
The threat actor operating under the alias “RedLineCyber” strategically impersonates the notorious RedLine Solutions brand to establish credibility while distributing a Python-based clipboard hijacker named “Pro.exe.”
This malware targets cryptocurrency streamers, casino gaming communities, and active digital asset traders through carefully selected Discord servers focused on gaming, gambling, and streaming content.
The operation represents a shift from indiscriminate information stealing toward precision-targeted financial theft.
Technical Architecture and Operational Method
The malware operates by continuously monitoring the clipboard at 300-millisecond intervals, using base64-encoded regular expressions to detect cryptocurrency wallet addresses across six major blockchain networks: Bitcoin, Ethereum, Solana, Dogecoin, Litecoin, and Tron.
Upon detection, the malware swaps the address in the clipboard itself, replacing the victim's intended wallet address with an attacker-controlled one for the same chain, so the substitution is already in place by the time the user pastes the address into a wallet or exchange form.
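As an added illustration (not the malware's code and not from the article), the following Python shows the classification side of what Pro.exe does and the defensive counterpart of it: one regex per chain for the six networks named above, and a pre-paste check that a wallet front-end or paste hook could run before a transaction is submitted. The address patterns are the public address formats for each chain, an assumption since the article does not reproduce the malware's base64-encoded expressions; the blocklist entries are copied verbatim from the article's IOC table; the demo addresses in `__main__` are constructed.

```python
import re

# Added example, not the malware's code. Standard address formats for the six
# chains Pro.exe targets (assumption: the article does not reproduce the
# malware's own base64-encoded patterns, so these are the public formats).
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"      # base58 alphabet: no 0, O, I, l
BECH32 = r"[ac-hj-np-z02-9]"          # bech32 alphabet: no 1, b, i, o

# Order matters: chains with a distinctive prefix are tried first and the
# generic base58 Solana rule last, because a legacy BTC or a TRX address is
# also a valid-looking 32..44 character base58 string.
ADDRESS_PATTERNS = [
    ("ETH",  re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("TRX",  re.compile(rf"^T{BASE58}{{33}}$")),
    ("DOGE", re.compile(rf"^D{BASE58}{{33}}$")),
    ("LTC",  re.compile(rf"^(ltc1{BECH32}{{25,62}}|[LM]{BASE58}{{26,33}})$")),
    ("BTC",  re.compile(rf"^(bc1{BECH32}{{25,62}}|[13]{BASE58}{{25,34}})$")),
    ("SOL",  re.compile(rf"^{BASE58}{{32,44}}$")),
]

# Attacker-controlled addresses copied verbatim from the article's IOC table
# (a subset; add the remaining rows the same way).
ATTACKER_ADDRESSES = frozenset({
    "bc1qz7jvkt7ex47x2nqm5mzkpaetff6sxmr75uyez",
    "0x43726m3E8C97d8A9F0cdE1B1ad77A63E1c2Ef41c",
    "ltc1qq7a80tz3geqx32nfgng0uc2cv6l3l48vyqwem",
})


def classify_address(text):
    """Return the chain name whose address format `text` matches, or None."""
    s = text.strip()
    for chain, pattern in ADDRESS_PATTERNS:
        if pattern.match(s):
            return chain
    return None


def check_paste(copied, pasted):
    """Compare the address the user copied with what the clipboard now holds.

    A hijacker swaps the value in place, so any difference between the two
    for a recognised wallet format means the paste must not be trusted.
    """
    copied, pasted = copied.strip(), pasted.strip()
    result = {
        "chain": classify_address(copied),
        "swapped": False,
        "blocklisted": pasted in ATTACKER_ADDRESSES,
    }
    if result["chain"] is None:
        return result            # not a wallet address: nothing to protect
    if pasted != copied:
        result["swapped"] = True
        result["pasted_chain"] = classify_address(pasted)
    return result


if __name__ == "__main__":
    # Constructed demo values, not real transactions.
    legit = "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"
    print(check_paste(legit, legit))              # untouched paste
    print(check_paste(legit, "0x" + "a" * 40))    # swapped for a same-chain address
```

The same classifier can be pointed at the malware's own activity log or at a clipboard history to find which entries were wallet addresses; the blocklist check is deliberately separate from the format check so that a malformed or unrecognised address that still matches a known attacker value is flagged.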
RedLineCyber distributes Pro.exe as a PyInstaller executable embedding obfuscated Python 3.13 bytecode.
This packaging approach offers several advantages: PyInstaller itself is a legitimate tool, so the launcher stub looks like countless benign Python applications; the source ships only as compiled (and here obfuscated) bytecode inside the archive; the single-file bundle needs no Python installation or dependencies on the victim's machine; and the generic stub matches fewer antivirus signatures. The protection is shallow, however: the embedded bytecode can be extracted from the bundle and disassembled, so the packaging slows analysis rather than preventing it.

Because the bundle carries a complete Python runtime, the malware operates fully offline and needs no command-and-control infrastructure, which removes the network traffic that most detection pipelines rely on.
On first execution it installs persistence through a Windows Registry Run key, so the binary starts again at every user logon (Run keys fire at logon, not at boot). The malware also keeps a local activity log that records each successful clipboard hijack with a timestamp and the original and substituted addresses.
The log exists for the operator's own bookkeeping, but it is equally useful to responders: it is ready-made forensic evidence of which addresses were replaced and when.

Intelligence analysis identified eight primary Discord communities as deliberate targeting vectors, with emphasis on high-value streaming platforms where cryptocurrency transactions occur during live broadcasts.
The threat actor cultivates extended relationships with potential victims before introducing Pro.exe as a cryptocurrency protection utility or streaming tool.
This social engineering approach exploits trust within gaming and cryptocurrency communities, where technical verification is often minimal.
Open-source intelligence correlation identified the same RedLineCyber actor advertising over 4,200 harvested LinkedIn credentials on BreachStars marketplace in October 2025, suggesting a diversified criminal operation combining real-time cryptocurrency theft with traditional credential brokerage.
Geographic targeting spans the United States, the United Kingdom, Australia, and New Zealand based on credential inventory analysis.
Security teams should monitor for new values under the HKCU Run key, flagging in particular entries whose command line points into %APPDATA%, since legitimately installed software rarely autostarts from the roaming profile.
Behavioral monitoring for high-frequency clipboard access is the most reliable signal: repeated OpenClipboard, GetClipboardData and SetClipboardText calls from one process within short intervals. (SetClipboardText is the pywin32 wrapper name; at the Win32 API level the write appears as SetClipboardData.) At the 300 ms polling interval described here, a single process opens the clipboard three to four times per second, which no interactive application does.
A process that combines such polling with cryptocurrency address pattern matching should be treated as compromised. Because the malware never communicates over the network, traditional network detection vectors (C2 beaconing, DNS, proxy logs) do not apply, and detection has to happen on the endpoint.
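To make the two detection signals above concrete, here is an added Python example (not from the article and not vendor detection content) that runs both checks over constructed telemetry: a Run-key rule that flags HKCU Run values whose data points into %APPDATA%, and a sliding-window counter that finds processes opening the clipboard at the rate a 300 ms poller produces. The event field names (`image`, `target`, `data`) and the `(timestamp, process, api)` call tuples are assumptions in a Sysmon-like shape; map them to your EDR's schema.

```python
import re
from collections import deque

# Added example, not the article's or any vendor's detection content.
# Telemetry below is constructed in a Sysmon-like shape (registry value set
# events and a per-call clipboard API trace); field names are an assumption.

RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
# Command lines that launch from the roaming profile, via the environment
# variable or the expanded path.
APPDATA_HINT = re.compile(r"%appdata%|\\appdata\\roaming\\", re.IGNORECASE)

REGISTRY_EVENTS = [
    {"image": r"C:\Users\v\Downloads\Pro.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CryptoClipboardGuard",
     "data": r"C:\Users\v\AppData\Roaming\CryptoClipboardGuard\Pro.exe"},
    {"image": r"C:\Program Files\Vendor\Updater.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\Updater.exe" /background'},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "data": "1"},
]

# (timestamp_seconds, process, api): Pro.exe polls every 300 ms, while
# notepad reads the clipboard once per user paste.
CLIPBOARD_CALLS = (
    [(i * 0.3, "Pro.exe", "OpenClipboard") for i in range(10)]
    + [(i * 0.3 + 0.01, "Pro.exe", "GetClipboardData") for i in range(10)]
    + [(10.0, "notepad.exe", "OpenClipboard"), (10.01, "notepad.exe", "GetClipboardData"),
       (14.0, "notepad.exe", "OpenClipboard"), (14.01, "notepad.exe", "GetClipboardData")]
)


def flag_run_key_events(events):
    """Registry writes that create an HKCU Run value pointing into %APPDATA%."""
    hits = []
    for ev in events:
        if ev["target"].lower().startswith(RUN_KEY + "\\") and APPDATA_HINT.search(ev["data"]):
            hits.append(ev)
    return hits


def clipboard_polling_rate(calls, window_s=1.0):
    """Peak OpenClipboard calls per process inside any sliding window of window_s seconds."""
    peak, windows = {}, {}
    for ts, proc, api in sorted(calls):
        if api != "OpenClipboard":
            continue
        w = windows.setdefault(proc, deque())
        w.append(ts)
        while ts - w[0] > window_s:      # drop calls that fell out of the window
            w.popleft()
        peak[proc] = max(peak.get(proc, 0), len(w))
    return peak


def flag_clipboard_pollers(calls, window_s=1.0, threshold=3):
    """Processes that open the clipboard at least `threshold` times per window.

    A 300 ms poller produces three to four opens per second; interactive
    copy and paste produces one or two per user action, so 3 is a
    conservative cut-off.
    """
    return {p: n for p, n in clipboard_polling_rate(calls, window_s).items() if n >= threshold}


if __name__ == "__main__":
    for ev in flag_run_key_events(REGISTRY_EVENTS):
        print("suspicious Run value:", ev["target"], "->", ev["data"])
    print("clipboard pollers:", flag_clipboard_pollers(CLIPBOARD_CALLS))
```

Some telemetry sources record the key as HKU\<SID>\Software\... rather than HKCU; normalise the prefix before applying the rule. Clipboard managers and some remote-desktop clients also open the clipboard frequently, so the poller list is a triage queue, not a verdict: the combination with a Run key in %APPDATA% and address-shaped strings in memory is what the article describes as the compromise signature.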

Organizations should prioritize endpoint detection and response (EDR) solutions that support behavioral monitoring, combined with user education focused on cryptocurrency transaction verification workflows.
Blocking the identified attacker wallet addresses at the organizational and exchange level provides only partial mitigation, since the actor can rotate to new addresses at any time.
Threat actors will likely continue exploiting Discord’s social structure and trusted communities to distribute cryptocurrency malware, given the operation’s evident profitability and moderate technical complexity.
The campaign documented by CloudSEK underscores that sophisticated financial theft requires neither advanced capabilities nor elaborate infrastructure, only deliberate social engineering and a narrowly targeted technical implementation aimed at high-value transaction windows.
| Category | Indicator Type | Value / Location | Description / Context |
|---|---|---|---|
| File & Hash Indicators | SHA-256 | 0d6e83e240e41013a5ab6dfd847c689447755e8b162215866d7390c793694dc6 | Primary malware sample (Pro.exe / peeek.exe) |
| File & Hash Indicators | SHA-256 | d011068781cfba0955258505dbe7e5c7d3d0b955e7f7640d2f1019d425278087 | Related ClipBanker variant observed in the wild |
| File & Hash Indicators | File Path | %APPDATA%\CryptoClipboardGuard\activity.log | Clipboard swap activity log with timestamps |
| File & Hash Indicators | Directory | %APPDATA%\CryptoClipboardGuard | Persistence directory created by malware |
| Registry-Based Indicators | Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Autostart persistence location |
| Registry-Based Indicators | Registry Value | CryptoClipboardGuard | Malware persistence entry |
| Behavioral Indicators | API Calls | win32clipboard.OpenClipboard, GetClipboardData, SetClipboardText | Clipboard monitoring and manipulation |
| Behavioral Indicators | Polling Pattern | 300 ms continuous polling | High-frequency clipboard access detected via process monitoring |
| Behavioral Indicators | Registry Operations | winreg module usage | Persistence creation via registry modification |
| Behavioral Indicators | Pattern Matching | re.compile(regex) + Base64 decoding | Wallet address detection and replacement logic |
| Network Indicators | Network Activity | None observed | Malware operates fully offline with no C2, DNS, or outbound traffic |
| Cryptocurrency Wallet Indicators | Bitcoin (BTC) | bc1qz7jvkt7ex47x2nqm5mzkpaetff6sxmr75uyez | Attacker-controlled wallet (block recommended) |
| Cryptocurrency Wallet Indicators | Ethereum (ETH) | 0x43726m3E8C97d8A9F0cdE1B1ad77A63E1c2Ef41c | Attacker-controlled wallet |
| Cryptocurrency Wallet Indicators | Solana (SOL) | EDEQ72ExGfXMTENKHA1TsezvWMA8xKzgKgQtNP1E1at | Attacker-controlled wallet |
| Cryptocurrency Wallet Indicators | Dogecoin (DOGE) | D634A6aAXMYT7KYqZPXFMoajKHVLgetk | Attacker-controlled wallet |
| Cryptocurrency Wallet Indicators | Litecoin (LTC) | ltc1qq7a80tz3geqx32nfgng0uc2cv6l3l48vyqwem | Attacker-controlled wallet |
| Cryptocurrency Wallet Indicators | Tron (TRX) | TZ1p3c9ydQzSTWXVMYT9vfrchCpiwEBCX | Attacker-controlled wallet |
The post Attackers Abuse Discord to Deliver Clipboard Hijacker Stealing Wallet Addresses on Paste appeared first on Cyber Security News.
