ClipXDaemon Emerges as C2-Less Linux Clipboard Hijacker, Targeting Crypto Wallets in X11 Sessions


A newly discovered Linux malware named ClipXDaemon has emerged as a direct financial threat to cryptocurrency users in X11-based desktop environments.

Unlike conventional malware that depends on command-and-control (C2) servers for instructions, ClipXDaemon operates entirely on its own — silently monitoring the clipboard every 200 milliseconds and replacing legitimate wallet addresses with attacker-controlled ones.

Once deployed, it runs entirely on the victim’s machine with no network beacons, no remote commands, and no external infrastructure of any kind needed.

The malware surfaced in early February 2026 through a loader structure previously linked to ShadowHS, a Linux threat documented in January 2026 that deployed post-exploitation tools against server environments.

Both campaigns share a staging wrapper built with bincrypter, a publicly available open-source shell-script encryption framework, but their payloads are operationally very different.

ShadowHS targeted servers, while ClipXDaemon goes after Linux desktop users who copy and paste cryptocurrency wallet addresses during everyday transactions.


The shared use of the same obfuscation tool reflects a growing trend of attackers reusing open-source utilities to cut development costs and complicate attribution, rather than any shared authorship.

Cyble analysts identified the malware and named it ClipXDaemon, noting that it targets eight cryptocurrency formats — Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON.

Wallet regex patterns and replacement addresses are encrypted inside the binary using ChaCha20 stream encryption, shielding them from static analysis.

Active replacement wallets were confirmed for six assets during dynamic analysis, while TON and Ripple appeared monitored only, with no replacement addresses observed. At the time of analysis, the ELF payload went entirely undetected on VirusTotal.

Base64 Encoded ELF payload (Source - Cyble)

What distinguishes ClipXDaemon most is the complete absence of any network activity.

The binary carries no embedded IP addresses or domains and never initiates DNS queries, HTTP connections, or socket communication, making traditional network-based defenses completely ineffective.

There are no servers to seize, no traffic to analyze, and no infrastructure to dismantle.

Monetization occurs at one precise moment: when a victim pastes a copied wallet address, the malware silently swaps it with an attacker-controlled one before the transaction confirms — a substitution that most users fail to notice until their funds are already gone.

A Three-Stage Infection Chain Designed to Hide

ClipXDaemon arrives through a three-stage infection chain built to leave minimal traces.

The process begins with a bincrypter-generated encrypted loader, which stores the encoded payload inline, decodes it, and decrypts it with AES-256-CBC.

Bincrypt Obfuscated Loader (Source - Cyble)

The loader then decompresses the result with gzip and executes the intermediate dropper directly through a /proc/self/fd file descriptor, never writing the decrypted stage to disk.

Dropper Cosmetics (Source - Cyble)

The dropper decodes an embedded 64-bit ELF binary and writes it to a randomized filename under ~/.local/bin/.

Persistence Mechanism (Source - Cyble)

It then appends the payload’s execution to ~/.profile, creating login-triggered persistence with no root access, cron jobs, or system services required.

Once active, the payload checks whether the Wayland display server is present and exits immediately if detected, since Wayland restricts the global clipboard access that X11 allows.

With X11 confirmed, it performs a double-fork daemonization sequence and renames its process to kworker/0:2-events using prctl(PR_SET_NAME), mimicking a kernel worker thread to avoid suspicion in routine process listings.

It then polls the clipboard every 200 milliseconds, and when a copied string matches one of eight encrypted cryptocurrency wallet patterns, the implant silently replaces the clipboard content with a hardcoded attacker wallet address before the paste operation completes.

Linux and cryptocurrency users should prioritize migrating from X11 to Wayland wherever feasible, as Wayland blocks the global clipboard scraping ClipXDaemon relies on.

System administrators should audit changes to ~/.profile and ~/.bashrc, flag new executables inside ~/.local/bin/, and investigate any background process with a kernel-thread name running under a non-root user account.

Behavioral EDR controls should alert on ELF binaries executed via /proc/self/fd, double-fork daemonization from user shells, and high-frequency clipboard polling from background daemons.
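The host-side checks recommended above can be scripted from /proc and the home directory alone. The following is an added example written for this article, not Cyble's tooling or anything recovered from the malware: it flags processes that carry a kernel-thread style name (kworker/…) but are not real kernel threads (non-root UID, parent other than kthreadd, or a readable userland /proc/<pid>/exe), lists executables under ~/.local/bin/, and reports ~/.profile and ~/.bashrc lines that invoke something from that directory. The sample process records and profile text embedded in the script are constructed for demonstration; the PID and path values in them are placeholders, and the regular expressions are this example's own assumptions about what a hunt should match.

```python
"""Hunt for ClipXDaemon-style host artifacts (added example, not Cyble's code)."""
import os
import re
import stat
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Genuine kernel threads are children of kthreadd (PID 2), run as root, and
# have no userland executable behind /proc/<pid>/exe. A daemon that renamed
# itself with prctl(PR_SET_NAME) fails at least one of those tests.
KTHREAD_NAME = re.compile(r"^(kworker|ksoftirqd|kswapd|migration|rcu_|kthreadd)")
KTHREADD_PID = 2

# Lines that run something out of ~/.local/bin/ (a PATH export such as
# "$HOME/.local/bin:$PATH" has ':' after the directory and does not match).
LOCAL_BIN_EXEC = re.compile(r"(?:~|\$HOME|\$\{HOME\}|/home/[^/\s]+)/\.local/bin/\S+")


@dataclass
class Proc:
    pid: int
    comm: str          # /proc/<pid>/status "Name:" (kernel caps it at 15 chars)
    uid: int           # real UID from the "Uid:" line
    ppid: int
    exe: Optional[str]  # readlink(/proc/<pid>/exe); None when unreadable/absent


def suspicious_kthread(p: Proc) -> List[str]:
    """Return the reasons a kernel-thread-named process looks fake (empty = fine)."""
    if not KTHREAD_NAME.match(p.comm):
        return []
    reasons = []
    if p.uid != 0:
        reasons.append(f"kernel-thread name but uid {p.uid}")
    if p.pid != KTHREADD_PID and p.ppid != KTHREADD_PID:
        reasons.append(f"parent pid {p.ppid}, not kthreadd")
    if p.exe:
        reasons.append(f"has userland exe {p.exe}")
    return reasons


def read_procs() -> List[Proc]:
    """Collect Proc records for every PID visible under /proc."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/status") as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
            comm = fields["Name"].strip()
            uid = int(fields["Uid"].split()[0])
            ppid = int(fields["PPid"].strip())
        except (OSError, KeyError, ValueError):
            continue  # process exited mid-scan or status unreadable
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # true kernel thread, or another user's process
        procs.append(Proc(pid, comm, uid, ppid, exe))
    return procs


def profile_references(profile_text: str) -> List[str]:
    """Non-comment lines in a shell profile that execute a ~/.local/bin/ entry."""
    hits = []
    for line in profile_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if LOCAL_BIN_EXEC.search(stripped):
            hits.append(stripped)
    return hits


def local_bin_executables(bin_dir: Path) -> List[Path]:
    """Regular files with the owner-execute bit set under bin_dir."""
    if not bin_dir.is_dir():
        return []
    return sorted(p for p in bin_dir.iterdir()
                  if p.is_file() and p.stat().st_mode & stat.S_IXUSR)


# Constructed sample data (placeholder PIDs and paths), so the script shows
# output even on a clean host.
SAMPLE_PROCS = [
    Proc(40, "kworker/0:1", 0, 2, None),                                  # real
    Proc(4321, "kworker/0:2-eve", 1000, 1, "/home/user/.local/bin/x9Qk"),  # fake
]
SAMPLE_PROFILE = 'export PATH="$HOME/.local/bin:$PATH"\n~/.local/bin/x9Qk &\n'

if __name__ == "__main__":
    for p in SAMPLE_PROCS + read_procs():
        for reason in suspicious_kthread(p):
            print(f"[proc] pid {p.pid} {p.comm}: {reason}")
    home = Path.home()
    for f in local_bin_executables(home / ".local" / "bin"):
        print(f"[file] {f} mtime {int(f.stat().st_mtime)}")
    for name, text in [("sample", SAMPLE_PROFILE)] + [
            (rc, (home / rc).read_text(errors="replace"))
            for rc in (".profile", ".bashrc") if (home / rc).is_file()]:
        for line in profile_references(text):
            print(f"[persist] {name}: {line}")
```

Run it as the user whose session is in question; /proc/<pid>/exe for other users' processes is unreadable without root, which the script treats the same as a kernel thread, so a cross-user sweep should be run as root. The "Name:" field is capped at 15 characters by the kernel, which is why a prctl-set "kworker/0:2-events" shows up truncated and the pattern only anchors on the prefix.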

Users should manually verify every wallet address before confirming a cryptocurrency transfer and strongly consider hardware wallets that display recipient addresses independently from the host system.
