{
  "name": "A miner and the ClipBanker Trojan being distributed via SourceForge",
  "slug": "a-miner-and-the-clipbanker-trojan-being-distributed-via-sourceforge",
  "description": "A unique malware distribution scheme abusing SourceForge has been discovered. The attackers create a seemingly legitimate project on sourceforge.net, which automatically generates a sourceforge.io subdomain. This subdomain is then used to host a malicious page that tricks users into downloading a compressed archive containing malware. The infection chain involves multiple stages, including the use of password-protected archives, Visual Basic scripts, and PowerShell commands. The main payloads are a cryptocurrency miner and ClipBanker, a Trojan that replaces cryptocurrency wallet addresses copied to the clipboard with addresses controlled by the attackers. The campaign primarily targets Russian-speaking users, with 90% of potential victims located in Russia.",
  "published": "2025-04-08T17:06:13+00:00",
  "created_at": "2025-04-08T17:06:13+00:00",
  "modified_at": "2025-04-08T20:10:02+00:00",
  "created_at_opencti": "2025-04-08T17:06:13+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-04-08",
    "autoit",
    "clipbanker",
    "cryptocurrency",
    "miner",
    "persistence",
    "powershell",
    "sourceforge"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "e3e33490-dd34-4a18-85dd-2982e1ca97bd",
        "name": "ClipBanker",
        "slug": "clipbanker"
      }
    ],
    "attack_patterns": [
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Russian Federation"
      }
    ]
  },
  "external_refs": [
    "https://securelist.com/miner-clipbanker-sourceforge-campaign/116088/",
    "https://otx.alienvault.com/pulse/67f573a53d47bc07a2ad0e14"
  ]
}