
Rust Crypto Clipper Uses Ghost Networks on VirusTotal and SourceForge to Target Solana Snipers
A threat actor built synthetic trust layers across GitHub, SourceForge, VirusTotal, and press syndication to distribute a Rust-based Solana clipper. The campaign reveals attackers now automate reputation systems the same way they automate payload delivery. Detection requires monitoring coordinated comment patterns and anomalous download geography rather than file signatures alone.
Check Point documented coordinated five-star comments on VirusTotal, 44,485 SourceForge downloads with 37,460 listed as Android despite no mobile build, and a YouTube channel posting AI-narrated tutorials since July 2020. The clipper monitors the clipboard for text matching wallet-address regex patterns and replaces any match with an address from a hardcoded attacker list. Evidence shows the same accounts cross-posting across GitHub, SourceForge, and news syndication sites, creating a closed reputation loop rather than organic adoption.
Prior campaigns such as the 2023 EvilExtractor and 2024 Lumma Stealer distribution rings used similar review farms but stopped at GitHub stars. This operation adds EIN Presswire syndication into USA TODAY Network properties and VirusTotal comment flooding, a step that bypasses both platform heuristics and user verification. The pattern indicates attackers now treat trust signals as programmable infrastructure.
The targets, crypto traders seeking sniper bots and crash predictors, are high-velocity wallet users who copy addresses frequently. Once installed, the malware runs silently with no persistence artifacts beyond the address list. Independent researchers have not yet published YARA rules or wallet-cluster analysis, leaving the scale of drained funds unknown.
Next indicators will appear in fresh VirusTotal submissions showing identical comment phrasing and new GitHub repos with rapid star counts above 100. Wallet address reuse across the hardcoded lists will surface in on-chain tracing within 60 days.
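The two signals named above (near-identical comment phrasing across accounts, and downloads attributed to a platform with no build) can be scored as follows. This is an added example, not code from Check Point or the campaign; the account names, comment texts, similarity threshold, and minimum cluster size are constructed assumptions, and only the download totals come from the article.

```python
import re
from itertools import combinations

def shingles(text, k=3):
    """Lower-case, drop punctuation, return the set of k-word shingles."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    n = max(1, len(words) - k + 1)
    return {tuple(words[i:i + k]) for i in range(n)} if words else set()

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def coordinated_clusters(comments, threshold=0.6, min_accounts=3):
    """comments: list of (account, text). Returns sets of distinct accounts
    whose comments are near-duplicates (threshold/min_accounts are assumed)."""
    sh = [shingles(text) for _, text in comments]
    parent = list(range(len(comments)))

    def find(i):  # union-find root lookup with path halving
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(comments)), 2):
        different = comments[i][0] != comments[j][0]
        if different and jaccard(sh[i], sh[j]) >= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i, (account, _) in enumerate(comments):
        groups.setdefault(find(i), set()).add(account)
    return [g for g in groups.values() if len(g) >= min_accounts]

def no_build_share(downloads_by_os, platforms_without_build):
    """Fraction of downloads attributed to platforms the project has no build for."""
    total = sum(downloads_by_os.values())
    phantom = sum(n for name, n in downloads_by_os.items()
                  if name in platforms_without_build)
    return phantom / total if total else 0.0

# Constructed sample comments (not real VirusTotal data).
SAMPLE_COMMENTS = [
    ("acct_a", "Five stars! Safe tool, works great for Solana sniping, no issues."),
    ("acct_b", "Five stars, safe tool, works great for Solana sniping, no issues at all"),
    ("acct_c", "Really five stars! Safe tool, works great for Solana sniping, no issues."),
    ("acct_d", "Flagged by two engines; clipboard access looks suspicious to me."),
]
# Article totals: 44,485 downloads, 37,460 listed as Android; the rest lumped as "Other".
SAMPLE_DOWNLOADS = {"Android": 37460, "Other": 44485 - 37460}
```

On the article's figures, `no_build_share(SAMPLE_DOWNLOADS, {"Android"})` is about 0.84, meaning most recorded downloads claim a platform the project cannot run on.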
Sentinel: At least three new GitHub repos with identical VirusTotal comment phrasing will appear within 45 days.
Sources (3)
- [1] Check Point Research (https://research.checkpoint.com/2024/crypto-clipper-fake-reviews/)
- [2] The Hacker News (https://thehackernews.com/2026/06/crypto-clipper-campaign-abuses-fake.html)
- [3] SourceForge Download Logs (https://sourceforge.net/projects/solana-sniper-bot/files/)