Fake Microsoft Extensions Embed Malware to Steal Crypto: Report
Cybercriminals target Russian users with ClipBanker malware hidden in fake Microsoft Office packages on SourceForge, hijacking cryptocurrency transactions by swapping wallet addresses and stealing sensitive data via Telegram.
April 9, 2025 at 7:39 PM (last updated April 9, 2025 at 7:39 PM)

According to a new report by Kaspersky’s Anti-Malware Research Team, cybercriminals are now hiding crypto-stealing malware inside fake Microsoft Office extension packages hosted on SourceForge.
The campaign, which primarily targets Russian users, uses a deceptive package called “officepackage” to lure in unsuspecting victims.
Kaspersky’s investigation reveals that these fake downloads cleverly bundle legitimate Office add-ins with a sinister extra, ClipBanker malware. Once installed, ClipBanker silently monitors the user’s clipboard for cryptocurrency wallet addresses.
When a user copies a wallet address, say, to make a transfer, the malware instantly swaps it for the attacker’s address. The funds end up in the wrong wallet, and the user is none the wiser until it’s too late.
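The practical lesson of a clipper is that the swapped-in address is a perfectly valid one, so a wallet that only checks the address checksum will happily accept it. The following is an added example, not code from Kaspersky’s report or from the malware: it implements Base58Check validation for legacy Bitcoin addresses and then shows why a pre-send comparison against the address the user actually meant to use is the check that catches a swap. The genesis-block address is a public constant; the “swapped” address is constructed here from a dummy 20-byte hash.

```python
import hashlib
from typing import Optional

# Bitcoin's Base58 alphabet (no 0, O, I or l, to avoid visual confusion).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(payload: bytes) -> str:
    """Append a 4-byte double-SHA256 checksum to payload and Base58-encode the result."""
    data = payload + _double_sha256(payload)[:4]
    n = int.from_bytes(data, "big")
    digits = ""
    while n > 0:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    # Every leading zero byte is represented by a leading '1'.
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def base58check_decode(addr: str) -> Optional[bytes]:
    """Return the payload (version byte + hash) if the checksum verifies, else None."""
    n = 0
    for ch in addr:
        if ch not in ALPHABET:
            return None  # character outside the alphabet: not Base58 at all
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(addr) - len(addr.lstrip("1"))
    data = b"\x00" * leading_ones + body
    if len(data) < 5:
        return None
    payload, checksum = data[:-4], data[-4:]
    if _double_sha256(payload)[:4] != checksum:
        return None  # typo or corruption: checksum does not match
    return payload


def is_valid_p2pkh(addr: str) -> bool:
    """True for a syntactically valid legacy (version byte 0x00) Bitcoin address."""
    payload = base58check_decode(addr)
    return payload is not None and len(payload) == 21 and payload[0] == 0x00


def check_destination(intended: str, pasted: str) -> str:
    """Pre-send check a wallet UI can run before signing.

    A clipper replaces the copied address with a *valid* attacker address, so
    checksum validation alone passes. The pasted value must also equal the
    address the user actually intended (e.g. one from their address book).
    """
    if not is_valid_p2pkh(pasted):
        return "invalid"   # mistyped or corrupted address
    if pasted != intended:
        return "swapped"   # checksum fine, but not the address that was copied
    return "ok"


# Publicly known address of the Bitcoin genesis block coinbase output.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed stand-in for an attacker's address: version 0x00 plus a dummy 20-byte hash.
SWAPPED_ADDR = base58check_encode(b"\x00" + b"\xaa" * 20)

if __name__ == "__main__":
    print(check_destination(GENESIS_ADDR, GENESIS_ADDR))              # ok
    print(check_destination(GENESIS_ADDR, SWAPPED_ADDR))              # swapped
    print(check_destination(GENESIS_ADDR, GENESIS_ADDR[:-1] + "b"))   # invalid
```

The second call is the ClipBanker case: the substituted address decodes cleanly and passes every syntactic check, and only the comparison with the intended destination reveals the swap. Displaying the first and last few characters of the destination for the user to confirm against the source of the address is the same check done by eye.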
How the Malware Operates
What makes this malware especially dangerous is how well it hides in plain sight. The Kaspersky team points out that some of the infected files are suspiciously small—an immediate red flag, as genuine Office installation packages are typically much larger.
In some cases, attackers even pad these files with useless data to make them look more legitimate. It’s a smart move, designed to trick users who may not pay close attention to file sizes or sources.
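Both red flags the Kaspersky team describes, an installer that is far too small and one bulked up with meaningless filler, can be checked mechanically before a file is ever run. The script below is an added triage example, not from the report: it measures the trailing run of a repeated byte and the share of 4 KiB windows with near-zero entropy, which is what cheap padding looks like. The size threshold is a hypothetical parameter and the sample files are constructed in memory.

```python
import math
import random
from typing import Dict

CHUNK = 4096             # window size for the entropy scan
LOW_ENTROPY_BITS = 1.0   # below this, a window is essentially filler
# Hypothetical floor for what a genuine Office installer should weigh once filler is removed.
DEFAULT_MIN_REAL_BYTES = 50 * 1024 * 1024


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte (0.0 for one repeated byte, close to 8.0 for random data)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    total = len(chunk)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def padding_report(data: bytes, min_real_bytes: int = DEFAULT_MIN_REAL_BYTES) -> Dict[str, object]:
    """Triage heuristic for an installer-sized file.

    'padded' is set when more than half of the windows carry almost no
    information; 'undersized' when the non-filler content is smaller than
    what a real installer of this kind should be.
    """
    size = len(data)
    # Length of the trailing run of a single repeated byte value.
    trailing = 0
    if size:
        last = data[-1]
        while trailing < size and data[size - 1 - trailing] == last:
            trailing += 1
    windows = [data[i:i + CHUNK] for i in range(0, size, CHUNK)]
    low = sum(1 for w in windows if shannon_entropy(w) < LOW_ENTROPY_BITS)
    low_fraction = low / len(windows) if windows else 0.0
    real_content = size - trailing
    return {
        "size": size,
        "trailing_run": trailing,
        "low_entropy_fraction": round(low_fraction, 3),
        "real_content_bytes": real_content,
        "padded": low_fraction > 0.5,
        "undersized": real_content < min_real_bytes,
    }


# Constructed samples: a tiny "installer" followed by a megabyte of zero filler,
# and a file of the same order of magnitude with real (high-entropy) content throughout.
_rng = random.Random(1)
PADDED_SAMPLE = _rng.randbytes(8 * 1024) + b"\x00" * (1024 * 1024)
CLEAN_SAMPLE = _rng.randbytes(1024 * 1024)

if __name__ == "__main__":
    print(padding_report(PADDED_SAMPLE))
    print(padding_report(CLEAN_SAMPLE, min_real_bytes=512 * 1024))
```

The two flags are independent on purpose: a padded file tells you someone wanted it to look bigger, an undersized one tells you it cannot possibly contain what its name promises, and the report above shows both for the constructed bait while the clean sample trips neither.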
Once active, the malware wastes no time. It not only hijacks clipboard data but also sends sensitive device info, like usernames, IP addresses, and geolocation, back to its creators using Telegram.
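Exfiltration over Telegram is attractive to criminals precisely because the traffic goes to a popular, TLS-protected domain, but it still leaves a distinctive shape in proxy logs: the Bot API is reached at api.telegram.org with paths of the form /bot<token>/<method>. The detection below is an added example and not part of the report, which does not say which Telegram interface the malware uses; it assumes a hypothetical proxy log format of "timestamp process host path" and a hypothetical allowlist of agents that legitimately use a bot, and the log lines (process names included) are constructed.

```python
import re
from typing import List, Tuple

# Telegram's Bot API endpoint shape: https://api.telegram.org/bot<token>/<method>
BOT_API_HOST = "api.telegram.org"
BOT_PATH = re.compile(r"^/bot[^/]+/(\w+)")

# Hypothetical allowlist: internal agents that are known to use a Telegram bot for alerting.
ALLOWED_PROCESSES = {"alerting-agent.exe"}

# Constructed proxy log lines in a hypothetical "timestamp process host path" format.
SAMPLE_LOG = """\
2025-04-09T10:01:02Z alerting-agent.exe api.telegram.org /bot<redacted>/getUpdates
2025-04-09T10:01:05Z officepackage.exe api.telegram.org /bot<redacted>/sendMessage
2025-04-09T10:01:07Z chrome.exe www.example.com /
2025-04-09T10:01:09Z svchost.exe api.telegram.org /bot<redacted>/sendDocument
2025-04-09T10:01:11Z Telegram.exe web.telegram.org /
this line is malformed
"""


def bot_api_hits(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, process, bot_method) for Bot API calls by non-allowlisted processes.

    The bot token itself is not needed: the fixed /bot<token>/<method> path shape is
    enough to spot the pattern, and the method name (sendMessage, sendDocument, ...)
    tells the analyst whether data was being pushed out.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # malformed line: skip it rather than abort the scan
        ts, proc, host, path = parts
        if host.lower() != BOT_API_HOST:
            continue
        m = BOT_PATH.match(path)
        if not m or proc.lower() in ALLOWED_PROCESSES:
            continue
        hits.append((ts, proc, m.group(1)))
    return hits


if __name__ == "__main__":
    for ts, proc, method in bot_api_hits(SAMPLE_LOG):
        print(f"{ts} {proc} -> Telegram Bot API {method}")
```

Only the two unexpected processes are reported; the browser visiting an ordinary site and the desktop Telegram client reaching its own web endpoint are left alone, which keeps the alert volume low enough to act on.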
The malware is even programmed to check for antivirus software or whether it’s already installed; if either is detected, it self-destructs to avoid exposure.
Beyond clipboard hijacking, the malware may also deploy a crypto miner to siphon off processing power for mining digital currency. It doesn’t stop there: Kaspersky warns that attackers could sell access to infected systems, opening the door to more dangerous threats down the line.
Why Download Vigilance Matters
This attack shines a spotlight on a growing issue: the exploitation of open-source software platforms like SourceForge. Because these repositories are open to the public, they can become breeding grounds for malicious uploads disguised as legitimate tools.
Kaspersky reported that between early January and late March, 4,604 users encountered the infected software. The bulk of the victims so far are in Russia. The interface of the fake installers is in Russian, suggesting a targeted campaign. Still, with SourceForge accessible worldwide, the threat is anything but local.
To stay safe, users are urged to avoid pirated or unofficial software and stick to trusted sources. As Threat Fabric recently noted on March 28, 2025, cybercriminals are constantly evolving—leveraging convincing fake websites, pirated apps, and overlays to trick even experienced users.
© 2025 Coinwaft. All Rights Reserved.
Amoo Jubril
Writer