CRIL Uncovers ClipXDaemon: Autonomous Linux Clipboard Hijacker Targeting Cryptocurrency Transactions

Cyble Research and Intelligence Labs (CRIL) today released findings on ClipXDaemon, a newly identified Linux malware strain designed to hijack cryptocurrency transactions by manipulating clipboard data in X11 environments. The malware represents a shift in financially motivated Linux threats, operating autonomously without command-and-control (C2) infrastructure while silently replacing copied cryptocurrency wallet addresses with attacker-controlled addresses in real time.

As cryptocurrency adoption continues to grow among developers, traders, and enterprise users, threat actors are increasingly targeting Linux-based systems and workflows. ClipXDaemon demonstrates how attackers are evolving their techniques to exploit everyday user actions such as copying and pasting wallet addresses during transactions.

“ClipXDaemon reflects an emerging class of autonomous Linux malware designed for direct financial monetization,” said a CRIL researcher at Cyble. “By eliminating the need for command-and-control communication and relying solely on local clipboard manipulation, this threat significantly reduces its network footprint and increases the difficulty of detection.”

Key Findings ...