July 1, 2025
Kaspersky Cautions About Imitation Microsoft Office Extensions Deployed to Distribute Crypto-Stealing Malware

Apr 9, 2025

Kaspersky, a cybersecurity company, has warned that fake Microsoft Office extensions are being used to spread malware aimed at cryptocurrency users.

The malware, concealed within counterfeit software packages uploaded to SourceForge, is engineered to misappropriate funds by modifying copied digital wallet addresses.

In its April 8 update, Kaspersky’s Anti-Malware Research Team disclosed that a malicious listing named “officepackage” seems to incorporate authentic Microsoft Office add-ins yet comes packaged with a program called ClipBanker.


Clipboard-Capturing Malware Substitutes Wallet Addresses to Embezzle Funds

This malware surveils the user’s clipboard and, upon detecting a copied crypto wallet address, swaps it with an address that the attacker owns.

“Crypto wallet users usually copy addresses rather than type them. If the device is compromised via ClipBanker, the victim’s assets could end up in an entirely different location,” the Kaspersky team emphasized.
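The swap described above leaves a trace a clipboard monitor can look for: an address-shaped value replaced moments later by a different address of the same type, with no copy action by the user. The following detection sketch is an added example, not code from Kaspersky's report. The event format, the `user_initiated` flag, the simplified address patterns, and the 2-second window are all assumptions.

```python
import re

# Simplified address shapes (assumed for this example, not exhaustive).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return the matching address type name, or None if not address-shaped."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

def find_swaps(events, window=2.0):
    """Flag an address-shaped clipboard value replaced by a different address
    of the same type within `window` seconds, without a user copy action.

    events: time-ordered list of (timestamp_seconds, user_initiated, text).
    """
    alerts = []
    for (prev_ts, _, prev_text), (cur_ts, cur_user, cur_text) in zip(events, events[1:]):
        kind = address_kind(prev_text)
        if kind is None or cur_user:
            continue  # nothing sensitive was copied, or the user copied again
        if (address_kind(cur_text) == kind
                and cur_text.strip() != prev_text.strip()
                and cur_ts - prev_ts <= window):
            alerts.append({"time": cur_ts, "kind": kind,
                           "copied": prev_text.strip(),
                           "replaced_by": cur_text.strip()})
    return alerts

# Constructed sample events; the addresses are made-up strings, not real wallets.
SAMPLE_EVENTS = [
    (10.0, True, "meeting notes"),
    (25.0, True, "0x" + "ab" * 20),   # user copies an address
    (25.3, False, "0x" + "cd" * 20),  # replaced 0.3 s later, no user action
    (60.0, True, "1" + "A" * 30),
    (95.0, True, "1" + "B" * 30),     # user copies a different address: benign
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```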

The malware operation is crafted to imitate legitimate software, complete with a professional-looking webpage on SourceForge and fraudulent download buttons.

The malware also gathers private information from infected devices—including IP addresses, locations, and usernames. This data is relayed to the attackers through Telegram. Some files within the installer are suspiciously small, while others are artificially inflated with nonsensical data to seem more credible.

Kaspersky also noted that the malware eludes detection by scanning for existing antivirus programs and removing itself if one is found. Although its primary objective is to steal crypto assets through mining and address substitution, the attackers might also sell access to compromised devices to more dangerous entities.

The presence of a Russian-language interface indicates the malware may specifically target Russian-speaking individuals. Kaspersky reported that 90% of recognized victims were located in Russia, with over 4,600 users affected from January through March 2025.

The company advises individuals to obtain software exclusively from official, reputable sources, cautioning that pirated or alternate software versions are frequently employed as conduits for malware. “Attackers continually seek innovative means to make their websites look legitimate,” Kaspersky observed.

Other cybersecurity organizations are also highlighting emerging malware threats. Threat Fabric recently disclosed a new malware family targeting Android devices by superimposing counterfeit interfaces to deceive users into exposing their wallet seed phrases.


Crypto Thefts Exceed $1.6B In Q1 2025, With Bybit Breach Accounting For Most Losses

More than $1.63 billion in crypto assets was stolen in the first quarter of 2025, with an astonishing 92% of the total attributed to the massive Bybit breach in February, as reported by blockchain security firm PeckShield.

While January saw $87 million in losses, February experienced an unprecedented spike to $1.53 billion, including further attacks on Infini, zkLend, and Ionic.

Conversely, March offered some respite, with losses related to hacks plummeting dramatically to $33 million, a 97% decrease from February. Some of the stolen assets were also retrieved, providing partial relief for affected individuals and platforms.


Key Insights

  • Kaspersky alerts about malware disguised in counterfeit Microsoft Office add-ins crafted to filch crypto by hijacking copied crypto wallet addresses.
  • The malware, referred to as ClipBanker, also retrieves user information and circumvents detection by erasing itself when antivirus software is discovered.
  • Over 90% of the victims were Russian users, prompting Kaspersky to recommend downloading software only from official and trusted platforms.

The article Deceptive Microsoft Office Extensions Employed To Distribute Crypto-Thieving Malware, Kaspersky Warns first appeared on 99Bitcoins.
