traffic for apps lacking native proxy support. Among the top results, attackers place a link to a <strong>malicious GitHub repository</strong>. The repository contains source code for a basic proxy service, but the real danger lies in the “Releases” section. There, an archive includes an executable and a text file. The executable is actually a trojanized wrapper around the real Proxifier installer, while the text file offers free activation keys. When the user runs the executable, they believe they are installing Proxifier; in reality, the malware begins its silent multi-stage infection. This initial step exploits trust in well-known software and popular platforms like GitHub.</p>
<h2 id="q3">3. What happens immediately after the malicious executable is launched?</h2>
<p>Once launched, the Trojan’s first priority is to create an exclusion for itself in Microsoft Defender. It does so using an unusual technique: it creates a tiny stub file (about 1.5 KB) in the temp directory named <code>Proxifier&lt;???&gt;.tmp</code> and executes it. This stub serves as a <strong>donor process</strong>. A .NET application called <code>api_updater.exe</code> is then injected into this stub. The injected code uses the <code>PSObject</code> class to run a PowerShell script directly within the current process, without spawning a command window or invoking the interpreter. The script adds exclusions for all <code>.tmp</code> files and the executable’s directory from Windows Defender. This clever evasion ensures that subsequent malware components won’t be flagged by real-time scanning.</p>
<h2 id="q4">4. How does the Trojan install the real Proxifier while continuing its malicious activities in the background?</h2>
<p>After setting up the Defender exclusions, the trojanized <code>proxifier.exe</code> extracts and launches the genuine Proxifier installer. This keeps the user distracted — they see a legitimate installation process. Meanwhile, in the background, the malware continues its infection chain. It creates another donor process and injects a module named <code>proxifierupdater.exe</code>. This second module acts as yet another injector. It launches <code>conhost.exe</code>, a Windows system utility, and injects it with a .NET application internally named <code>bin.exe</code>. The <code>bin.exe</code> runs another PowerShell script using the same <code>PSObject</code> technique as before. This layered injection helps the malware hide its true nature deep within legitimate system processes.</p><figure style="margin:20px 0"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/04/09085753/SL-clipbanker-proxifier-featured-800x450.jpg" alt="The Marathon Infection Chain of ClipBanker: Unraveling the Crypto-Stealing Trojan" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: securelist.com</figcaption></figure>
<h2 id="q5">5. What does the final PowerShell script do, and how does it ensure persistence?</h2>
<p>The final PowerShell script is obfuscated and partially encoded, but its actions are straightforward. It performs four key tasks:</p>
<ul>
<li><strong>Add exclusions</strong> for “powershell” and “conhost” processes to Microsoft Defender, ensuring future PowerShell activity goes unchecked.</li>
<li><strong>Create a registry key</strong> at <code>HKLM\SOFTWARE\System::Config</code> and store another Base64-encoded PowerShell script within it.</li>
<li><strong>Set up a scheduled task</strong> that launches PowerShell with a script argument designed to read the registry key, decode its contents, and execute the embedded script.</li>
<li>The scheduled task ensures that even after a reboot, the malware persists. The registry-stored script typically contains the actual clipboard hijacker that monitors and modifies cryptocurrency addresses, stealing funds when the user pastes an address.</li>
</ul>
<p>This persistence mechanism is elegant — it uses only built-in Windows components, making detection harder for standard antivirus tools.</p>
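<p>A defender-side audit for the traces described in questions 3 and 5 (the Defender exclusions, the registry-stored Base64 script, and the scheduled task that decodes it), written as an added example and not part of the original analysis. It assumes Microsoft Defender is the active AV, that the key name matches the page, and that the value names and the script’s text encoding are unknown (every value under the key is inspected and UTF-16LE is tried first). Run it in an elevated PowerShell session.</p>

```powershell
# Added audit script (not from the original analysis). Collects findings rather
# than remediating, so an analyst can review them before removing anything.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Defender exclusions that the stub / in-process PowerShell stages add:
#    the .tmp extension, temp-style directories, and the powershell/conhost processes.
$pref = Get-MpPreference
foreach ($ext in $pref.ExclusionExtension) {
    if ($ext -match '^\.?tmp$') { $findings.Add("Defender excludes extension: $ext") }
}
foreach ($p in $pref.ExclusionPath) {
    if ($p -match '(?i)\\(Temp|Downloads)\\') { $findings.Add("Defender excludes path: $p") }
}
foreach ($proc in $pref.ExclusionProcess) {
    if ($proc -match '(?i)^(powershell|conhost)(\.exe)?$') { $findings.Add("Defender excludes process: $proc") }
}

# 2. The registry key holding the Base64-encoded next stage. The .NET API is used
#    instead of an HKLM:\ path because "::" in the key name would be read by
#    PowerShell's provider as a provider-qualified path.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\System::Config')
if ($key) {
    foreach ($name in $key.GetValueNames()) {          # value names are unknown: inspect all
        $raw = [string]$key.GetValue($name)
        $decoded = ''
        try {
            # Assumption: UTF-16LE, the encoding PowerShell's own -EncodedCommand expects.
            $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($raw))
        } catch { $decoded = '(value is not valid Base64)' }
        $preview = $decoded.Substring(0, [Math]::Min(80, $decoded.Length))
        $findings.Add("HKLM\SOFTWARE\System::Config value '$name' ($($raw.Length) chars), decoded preview: $preview")
    }
    $key.Close()
}

# 3. Scheduled tasks whose action launches PowerShell with arguments that read the
#    registry, decode Base64, or pass an encoded command.
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ($a.Execute -match '(?i)powershell|pwsh' -and
            $a.Arguments -match '(?i)System::Config|FromBase64String|Get-ItemProperty|-enc') {
            $findings.Add("Task '$($task.TaskPath)$($task.TaskName)' runs: $($a.Execute) $($a.Arguments)")
        }
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No ClipBanker-style persistence traces found.' }
```

<p>The exclusion and task patterns are deliberately broad, so a finding is a lead for triage rather than a confirmed infection; confirm by reading the decoded registry script and the task’s full command line.</p>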
<h2 id="q6">6. How does ClipBanker ultimately steal cryptocurrency?</h2>
<p>ClipBanker focuses on cryptocurrency transactions. Once the infection chain is fully executed and persistence is established, the final payload monitors the system clipboard. When it detects a wallet address being copied (e.g., Bitcoin, Ethereum), it replaces that address with the attacker’s address. The user, unaware of the swap, pastes the modified address when sending funds, which then go directly to the criminal. This form of “clipboard hijacking” is common due to the long, complex nature of crypto addresses, which are difficult to verify manually. ClipBanker’s multi-stage delivery ensures that the malicious clipboard monitor remains active without triggering alerts, giving attackers a long window of opportunity to intercept transactions.</p>