Beware! Crypto-stealing malware disguised as Microsoft Office extension

In the ever-evolving digital world, cyber security threats are becoming increasingly sophisticated.

One of the latest detected modes of attack is the spread of cryptocurrency-stealing malware through fake Microsoft Office extensions.

Cybercriminals exploit these extensions to inject malicious software into users’ systems, with the primary goal of stealing their crypto assets.

Modus Operandi: Fake Extensions with Hidden Malware

According to information from Coinvestasi, cybercriminals upload fake Microsoft Office extensions to software distribution sites like SourceForge.

One of the identified malicious extensions is called “officepackage”, which appears to be an official Microsoft Office add-in.

However, behind its legitimate-looking interface, it hides malware known as ClipBanker. This malware works by replacing the crypto wallet address copied to the clipboard with the attacker’s own address.

Most crypto wallet users usually copy wallet addresses rather than typing them manually. If a device is infected with ClipBanker, funds could unknowingly be sent to a completely different address.
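The clipboard substitution described above can be spotted from the defender's side by polling the clipboard and flagging the moment one wallet address turns into a different address of the same format almost instantly. The following is an added illustration, not code from the article or from any vendor's product; the address patterns, the sample poll log and the one-second window are constructed assumptions, and a real monitor would feed `Sample` records from the live clipboard instead of the embedded list.

```python
import re
from dataclasses import dataclass

# Assumption: only these two address families are monitored (constructed patterns).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"(?:bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def classify(text: str):
    """Return the address family a clipboard value looks like, or None."""
    value = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            return family
    return None


@dataclass
class Sample:
    t: float   # seconds since the monitor started
    text: str  # clipboard contents observed at that moment


def find_swaps(samples, window: float = 1.0):
    """Flag consecutive polls where a wallet address was replaced by a different
    address of the same family within `window` seconds. A clipper rewrites the
    clipboard right after the copy; a person copying a second address takes
    noticeably longer, so the short window keeps false positives low."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        fam_prev, fam_cur = classify(prev.text), classify(cur.text)
        swapped = fam_prev is not None and fam_prev == fam_cur and prev.text != cur.text
        if swapped and (cur.t - prev.t) <= window:
            alerts.append((prev.text, cur.text, fam_prev))
    return alerts


# Constructed poll log: the user copies a BTC address at t=1.0 and it changes
# 200 ms later; the two ETH copies 15 s apart are ordinary user activity.
SAMPLE_LOG = [
    Sample(0.0, "meeting notes"),
    Sample(1.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    Sample(1.2, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    Sample(5.0, "0x52908400098527886E0F7030069857D2E4169EE7"),
    Sample(20.0, "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAE"),
]

if __name__ == "__main__":
    for before, after, family in find_swaps(SAMPLE_LOG):
        print(f"possible {family} clipboard hijack: {before} -> {after}")
```

Pairing an alert with a reminder to re-read the pasted address before confirming a transfer is the practical mitigation the article's advice implies.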

Disguise Tactics: Mimicking Official Developer Pages

These fake extension pages are designed to resemble official developer tool websites, complete with download buttons and Microsoft add-ins.

In fact, these pages can even appear in search results, increasing the chances of users falling victim.

Some of the downloadable files are extremely small—unusual for Office applications, even when compressed.

Other files are intentionally filled with junk data to make them appear as genuine installers.

How the Malware Works: Stealing Data and Avoiding Detection

In addition to stealing crypto, this malware also transmits information from infected devices—such as IP addresses, country, and usernames—to the attacker via Telegram.

ClipBanker also has the ability to detect if it has already been installed on the same device or if antivirus software is present, and will automatically delete itself if necessary.

This attack isn’t solely focused on stealing crypto assets. Access to infected systems can be sold to other malicious actors who may pose even greater threats. The malware also includes crypto mining capabilities as part of its scheme.

Primary Target: Russian-Speaking Users

The program interface is in Russian, indicating that the primary target of this attack is Russian-speaking users.

Data shows that 90% of potential victims are from Russia, with 4,604 users reported to have been exposed to the malware between early January and the end of March 2025.

Preventive Measures: Only Download from Trusted Sources

To prevent similar incidents, it’s crucial for users to only download software from official and trusted sources.

Pirated software and unofficial alternative download links are highly likely to carry malware. The distribution of malware disguised as pirated software is nothing new.

When users seek download methods outside of official sources, cybercriminals offer their own versions. They continually find new ways to make their pages appear legitimate.

With cyber threats like these on the rise, user awareness and vigilance are key to protecting digital assets.
