Crypto address-swapping malware found in fake Office add-ins
Cybersecurity firm Kaspersky has uncovered malware hidden in fake Microsoft Office extension packages on SourceForge that swaps users' copied crypto wallet addresses with attackers' addresses.
The malicious listing, called "officepackage," contains legitimate Office add-ins but conceals ClipBanker malware that monitors the clipboard for copied crypto addresses and replaces them with the attacker's address.
"Users of crypto wallets typically copy addresses instead of typing them. If the device is infected with ClipBanker, the victim's money will end up somewhere entirely unexpected," Kaspersky researchers stated.
The fake SourceForge page mimics a legitimate developer tool page to appear authentic. Kaspersky noted some red flags, like unusually small file sizes for supposed Office applications.
The malware also sends infected device information to hackers via Telegram and can delete itself if it detects prior installation or antivirus software.
While primarily targeting cryptocurrency through mining and address swapping, Kaspersky warned the attackers could potentially sell system access to more dangerous actors.
The interface is in Russian, and 90% of potential victims between January and March 2025 were located in Russia.
To avoid infection, Kaspersky recommends only downloading software from trusted sources, as pirated programs carry higher risks.
The firm noted that disguising malware as pirated software is a common tactic used by attackers to lure users seeking unofficial downloads.