
Kaspersky Warns of Fake Microsoft Office Extensions Spreading Cryptocurrency Malware
Kaspersky has alerted users about malicious Microsoft Office add-ins that distribute malware targeted at cryptocurrency holders.
Cybersecurity firm Kaspersky has warned that malicious Microsoft Office extensions are being used to distribute malware targeting cryptocurrency users.
The malware, which is concealed in fake software packages uploaded to SourceForge, aims to steal funds by changing copied cryptocurrency wallet addresses.
In an April 8 report, Kaspersky’s Anti-Malware Research Team disclosed a malicious listing named “officepackage,” which looks like a collection of legitimate Microsoft Office add-ins but is bundled with a program known as ClipBanker.
Clipboard-Hijacking Malware Swaps Crypto Wallet Addresses To Steal Funds
The malware keeps track of the user’s clipboard, and when it detects a copied crypto wallet address, it replaces it with an address under the control of the attacker.
“Crypto wallet users frequently copy addresses instead of manually entering them. If the device is infected with ClipBanker, the victim’s funds will be sent to an unexpected account,” Kaspersky’s team asserted.
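A defender can spot the address swap described above by comparing what the user copied with what the clipboard holds afterwards. The following is an added example, not code from Kaspersky's report: the event format (`user_copy` recorded by a trusted copy action, `poll` read back later), the function names, and all addresses are constructed assumptions, and the patterns check address shape only, not checksums.

```python
import re

# Address shapes only (no checksum validation); enough to tell "this is an address".
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def classify(text):
    """Return the address family if the whole clipboard text is one address, else None."""
    value = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            return family
    return None

def find_swaps(events):
    """events: (timestamp, source, text) tuples; source is 'user_copy' or 'poll'.
    Flags a poll whose address differs from the one the user last copied."""
    alerts, expected = [], None
    for ts, source, text in events:
        family, value = classify(text), text.strip()
        if source == "user_copy":
            # Only track copies that are wallet addresses.
            expected = (family, value) if family else None
        elif expected and family and value != expected[1]:
            alerts.append({"time": ts, "copied": expected[1], "found": value,
                           "same_family": family == expected[0]})
            expected = None  # report each swap once
    return alerts

# Constructed sample data: none of these are real wallet addresses.
USER_ETH = "0x" + "a1" * 20
OTHER_ETH = "0x" + "b2" * 20
USER_BTC = "1" + "A" * 30
SAMPLE_EVENTS = [
    (0, "user_copy", "meeting notes"),
    (1, "poll", "meeting notes"),
    (2, "user_copy", USER_ETH),
    (3, "poll", USER_ETH),
    (4, "poll", OTHER_ETH),   # clipboard changed without a user copy
    (5, "user_copy", USER_BTC),
    (6, "poll", USER_BTC),
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print("possible clipboard swap:", alert)
```
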
The malware campaign imitates legitimate software, featuring a polished page on SourceForge and fake download buttons.
Apart from fund theft, the malware collects sensitive information from infected devices, such as IP addresses, countries, and usernames, which are dispatched to attackers via Telegram. Some of the installer files are suspiciously small, while others are bloated with junk data for credibility.
Kaspersky reported that the malware evades detection by checking for installed antivirus programs and deleting itself if it finds one. Besides stealing crypto funds via mining and address swapping, these attackers might also sell access to compromised systems to more malicious entities.
The Russian-language interface of the malware hints that it specifically targets Russian-speaking users. According to Kaspersky, 90% of the identified victims were located in Russia, affecting over 4,600 users between January and March 2025.
The company encourages users to download software solely from legitimate and trusted sources, cautioning that pirated or alternate software versions often serve as vehicles for malware. Kaspersky remarked, “Attackers are continually finding innovative ways to enhance the legitimacy of their websites.”
Other cybersecurity organizations have also flagged novel malware threats. Recently, Threat Fabric warned about a new malware family affecting Android devices by overlaying fake interfaces to deceive users into revealing their cryptocurrency wallet seed phrases.
Crypto Hacks Top $1.6B In Q1 2025
In the first quarter of 2025, over $1.63 billion in cryptocurrency was stolen, with approximately 92% of this amount linked to the significant Bybit hack in February, as per reports from the blockchain security firm PeckShield.
While losses in January amounted to $87 million, February experienced an extraordinary spike reaching $1.53 billion, coupled with several additional attacks on Infini, zkLend, and Ionic. March saw a sharp decrease in losses to $33 million—a staggering 97% reduction from February, with some stolen funds recovered, providing partial relief to affected users and platforms.
The key takeaways include:
- Kaspersky’s warning on malware concealed in fake Microsoft Office add-ins intended to steal cryptocurrencies by hijacking copied wallet addresses.
- The malware dubbed ClipBanker also gathers user data and avoids being detected by erasing itself if antivirus software is found.
- 90% of the identified victims were located in Russia, and Kaspersky recommends downloading software exclusively from official and verified sources.