New ClipXDaemon Malware Targets Cryptocurrency Users by Hijacking Clipboard Addresses on Linux



Security researchers have recently uncovered a new strain of Linux malware named ClipXDaemon. This sophisticated threat specifically targets cryptocurrency users by manipulating copied wallet addresses, posing a significant risk to digital asset security.

Cyble’s Research & Intelligence Labs (CRIL) identified ClipXDaemon as being delivered through a loader structure previously linked to ShadowHS activity. However, researchers assert that there is no evidence suggesting that ClipXDaemon and ShadowHS share the same operators or malware authors. Instead, both malware strains utilize bincrypter, an open-source shell-script encryption framework available on GitHub.

ClipXDaemon: A Cryptocurrency-Focused Linux Threat

Unlike conventional Linux malware that relies on remote infrastructure, ClipXDaemon functions as a fully autonomous cryptocurrency clipboard hijacker. It lacks command-and-control (C2) functionality, does not perform beaconing, and does not require instructions from remote servers.

The malware directly monetizes its victims. Once installed on a Linux system operating within an X11 graphical environment, ClipXDaemon actively monitors clipboard activity. It replaces copied cryptocurrency wallet addresses with those controlled by the attacker in real time. If a victim pastes the altered address into a transaction field, funds are unknowingly transferred to the attacker.

Researchers have noted that ClipXDaemon checks its runtime environment before going to work. If it detects a Wayland session, where the compositor does not hand arbitrary clients a global clipboard and the scraping technique therefore cannot work, the program terminates immediately.

The initial loader utilized in the ClipXDaemon campaign resembles one previously observed in ShadowHS malware samples. This similarity likely arises from both threats employing the same open-source bincrypter framework.

In January, ShadowHS was documented as a malware family that deployed encrypted shell loaders to execute weaponized hackshell payloads targeting server environments for post-exploitation activities. In contrast, ClipXDaemon delivers a distinct payload: a Linux-based cryptocurrency clipboard hijacker.

Multi-Stage Infection Chain

The ClipXDaemon campaign employs a three-stage infection process:

  1. Encrypted Loader: A bincrypter-generated script containing an encrypted payload blob.
  2. Memory-Resident Dropper: Decrypted in memory using AES-256-CBC and gzip decompression.
  3. On-Disk ELF Payload: A clipboard-hijacking daemon written to disk.

The loader stores encrypted data inline, decodes it from base64, strips non-printable characters, and derives AES-256-CBC parameters before executing the decrypted stage directly from memory. The use of OpenSSL commands aligns with bincrypter’s typical output.

When the loader decrypts the intermediate dropper, it executes the resulting script through /proc/self/fd rather than writing it to disk, so no file appears in the filesystem and fewer forensic artifacts are left behind. Only the on-disk artifact is avoided, however: the plaintext still passes through an open descriptor of the running interpreter, which is where live analysis can intercept it.

Persistence and Installation

The decrypted dropper embeds a base64-encoded ELF binary, which it writes to the path:

~/.local/bin/

The filename is randomly generated with a length of eight to nineteen characters, often including a numeric suffix. After writing the binary, the dropper marks it as executable and launches it in the background.

To persist, ClipXDaemon appends an execution line to the user's ~/.profile. Because ~/.profile is read by login shells and is commonly sourced when a desktop session starts, the malware is relaunched at every future login without root privileges, systemd units, or cron entries. That choice, together with the X11 dependency, indicates that the operators are targeting desktop Linux users rather than servers.
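The drop location, the naming pattern and the ~/.profile launcher described in the last few paragraphs are all checkable from a normal user account. The script below is an added triage example, not code from the Cyble report: it extracts ~/.local/bin file names that non-comment lines of ~/.profile execute (a stock ~/.profile only prepends that directory to PATH), and lists ELF files in ~/.local/bin whose names fit the reported description. The sample profile text, the launcher line's exact form and the file name hq7zk2mdv41 are constructed for illustration.

```python
"""Host triage for the ~/.local/bin drop and ~/.profile persistence described above.

Added example, not code from the Cyble report. Two checks:
  1. ~/.profile lines that execute something under ~/.local/bin. A normal
     ~/.profile only prepends that directory to PATH; it does not launch
     files from it.
  2. Files in ~/.local/bin that are ELF executables and whose names fit the
     report's description (8-19 characters, often a numeric suffix).
The sample profile text and the file name "hq7zk2mdv41" are constructed.
"""
from __future__ import annotations

import re
import stat
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

# A token that names a *file* inside ~/.local/bin, however HOME is spelled.
# 'PATH="$HOME/.local/bin:$PATH"' has no trailing "/name" and so does not match.
LOCAL_BIN_FILE = re.compile(
    r"(?:~|\$HOME|\$\{HOME\}|/home/[^/\s]+)/\.local/bin/([A-Za-z0-9._-]+)"
)


def launchers_in_profile(profile_text: str) -> list[str]:
    """File names under ~/.local/bin referenced by non-comment lines of ~/.profile."""
    names = []
    for line in profile_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        names.extend(m.group(1) for m in LOCAL_BIN_FILE.finditer(stripped))
    return names


def fits_reported_naming(name: str) -> bool:
    """Length 8-19 per the report; the numeric suffix is common, not required."""
    return 8 <= len(name) <= 19


def has_numeric_suffix(name: str) -> bool:
    return name[-1].isdigit()


def is_elf(path: Path) -> bool:
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def scan_home(home: Path) -> list[dict]:
    """Run both checks against a real home directory; one dict per file in ~/.local/bin."""
    profile = home / ".profile"
    launched = launchers_in_profile(profile.read_text(errors="replace")) if profile.is_file() else []
    local_bin = home / ".local" / "bin"
    findings = []
    if not local_bin.is_dir():
        return findings
    for path in sorted(local_bin.iterdir()):
        if not path.is_file():
            continue
        findings.append({
            "path": str(path),
            "elf": is_elf(path),
            "executable": bool(path.stat().st_mode & stat.S_IXUSR),
            "launched_from_profile": path.name in launched,
            "name_fits_report": fits_reported_naming(path.name),
            "numeric_suffix": has_numeric_suffix(path.name),
        })
    return findings


# Constructed ~/.profile: the first block is the usual PATH handling, the last
# line is the kind of launcher the report describes (its exact form is assumed).
SAMPLE_PROFILE = """\
# ~/.profile: executed by the command interpreter for login shells.
if [ -d "$HOME/.local/bin" ] ; then
    PATH="$HOME/.local/bin:$PATH"
fi
nohup "$HOME/.local/bin/hq7zk2mdv41" >/dev/null 2>&1 &
"""


if __name__ == "__main__":
    print("sample profile launches:", launchers_in_profile(SAMPLE_PROFILE))
    for finding in scan_home(Path.home()):
        if finding["elf"] and (finding["launched_from_profile"] or finding["name_fits_report"]):
            print(finding)
```

Run it as the user being examined; the length heuristic alone will flag legitimate tools with 8-19 character names, so treat `launched_from_profile` as the strong signal and the naming match as supporting evidence.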

Stealth Techniques and Process Masquerading

Once operational, ClipXDaemon performs the classic double-fork daemonization sequence to detach from the controlling terminal: it creates a new session, closes the standard file descriptors, and resets the umask.

The malware then calls prctl(PR_SET_NAME, …) to rename itself after a kernel worker thread, specifically "kworker/0:2-events". Because administrators see dozens of kernel worker threads in ps or top and rarely look twice at them, the name is meant to survive casual inspection. The disguise is shallow, though: PR_SET_NAME changes only the comm field, which holds at most 15 bytes, while /proc/<pid>/exe still points at the dropped binary, /proc/<pid>/cmdline is not empty, and the parent is not kthreadd (PID 2) as it is for every real kernel thread.
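Those three properties give a check that does not depend on which name the malware picked. The following is an added example, not code from the report or from Cyble: it reads comm, PPid, cmdline and the exe link for every PID in /proc and reports processes that carry a kernel-thread name but fail the kernel-thread test. The process table SAMPLE is constructed, including the assumed path of the dropped binary.

```python
"""Spot user-space processes hiding behind kernel-thread names.

Added example, not from the Cyble report. prctl(PR_SET_NAME) rewrites only
/proc/<pid>/comm, the 15-byte name that ps and top print. It cannot give a
process the properties every real kernel thread has:
  - its parent is kthreadd (PID 2), or it is kthreadd itself;
  - /proc/<pid>/cmdline is empty;
  - /proc/<pid>/exe has no target, because there is no binary on disk.
Testing those fields finds the impostor whatever name it chose. The process
table SAMPLE below is constructed for illustration.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from pathlib import Path

# Kernel-thread name prefixes that malware likes to borrow.
KTHREAD_LIKE = re.compile(
    r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|kcompactd|watchdog)"
)


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # /proc/<pid>/comm
    cmdline: str   # argv joined with spaces; empty for kernel threads
    exe: str       # target of /proc/<pid>/exe; empty when unreadable


def read_proc(pid: int) -> Proc | None:
    """Read the fields the check needs from a live /proc entry."""
    base = Path("/proc") / str(pid)
    try:
        comm = (base / "comm").read_text().strip()
        raw = (base / "cmdline").read_bytes()
        ppid = 0
        for line in (base / "status").read_text().splitlines():
            if line.startswith("PPid:"):
                ppid = int(line.split()[1])
                break
    except OSError:
        return None            # process exited while we were looking
    cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
    try:
        exe = os.readlink(base / "exe")
    except OSError:
        exe = ""               # kernel threads (and zombies) have no target
    return Proc(pid, ppid, comm, cmdline, exe)


def snapshot() -> list[Proc]:
    """All live processes, as Proc records."""
    procs = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            p = read_proc(int(entry))
            if p is not None:
                procs.append(p)
    return procs


def is_genuine_kthread(p: Proc) -> bool:
    return (p.ppid == 2 or p.pid == 2) and p.cmdline == "" and p.exe == ""


def impostors(procs: list[Proc]) -> list[Proc]:
    """Processes named like kernel threads that fail the kernel-thread test."""
    return [p for p in procs if KTHREAD_LIKE.match(p.comm) and not is_genuine_kthread(p)]


SAMPLE = [
    Proc(pid=2, ppid=0, comm="kthreadd", cmdline="", exe=""),
    Proc(pid=71, ppid=2, comm="kworker/0:2-events", cmdline="", exe=""),
    Proc(pid=1200, ppid=1, comm="bash", cmdline="bash", exe="/usr/bin/bash"),
    # The renamed daemon. PR_SET_NAME keeps only the first 15 bytes of
    # "kworker/0:2-events", the double fork re-parented it away from its
    # launching shell, and exe still resolves to the dropped binary
    # (path constructed).
    Proc(pid=4231, ppid=1, comm="kworker/0:2-eve",
         cmdline="/home/alice/.local/bin/hq7zk2mdv41",
         exe="/home/alice/.local/bin/hq7zk2mdv41"),
]


if __name__ == "__main__":
    for p in impostors(snapshot()):
        print(f"pid {p.pid} comm={p.comm!r} ppid={p.ppid} exe={p.exe!r} cmdline={p.cmdline!r}")
```

Run it as root so the exe link of every process is readable; as an unprivileged user the exe check is only reliable for your own processes, which for a ~/.profile-launched daemon is exactly the set that matters.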

Clipboard Monitoring and Cryptocurrency Hijacking

After daemonization, ClipXDaemon connects to the X server using standard X11 APIs. If the connection fails, execution halts. Otherwise, the malware begins monitoring clipboard content every 200 milliseconds.

Using the X11 selection protocol, the malware retrieves clipboard data in UTF-8 format through XConvertSelection, XNextEvent, and XGetWindowProperty. Clipboard contents are copied into memory and analyzed for cryptocurrency wallet patterns.

The malware contains encrypted regular expressions for several major cryptocurrency formats, including:

  • Ethereum: ^0x[0-9a-fA-F]{40}$
  • Bitcoin: ^(bc1|[13])[a-km-zA-HJ-NP-Z1-9]{25,34}$
  • Monero: ^[4][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$
  • Dogecoin: ^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$

When a match is detected, ClipXDaemon replaces the clipboard content with a malicious wallet address. This replacement occurs rapidly enough to take place before a typical paste operation.

Observed attacker wallets include:

  • Ethereum: 0x502010513bf2d2B908A3C33DE5B65314831646e7
  • Monero: 424bEKfpB6C9LkdfNmg61pMEnAitjde8YWFsCP1JXRYhfu4Tp5EdbUBjCYf9kRBYGzWoZqRYMhWfGAm1N5h6wSPg8bSrbB9
  • Bitcoin: bc1qe8g2rgac5rssdf5jxcyytrs769359ltle3ekle
  • Dogecoin: DTkSZNdtYDGndq1kRv5Z2SuTxJZ2Ddacjk
  • Litecoin: ltc1q7d2d39ur47rz7mca4ajzam2ep74ccdwvqre6ej
  • Tron: TBupDdRjUscZhsDWjSvuwdevnj8eBrE1ht

While the malware also monitors TON and Ripple wallet formats, researchers did not observe replacement addresses for those assets.
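The published patterns and wallet addresses are enough to replay the daemon's classification step. The script below is an added example, not code from the report: the four regular expressions and the attacker wallets are quoted from it, while the functions and the sample legacy Bitcoin address are mine. It shows two things the prose does not: the patterns are anchored with ^ and $, so only a clipboard holding exactly one bare address is rewritten, and the reported Bitcoin pattern applies a Base58 character class after the bc1 prefix, so bech32 addresses containing 'l' or '0' never match it, the attacker's own bc1q… address included.

```python
"""Replay ClipXDaemon's clipboard classification with the patterns Cyble published.

Added example: the four regular expressions and the attacker wallets are
quoted from the report; the functions and SAMPLE_LEGACY_BTC are mine.
"""
from __future__ import annotations

import re

# Patterns as printed in the report (Litecoin, Tron, TON and Ripple were not).
PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "bitcoin": re.compile(r"^(bc1|[13])[a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "monero": re.compile(r"^[4][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "dogecoin": re.compile(r"^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$"),
}

# Replacement addresses the report attributes to the operators. Indicators only.
ATTACKER_WALLETS = {
    "ethereum": "0x502010513bf2d2B908A3C33DE5B65314831646e7",
    "monero": "424bEKfpB6C9LkdfNmg61pMEnAitjde8YWFsCP1JXRYhfu4Tp5EdbUBjCYf9kRBYGzWoZqRYMhWfGAm1N5h6wSPg8bSrbB9",
    "bitcoin": "bc1qe8g2rgac5rssdf5jxcyytrs769359ltle3ekle",
    "dogecoin": "DTkSZNdtYDGndq1kRv5Z2SuTxJZ2Ddacjk",
}

# Syntactically valid legacy (P2PKH) address used only as sample input.
SAMPLE_LEGACY_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"


def classify(clipboard: str) -> str | None:
    """Asset whose published pattern matches the whole clipboard text, else None.

    Every pattern is anchored at both ends, so an address embedded in a
    sentence or padded with whitespace is not recognised.
    """
    for asset, pattern in PATTERNS.items():
        if pattern.match(clipboard):
            return asset
    return None


def would_be_swapped(clipboard: str) -> tuple[str | None, str | None]:
    """(asset, address the daemon would substitute) or (None, None)."""
    asset = classify(clipboard)
    return (asset, ATTACKER_WALLETS.get(asset)) if asset else (None, None)


def pattern_self_check() -> dict[str, bool]:
    """Does each attacker address satisfy the published pattern for its own asset?

    Bitcoin comes back False: "bc1" is followed by a Base58 class that
    excludes 'l' and '0', and the {25,34} count is shorter than a 42-character
    bech32 address, so bech32 destinations are never rewritten by that pattern.
    """
    return {asset: bool(PATTERNS[asset].match(addr))
            for asset, addr in ATTACKER_WALLETS.items() if asset in PATTERNS}


if __name__ == "__main__":
    samples = [SAMPLE_LEGACY_BTC,
               "Send 0.1 ETH to " + ATTACKER_WALLETS["ethereum"],
               *ATTACKER_WALLETS.values()]
    for text in samples:
        print(f"{text[:24]:<26} -> {would_be_swapped(text)}")
    print("attacker addresses matched by their own patterns:", pattern_self_check())
```

The same functions make a cheap canary for a suspect machine: copy an address that `classify` recognises, paste it into a text editor, and compare; on an infected X11 session the pasted value will be one of the ATTACKER_WALLETS entries.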

Configuration Encryption and C2-Less Malware Model

To obscure its configuration, ClipXDaemon encrypts the wallet patterns and replacement addresses with the ChaCha20 stream cipher, using a static 256-bit key and counter hard-coded in the binary. The values are decrypted at runtime immediately before the regular expressions are compiled in memory.

This hides the strings from simple static inspection such as strings(1), but it offers little against dynamic analysis: once decrypted, the plaintext patterns and addresses sit in process memory, and because the key ships with the sample, an analyst can decrypt the configuration without running the binary at all.

One of the most notable characteristics of ClipXDaemon is the absence of any network communication. During analysis, the binary performed no DNS queries, HTTP requests, or socket connections and contained no embedded domains or IP addresses.

This C2-less architecture alters the traditional malware lifecycle. Without remote infrastructure, attackers do not need to maintain servers or communicate with infected machines. Instead, monetization occurs directly when a victim unknowingly sends cryptocurrency to the attacker’s wallet.

As reported by thecyberexpress.com.

