Kaspersky experts have reported a new attack scheme in which hackers disguised malware as legitimate extensions for Microsoft Office. To spread the threat, they used the popular SourceForge platform by uploading a project called officepackage. The project description offered useful add-ons to the office suite, allegedly copied from GitHub.
A user who followed the link was shown an extensive list of Office programs available for download. Installing any of them, however, started malicious processes: once the modified installer ran, it connected to the attackers' remote server and quietly dropped a cryptocurrency miner onto the victim's system together with ClipBanker, malware that monitors the clipboard and replaces crypto wallet addresses. As a result, cryptocurrency intended for the legitimate recipient was redirected to an address controlled by the attackers.
According to Kaspersky, this malicious campaign primarily targets users from Russian-speaking countries. At least 4,604 users have been confirmed to have been affected by the attack, and about 90% of them are located in Russia.
After many Microsoft services stopped working in the country, official access to Office products became limited. This drove the popularity of alternative platforms for downloading software. Users perceive sites like SourceForge as more trustworthy than random sources, which lets attackers pass off malware as supposedly safe software.
Kaspersky emphasizes: downloading software from unverified sites is always associated with serious risks. In a situation where the official source is unavailable, it is especially important to be aware of possible threats and be careful when choosing alternatives.
Earlier, in March, experts from Threat Fabric reported on a similar threat: a Trojan targeting banking applications and cryptocurrency wallets on Android devices.