Bitcoin Forum

A newly evolved Clipper and a keylogger called “BunnyLoader”. And we all know that there are a lot of variants of keylogger and clipboard malware that replaces crypto currency wallet with that to a wallet address that this criminal controls. This malware has undergone some transformation already, and it's very clever to see that it will test if your system runs on sandbox and usernames. So the Clipper looks for cryptos:

https://www.talkimg.com/images/2023/10/04/PiMXJ.png

Also looks for this information to steal:

https://www.talkimg.com/images/2023/10/04/PimzC.png

So it's very important for us crypto enthusiast to learn how to protect from this kind of malware. We need to install the latest anti-virus, and not just to download any crack softwares as this is where this criminals exploited their victims. When we thought that we can get free softwares, but we don't know that the criminals have laded it with a lot of malwares and we will only know until it's too late. And for the Clipper capability of this malware, we should check the details of the addresses that we are going to send to, make sure everything is correct so that we will not be a victim here. And obviously, do not click any links like in our email, maybe it doesn't look suspicious at all, but if we don't know the source or even know the source, we should be very very careful.

https://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-service

Security consciousness is the first thing everyone of us here should hold firmly, because the more we tryna make things better for us that's the same way hackers are working hard to reduce our efforts. My most serious concern is the fact that the author Poker BL confirm it, to be a fileless loading feature that "makes it difficult for the antiviruses to remove the attackers malware. Which means it might have been in action in ours machines without our notice, so what then can we even do to stop it?. It's really depressing to find this kind of information that your investments or credentials are at risk using your browsers, and most times we can't even avoid using this browser because they are still very important at same time.
Well, thank you for this information because it has created an awareness in us.

The article doesn't seem to indicate how the malware is spreading, but the threat library (https://threatlibrary.zscaler.com/?threatname=win32.downloader.bunnyloader) provides entries that reference the initial access being made (or perhaps, likely made) through either a spearphishing attachment (https://attack.mitre.org/techniques/T1566/001/) or a spearphishing link (https://attack.mitre.org/techniques/T1566/001/), some of the most common forms for spreading malware.

Side note:
Using a hardware wallet does not exempt one from being a potential victim to clipboard malware, as some people believe. Though the screen of the device will show you the address you are going to send the TX to, and you can (and should) contrast that against your intended address, you need to check against the original intended address, not the address you copied and pasted on the wallet interface (clipboard malware can change the address between the address you copied, and the pasted address on the wallet’s interface – i.e. Trezor Suite or Ledger Live).

Thanks for bringing this useful information in front of us, I mean hackers are now breaking their limits with such upgradation, but to be honest I am really disappointed to see that they are only selling it for $250 dollars. That's too low. And those who will become victims, who know how much loss they are going to make.  :P

Overall, the working mechanism of this tool is straightforward, and if they are attacking the above wallets then I am safe Because using none of them (Well this also can be used to filter my address by hackers if they are here on BTT using this tool  ;D )

What pre-cautions should we take besides just not clicking on doubtful emails?

Bunny loader is basically a trojan that is highly rated for its potential to cause damage to victims based on its nature which is capable of extracting almost everything from your device from keystrokes, browser history, auto-fill details, cookies, and also with the ability to replace the data like wallet addresses.

As you said it mostly affects the system via emails pretending to be one of the services they are already using or random downloads from unknown websites. But it seems highly undetectable as per many cyber security experts and can stay unnoticed forever so the best possible solution is to stay away from downloading it in the first place.

Here is an article that explains how can we manually remove the Bunny loader - MaaS

How to remove BunnyLoader from the operating system (https://www.pcrisk.com/removal-guides/27955-bunnyloader-malware)

I think the group wanted to impressed in the beginning, that's why they are selling it for a cheap price. But as reported, there are upgrades already and it will be upgraded again and again.

The moral lesson here is that everyone is vulnerable, no one should think that everyone is safe because you really don't know the extent this cyber criminals can do specially with this kind of weapons. They can even control everything from their command and center (C&C) and monitor what they are doing in your own device. This posts by @LoyceV is very helpful as well with regards to Clipboard malware, How to lose your Bitcoins with CTRL-C CTRL-V (https://bitcointalk.org/index.php?topic=5190776).

This is very important to take note that such attack had been existing before now, this should be a reminder as well that they ain't stopping in this kind of operational mode to attack others and steal their bitcoin, i remember one of the main threads that also introduced how one can loose his bitcoin through ctrl c and ctrl p https://bitcointalk.org/index.php?topic=5190776.0 if we are aware of this kind of malicious attack, we will always stay safe and be unaffected following both recommendations that prevents one from such attack.

Installing the latest antivirus software is a poor advice and may be provided by some technical articles, but antiviruses update their database periodically, which means that there may be viruses that are not present in the database, which gives high probability false positive reports.

Using hardware wallets or open source wallets will not change anything here, but rather:

 - Do not install applications that you do not trust.
 - Check the title completely, or at least the first and last 8 characters.
 - Make sure everything is correct before broadcasting the transaction.

I would not say that this is bad advice, especially if it is a premium AV that updates its database of antivirus definitions several times a day and has good heuristic analysis that can detect viruses/malware even if it is not in the definition database. However, as far as I remember from some previous discussions, clipboard malwares usually cannot be detected using AV, although I don't know if anything has changed in that regard.


Today it is hard to believe that an app is reliable (trusted) unless it is an app that has millions of downloads and it is possible to verify it before installing it. Even if it is in one of the legitimate app stores, it does not mean that we should consider it 100% safe - and what can we say about those cracked apps that are downloaded via torrents or various suspicious websites.

In much simpler terms, if you know how to behave online, have a solid AV/firewall and don't use cracked software, the chances of picking up something like clipboard malware are very low or none.

Yes, this kind of attacks won't top, and on the contrary, they will continue to developed more clipboard malware that is more advanced that the previous one. So very difficult to caught this if our machines are infected already. And I remember that when this kind of malwares are first spotted, there are several members here who reported and fall victims.

And so we already know this kind of attacks and hopefully this is a reminder that this malware is still in existence and so we shouldn't forgot to check everything before sealing our transactions because once is done, we can't revert it back.

I do agree that anti-virus is not going to detect every malware, especially the newly created ones but for a layman there is no better tool than anti-virus to tackle their cyber security, at least it will be able to detect the known malware.

To protect our crypto assets we can be careful to some extent but these kinds of apps are getting more advanced and I read it is capable of even remote commands so once a system is affected there is a possibility of losing our crypto funds even without any action from our side.

Cybersecurity is the biggest concern of the 21st century, but most people still use Windows, which is at least security-resistant when it comes to avoiding attacks. So, the first thing we should do is install Linux because it offers enhanced security features and greater control over system vulnerabilities, making it a prudent choice for those looking to bolster their online defenses.

Clipboard malware is very common nowadays. I had accidentally infected my computer with one of this kind of malware one time. Later had to reinstall windows again, cause I don't use any antivirus software.

Those who are new to this malware, usually confuse the first time. I have seen many accidentally sending their assets without realizing that the original address is replaced with the phishing address. It's pretty sad and dangerous for those who never encountered it. They could loss their entire life savings.

Till now I have seen malware that works as replacing the address. But now that I see, they are programmmer with additional features like stealing saved passwords, I'm a little concern. It's a huge treat for us.

Those who are prone to this type of malware are the ones who keep on downloading from unknown sources on the web and download random files that aren't verified. While it is a good measure to have an anti-virus, the best form of anti-virus is being informed and aware of the potential risk upon downloading files that you're not aware of. Like what we're saying, "prevention is better than cure" and it's also applicable to this. We don't need to wait until our devices are infected by it but avoid any forms of red flags that are likely to get you malware like bunny loader. A usual practice before doing a transaction is not to be lazy checking the address if it's correct or not, and don't get tired of reading each character, letter, and number before pressing the send button. It sounds simple but will help you verify and avoid making a mistake.

I find this pieces of information very helpful and useful. Scammers are never tired of doing the unbelievable. On daily basis, they develop new strategy and gimmicks lurking around to be real with ill intentions of undoing unsuspecting individuals. It takes a smart  person to decipher their codes and know what they are up to this time around as they are now heavily sophisticated with their upgraded techniques of operating. Could it be possible that this could occur by just opening a mail?

It is still very important to update our anti-virus, of course its a game for this cyber criminals, they created new variants of their malware/virus try to spread to to many forms and once the anti-virus company get ahold of this, they will study and make it to their database.

Linux or any other flavor of Unix per se, it might be good as a detrimental or to some extend some IOS device too. As they are target least by this cyber criminals as compare to Windows which is like 80% of laptop/pc users are under this operating system.

Try to delete all cookies after you visit the Internet, and set a time after which the session will automatically end if you are inactive. Sometimes hackers can recover session IDs from cookies and, from there, get user passwords and gain full control of the computer. You won’t even know who can surf the Internet with you at the same time if a hacker adds a RAT (remote access Trojan) to your computer. In addition, check the files that are added to your startup. Although, of course, we know that viruses are now hidden under popular processes in the Windows system, you can track the folder in which they may be located.


If you open an attachment that is in an email, it is almost always guaranteed that your computer will be infected. This will not happen if you simply open an email. Never click on links.

Of course, Its just a marketing technique to sell a product in cheaper amount at start and when it starts to make scammers some money then they will of course increase the prices. I was just thinking, that if this tools really works in a efficient way that the sellers said, then why bothering to sell others and not using it by themselves.

Ok, I got it, they want to divert or distribute the interest of authorities (I mean when there will be more users of this tools <--Buyers). In simple words, they want to stay off the radar. But what other than this.

Thanks for mentioning the thread, it was really a good reminder but I was already aware of such attacks knows as Address poisonings attacks and that's why whenever I send money from one to another address, I totally check the letter one by one. Because it only take few seconds to verify it, and it is far better than regretting later.

Frequently, I use my mobile phone to carry out transactions, and I have not experienced any of these clipboard malwares on my phone. Although I know that there are malwares attack here and there, I am always careful about the sites I visit and things I download on my phone. Last month I came across a thread where the OP was warning users against downloading any keyboard app on their mobile because most of those keyboard apps contain malware, and anyone who is not just familiar with the space can easily fall victim. My PC is protected with strong anti-virus software (TotalAV), and I have not experienced any clipboard issues on the PC. I know that since I first heard about the clipboard virus, I have always been careful because I don't want to be a victim and lose my asset to those hackers.

Yes there are people that actually get lucky not to this things caught but do not be too certain on things like this. Even with the latest or strong anti-virus they can still get caught and the bad thing is even you wouldn’t easily find out that you have got caught. The best thing is to try as much as possible to avoid downloading just any application and one should check their transactions details like the address properly before broadcasting them. And if you have much funds try to get them off online wallets, don’t get too comfortable with them because hackers can strike where you list expected them

Being careful is great. It's how we can avoid exposing ourselves to these malwares and other possible attack vectors. As long as you're careful about what links you click and what files you download to your devices, you're good to go.  Another note about Antivirus programs is that they can only provide you so much security which is why Antivirus is not a hot topic in security discussions these days. It's nice to have though.

For keyboard apps, it might be true. As a matter of fact, Apple doesn't let users to use 3rd party keyboards when it comes to entering sensitive details like passwords, keys, etc.

Since my thread on clipboard virus and many other viruses which have been discussed before the one I letter brought to this forum, I have seen that this hackers or group of hackers are not just ending their scamming schemes they are doing everything within them to upgrade their tools and make sure they are prepared for which ever tools that people are using to protect them self from being victim of their hack.

This one they have gotten to a stage where some of the virus are not even being detected by most of our highly recommended antivirus has proven that the hackers have upgraded beyond measures, with or without using any anti virus we all just have to be careful on with what we click on our system that we use for our crypto wallet as that’s their major target.

If it’s even possible one should just have one device aside for just crypto wallet and and other ones which can be use to run any online actives and erra because we can’t really tell where most of this virus are coming from unless for the source which has already been discovered and identified we don’t know where else their malicious link could be found.

If those Antivirus softwares are not updated fast enough to deal with newest viruses, they will have to base on old data and scanning with them potential results in false negative report. That if we trust on false negative report from those softwares and think our devices are clean, we can lose our coins.

The biggest fear and threat is losing coins directly by a device and wallet compromise.

Checking some first and last characters of a Bitcoin address is a good practice.
How to lose your Bitcoins with CTRL-C CTRL-V (https://bitcointalk.org/index.php?topic=5190776).

Years ago, online services don't have the reminders for their users but recent years, it becomes a mandatory step when you submit a withdrawal request to an exchange. Spending a couple of seconds to check some characters is worthy to do and help us to avoid loss.

It's very easy to spot it.
Make sure you make double checking everything into a habit.

Good builder always repeats this like mantra: measure twice, cut once. You do the same with your transactions, double check then press the button. So, after pasting the address I read it and compare to the original. If I see a change that's a red flag. I haven't had that keylogger yet but if I ever spot it I'll stop right there, disconnect my network cable, run anti virus software, then change all the recently used wallet passwords in offline mode.

If you can afford it, get yourself a separate laptop for your less safe activities. Like downloading pirated movies and software. Especially for late-hour XXX adventures. Keep such stuff away from your main devices so even if something happens, you can easily recover. 

That's correct in theory but has anyone ever seen it in practice? Do we have a documented case where a user saw a different address in his Trezor Suite or Ledger Live compared to the information that was later displayed on the hardware wallet screen?

I seriously doubt it. Such malware is associated with attachments or links where you automatically download and install it in the background. Opening and reading phishing emails or social engineering scams won't infect you. But that doesn't mean you should do it because it increases the possibility that you could click on something in those emails.

I was really aiming at prior step in the chain though in my comment, which would seem more like a potentially feasible situation one may encounter, and that having using a hardware wallet should not exempt the user from being cautious about.

Say someone wanted to pay in bitcoin for a given service/item on a certain ecommerce site. The site will show an address (A), and the user may copy/paste the address from the site to Trezor Suite/Ledger Live (B) wallet interface. Then he’ll use his hardware wallet (C) to generate the payment transaction.

In this scenario, a clipboard malware could change the address copied in step A in such a way that the pasted address value in step B is now different (i.e. the malicious actor’s address). The user may happily compare the (now malicious) address shown in step B with that of the hardware wallet’s address in step C, see they’re the same, and happily sign the payment TX. What I wanted to stress is that one really needs to compare the address on the screen (step C) with the original address back in step A (the seller’s provided address), and not (just) B.

Interesting, good thing that you posted this one here making a lot of members here in the Forum about this one, It a pretty interesting malware looking for information that is actually related to cryptocurrency, there are for sure some obvious things here like credit cards, download, history, password, autofill data. I mean you would really save something like that on a computer even though it is for sure your personal computer, because of something like this because now if the hacker is able to gain access to your computer they could easily access this information as well where it could easily lead to getting hack and losing your money.

I mean if you actually know what you are doing this hacker cannot really access your computer since this malware needs to run first and if you dont really download anything that is suspicious for sure there was nothing to worry about, so just avoid downloading things that is not really trusted like, for example, your going to download a file from a really suspicious website, or download a file that is sent by an unknown email on your email account or downloading crack games, this files might contain malware, virus, etc. that could easily wipe your cryptocurrency, you could for sure buy a cheap laptop where you're only going to use it for cryptocurrency to avoid this.

I am afraid of this malware. The problem is we don't know when these malware affect our machines until we notice the changes of address. Most of us do not double-check the address before we send the crypto to the destination. I wonder how this malware enters the system. Do these malware get downloaded with other programs? Let's say I did not download any program or file in the last couple of months, do I still have the possibility to get affected? Can those malware get into my machine just by visiting some random links? If this malware cannot get into a PC without downloading any program, then it's a relief. Otherwise, it's a big threat as we always click random links.

You should always compare the address on the hardware wallet screen to the address of the source. In your example, the source is the ecommerce site, not the Trezor Suite/Ledger Live software. If those addresses match, you are good to go. The one problem that could still arise is that the source displays a wrong address, but in that case, it's their mistake and you just sent money where they told you to. 

I know that I do, multiple times. If you belong to the group that doesn't do it, you better change for your own good. One slipup and your coins are gone.

I know I have to be careful with it. These things are habits. If someone is concerned about their security, they always double-check these things before performing actions. Usually, I do not check does not mean I always do not check. I check sometimes, but I have to be careful with it.

Did you read the other part of my post? I want to know how can I escape this malware. How they get into the system. I will have to do some research if I do not get any reply here. Usually, I click on random website links provided by forum members, social media people, and friends.

I saw it but I don't know how people get infected. I treat everything I am unsure of as a potential threat and it has helped me to protect my devices from malware of all kinds.

I can only advice you to stop. That's one way how to get infected with something. Limiting your curiosity helps you be safe online. If the links and messages come from friends, it doesn't mean they are safe. Those friends might not wish you any harm, but they too might have been infected with something that is now spreading by itself. Try to apply as much common sense as you can to anything you do online and think twice before doing something.