Kaspersky Finds Malware Hiding in Fake Office Add-In Plugin
- A fake Microsoft Office plugin was used to hijack crypto wallet addresses via clipboard manipulation.
- Kaspersky revealed multiple malware campaigns targeting crypto users across apps, extensions, and browsers.
Crypto users are once again being targeted. This time, Kaspersky has uncovered a new malware campaign that spreads through a fake Microsoft Office plugin hosted on SourceForge. People are usually wary of suspicious links or pirated applications, but now even plugins that look legitimate can be a trap.
The method is quite neat. The plugin disguises itself as a Microsoft Office add-in that appears to help productivity. Once installed, it delivers malware that uses the “clipboard hijacking” technique.
When a user copies a crypto wallet address, the address is automatically replaced with the attacker’s. The end result? Funds are sent straight to a wallet the user never intended. And all of this happens without being noticed.
Cybersecurity company Kaspersky: A malware disguised as a Microsoft Office plugin on SourceForge is targeting crypto users, employing a dangerous clipboard hijacking technique. This malware replaces the cryptocurrency wallet address copied by the user with the attacker's address,…
— Wu Blockchain (@WuBlockchain) April 9, 2025
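One way to check a machine for the clipboard replacement described above is a canary test: write address-shaped strings to the clipboard and confirm they read back unchanged. This is an added example, not code from Kaspersky or from this article. The `write` and `read` callables are assumptions, to be backed by whatever clipboard API is available (for instance pyperclip's `copy` and `paste`), and the canary values are constructed, not real wallets.

```python
import re
import time

# Constructed canaries: shaped like wallet addresses, not real or checksum-valid.
CANARIES = {
    "btc-legacy": "1" + "CanaryTestAddr" * 2 + "12345",
    "btc-bech32": "bc1q" + "canarytest" * 3 + "qpzry9x8",
    "eth": "0x" + "ca11ab1e" * 5,
}
# Plain text that no address pattern matches; proves the clipboard round-trips at all.
CONTROL = "clipboard-roundtrip-control-string"

ADDRESS_LIKE = re.compile(
    r"0x[0-9a-fA-F]{40}"                      # Ethereum-style hex address
    r"|bc1[02-9ac-hj-np-z]{39,59}"            # Bitcoin bech32
    r"|[13][1-9A-HJ-NP-Za-km-z]{25,34}"       # Bitcoin legacy base58
)

def check_clipboard(write, read, settle=0.5, sleep=time.sleep):
    """Return {'control_ok': bool, 'swapped': [...]} for the given clipboard.

    write(str) and read() -> str are caller-supplied clipboard accessors.
    settle is how long to wait after each write before reading back.
    """
    write(CONTROL)
    sleep(settle)
    result = {"control_ok": read() == CONTROL, "swapped": []}
    if not result["control_ok"]:
        # Clipboard is broken or managed by another tool: result is inconclusive.
        return result
    for label, canary in CANARIES.items():
        write(canary)
        sleep(settle)
        seen = read() or ""
        if seen != canary:
            result["swapped"].append({
                "format": label,
                "wrote": canary,
                "read_back": seen,
                # A different but still address-shaped value is the hijack signature.
                "replacement_is_address_like": bool(ADDRESS_LIKE.fullmatch(seen)),
            })
    return result
```

A non-empty `swapped` list with `replacement_is_address_like` set means something on the host rewrote an address between copy and paste, and the machine should not be used for transfers until it is cleaned.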
Malware Found Mining Crypto Through VSCode Extensions
If you think this only happens on one platform, unfortunately it does not. At almost the same time, nine Visual Studio Code (VSCode) extensions were also found spreading cryptominer malware. The extensions were uploaded to the Microsoft Marketplace between April 4 and 7, 2025.
Disguised as traditional development tools, the extensions secretly infect users with XMRig to mine Ethereum and Monero. Total downloads? More than 300,000.
Roughly speaking, it’s like downloading an extension to help with your work, only to find that your CPU is being drained to mine crypto for someone else. Not only does it waste electricity, it also slows your laptop down and shortens your hardware’s lifespan.
Mobile Threats Are Getting Sneakier Than Ever
On the other hand, CNF previously reported that the Crocodilus malware was also detected, targeting Android devices, especially in Spain and Turkey. This Trojan uses an overlay technique to trick users into providing their crypto wallet recovery phrases.
Once the victim grants access, Crocodilus can take full control of the device through the Accessibility Service permission. It’s like handing over your house key and ATM password at the same time, just because the application looks ordinary.
Still not enough? Last February, a report from Kaspersky also mentioned the emergence of malware called SparkCat. This malware infiltrates Android and iOS devices through an application that looks harmless. SparkCat is able to steal important details directly from the victim’s phone through a very neat and difficult-to-detect data collection method.
Your Browser Wallet Might Not Be as Safe as You Think
Furthermore, in November 2024, researchers from Microsoft Incident Response discovered a new remote access trojan (RAT) called StilachiRAT. This malware targets Google Chrome and can scan up to 20 cryptocurrency wallet add-ons.
It then extracts and decrypts the credentials stored within them. Simply put, all of your crypto assets that are “safe” in the browser may have been spied on and are now ready to be stolen.
Modern Malware Hides in Plain Sight
This does not mean that all technology or plugins are dangerous. However, it is now clear that many threats come from unexpected places. From fake plugins and malicious extensions to mobile applications that look ordinary and browser extensions that have been considered safe, all can be entry points for perpetrators.
Maybe it’s time for us to change our perspective. We need to be careful not only of phishing or suspicious emails, but also of things that look normal.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.