ClipXDaemon is an autonomous Linux clipboard hijacker malware that targets cryptocurrency users operating in X11 desktop environments. First detected in February 2026, ClipXDaemon is delivered through a bincrypter-based encrypted loader and monitors clipboard contents every 200 milliseconds, specifically targeting cryptocurrency wallet addresses. The ClipXDaemon malware replaces copied cryptocurrency wallet addresses with attacker-controlled alternatives, redirecting cryptocurrency transactions to wallets controlled by the threat actors behind this campaign.
ClipXDaemon operates entirely without command-and-control infrastructure, representing a novel autonomous approach to cryptocurrency theft that monetizes victims directly through manipulated wallet addresses during cryptocurrency transactions. The malware targets a wide range of cryptocurrency platforms including Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON, making it a significant threat to the global cryptocurrency industry.
The ClipXDaemon attack chain begins with an encrypted shell-script loader created using bincrypter, an open-source tool for protecting shell scripts. During ClipXDaemon execution, the payload is decoded from base64, decrypted with AES-256-CBC, decompressed with gzip, and executed directly from memory, ensuring that decrypted components never touch the disk and evading traditional static inspection methods. Once active on X11 systems, ClipXDaemon detaches itself and disguises its process name to resemble a kernel worker thread, making the malware less noticeable in process lists while continuously monitoring clipboard contents for cryptocurrency wallet addresses to hijack.
In early February 2026, security researchers identified a new Linux malware strain named ClipXDaemon. The malware spreads through a multi-stage infection chain that begins with an encrypted shell-script loader created using bincrypter, an open-source tool for protecting shell scripts. The ClipXDaemon loader contains an encrypted payload hidden inside the script that remains obfuscated until execution. During ClipXDaemon execution, the payload is decoded from base64, decrypted with AES-256-CBC encryption, decompressed with gzip, and executed directly from memory.
Because the decrypted ClipXDaemon components never touch the disk during the infection process, traditional static inspection and file-based antivirus detection become significantly more difficult. The ClipXDaemon loader’s structure resembles techniques used in earlier ShadowHS campaigns, though no confirmed link has been established between ClipXDaemon and the ShadowHS threat actor group.
After running the encrypted loader, the ClipXDaemon in-memory dropper prints a harmless-looking message to appear legitimate to any user who might observe the execution. The dropper then decodes an embedded ELF binary and writes the ClipXDaemon payload to disk using a random filename composed of several characters followed by numbers. The ClipXDaemon file is placed in a normal user directory such as ~/.local/bin/, avoiding the need for administrator privileges and blending in with ordinary user programs.
The ClipXDaemon dropper marks the file as executable, launches it quietly in the background, and adds a command to ~/.profile that ensures the ClipXDaemon program runs again during future user login sessions, establishing persistent access to the compromised system across reboots.
The installed ClipXDaemon payload is a 64-bit Linux program linked to X11 libraries. Upon execution, ClipXDaemon first checks whether the compromised system is using Wayland display server protocol. If Wayland is detected, the ClipXDaemon program stops immediately because Wayland’s security architecture prevents global clipboard monitoring, rendering the malware ineffective on Wayland-based Linux systems.
On systems using X11 desktop environments, the ClipXDaemon malware detaches itself from the terminal and disguises its process name to resemble a kernel worker thread using process name manipulation techniques, making ClipXDaemon less noticeable in process lists and evading cursory system administrator inspection.
Once active on X11 systems, the ClipXDaemon program repeatedly checks the system clipboard every 200 milliseconds using X11 selection APIs for continuous monitoring. ClipXDaemon scans clipboard text with encrypted patterns specifically designed to recognize cryptocurrency wallet addresses, including formats for Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON cryptocurrency platforms.
When a matching cryptocurrency wallet address appears in the clipboard, the ClipXDaemon malware immediately replaces the clipboard contents with an attacker-controlled address corresponding to the same cryptocurrency type. ClipXDaemon quietly takes ownership of the clipboard through a hidden window and returns the substituted address when the user pastes the data into their cryptocurrency wallet application or transaction form.
The ClipXDaemon program contains no command-and-control communication capabilities, sends no network requests, and holds no hardcoded server addresses. Profit from ClipXDaemon operations occurs only if a victim unknowingly pastes the altered cryptocurrency address and completes a cryptocurrency transfer to the attacker-controlled wallet. Because ClipXDaemon operates without external infrastructure or network communication, detection depends primarily on analyzing behavioral patterns on the infected system rather than monitoring network activity for command-and-control traffic.
Implement application control policies that prevent or alert on execution of binaries from user-writable paths such as ~/.local/bin/ on Linux systems. This disrupts the ClipXDaemon malware’s deployment strategy of dropping payloads into userland directories that blend with legitimate binaries, providing an effective preventive control against ClipXDaemon infections.
Continuously monitor modifications to ~/.profile, ~/.bashrc, and other user-level autostart files on Linux systems. Establish baselines for these files and alert security teams on any unauthorized changes, as ClipXDaemon establishes persistence by appending execution lines to ~/.profile that launch the malware automatically upon user login.
Deploy endpoint detection rules that identify processes with kernel-thread naming conventions such as “kworker/” running under non-root user contexts. Correlate prctl(PR_SET_NAME) system call modifications with suspicious execution ancestry to detect the process masquerading techniques used by ClipXDaemon to disguise itself as a legitimate kernel worker thread.
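The following script is an added example (not part of the report, and not a tool from any vendor named here) of the process-masquerade check described above. It walks /proc and reports any process whose name claims to be a kernel thread but whose other attributes do not fit one: prctl(PR_SET_NAME) rewrites only the comm name that ps shows, while a real kernel thread also has an empty cmdline, no executable image behind /proc/<pid>/exe, uid 0, and kthreadd (pid 2) as its parent. The kernel-thread name list and the sample values in the test are assumptions made for illustration.

```python
"""Flag user-space processes whose name imitates a kernel worker thread.

Added example (not from the report). Genuine kernel threads have no
executable image (/proc/<pid>/exe is a dangling link), an empty cmdline,
uid 0, and kthreadd (pid 2) as their parent. prctl(PR_SET_NAME) only
rewrites the comm name that ps shows, so the other attributes betray a
masquerading user-space process.
"""
import os
import re

# Names that belong to kernel threads (assumed list); anything claiming one
# of them but looking like a normal process is reported.
KTHREAD_NAME = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|kcompactd)")


def parse_status(text):
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify(name, uid, ppid, cmdline, exe):
    """Return the reasons a kernel-thread-named process looks like a fake.

    An empty list means either the name is not kernel-like or every
    attribute is consistent with a real kernel thread.
    """
    if not KTHREAD_NAME.match(name):
        return []
    reasons = []
    if uid != 0:
        reasons.append("non-root uid %d" % uid)
    if cmdline:
        reasons.append("has a command line: %s" % cmdline)
    if exe:
        reasons.append("has an executable image: %s" % exe)
    if ppid not in (0, 2):  # kthreadd itself has ppid 0, its children ppid 2
        reasons.append("parent is pid %d, not kthreadd" % ppid)
    return reasons


def inspect_pid(proc_root, pid):
    """Collect the attributes of one pid from a procfs tree and classify it."""
    base = os.path.join(proc_root, str(pid))
    try:
        with open(os.path.join(base, "status")) as fh:
            status = parse_status(fh.read())
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            raw = fh.read()
    except OSError:
        return []  # process exited or is not readable
    cmdline = raw.replace(b"\0", b" ").strip().decode("utf-8", "replace")
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = ""  # kernel thread (ENOENT) or another user's process (EACCES)
    uid = int(status.get("Uid", "0").split()[0])  # real uid is the first field
    ppid = int(status.get("PPid", "0"))
    return classify(status.get("Name", ""), uid, ppid, cmdline, exe)


def scan(proc_root="/proc"):
    """Return {pid: [reasons]} for every suspicious kernel-named process."""
    findings = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            reasons = inspect_pid(proc_root, entry)
            if reasons:
                findings[int(entry)] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(scan().items()):
        print("pid %d: %s" % (pid, "; ".join(reasons)))
```

Run it as root to see the exe link of every user's processes; as an unprivileged user the uid and parent checks still work for all processes, and the exe check works for your own. A hit with a non-root uid and an executable under a home directory is exactly the combination the report's guidance asks EDR rules to correlate.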
Since ClipXDaemon operates without network communication, traditional network security controls are ineffective against this threat. Prioritize endpoint detection and response (EDR) solutions capable of behavioral analysis on Linux systems, focusing on clipboard access patterns, process genealogy anomalies, and unauthorized file creation in user directories to detect ClipXDaemon infections.
Deploy file integrity monitoring (FIM) solutions that track changes to user shell initialization files such as ~/.profile and ~/.bashrc on Linux endpoints. Unauthorized modifications to these files should generate high-priority alerts for security investigation, as ClipXDaemon modifies these files to establish persistence on compromised systems.
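As an added example (not from the report, and not any FIM product's code) of the two recommendations above, the script below audits a user's shell initialization files in the two ways the guidance calls for: it compares each file's SHA-256 against a stored baseline, and it flags lines that launch a binary from a user-writable dotfile directory such as ~/.local/bin/ detached from the login shell, the pattern the report describes for ClipXDaemon's ~/.profile entry. The set of init files, the regular expressions, and the sample ~/.profile content in the test are constructed assumptions.

```python
"""Audit user shell initialization files for persistence entries.

Added example (not from the report). It compares each file's SHA-256
against a stored baseline and flags lines that launch a binary from a
user-writable directory in the background. File names and the sample
content used in testing are constructed, not taken from a real infection.
"""
import hashlib
import os
import re

INIT_FILES = (".profile", ".bash_profile", ".bashrc", ".zshrc", ".xprofile")

# A path under the user's home dotfiles, e.g. ~/.local/bin/<name>
USER_DIR_PATH = re.compile(r"(?:~|\$HOME|/home/[^/\s\"']+)/\.[A-Za-z0-9_.-]+/[^\s;&|\"']*")
# Ways a line detaches the launched program from the login shell
DETACHED = re.compile(r"&\s*$|\bnohup\b|\bsetsid\b|/dev/null")
# Dropper-style names: a run of letters followed by digits
RANDOM_NAME = re.compile(r"/([A-Za-z]{3,}\d{2,})$")


def sha256_text(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def suspicious_lines(text):
    """Return [(line_no, line, [reasons])] for lines worth an analyst's look."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        path = USER_DIR_PATH.search(stripped)
        if not path or not DETACHED.search(stripped):
            continue  # PATH exports and ordinary sourcing lines fall through here
        reasons = ["launches %s detached from the login shell" % path.group(0)]
        if RANDOM_NAME.search(path.group(0)):
            reasons.append("file name looks machine-generated")
        hits.append((n, stripped, reasons))
    return hits


def audit_file(text, baseline_hash=None):
    """Report on one init file's content against an optional baseline digest."""
    digest = sha256_text(text)
    return {
        "sha256": digest,
        "changed": baseline_hash is not None and digest != baseline_hash,
        "suspicious": suspicious_lines(text),
    }


def audit_home(home=None, baseline=None):
    """Audit every init file present in `home`; baseline maps path -> sha256."""
    home = home or os.path.expanduser("~")
    baseline = baseline or {}
    results = {}
    for name in INIT_FILES:
        path = os.path.join(home, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = audit_file(fh.read(), baseline.get(path))
    return results


if __name__ == "__main__":
    for path, report in audit_home().items():
        flag = "CHANGED" if report["changed"] else "ok"
        print(path, report["sha256"][:16], flag)
        for n, line, reasons in report["suspicious"]:
            print("  line %d: %s\n    %s" % (n, line, "; ".join(reasons)))
```

Store the digests from a known-clean run as the baseline and re-run from a scheduled job; a changed digest is the high-priority alert the guidance asks for, and the line-level reasons give the responder the exact entry to inspect. A legitimate `export PATH="$HOME/.local/bin:$PATH"` line is not flagged because it references the directory without launching anything from it.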
MITRE ATT&CK tactics: Execution, Persistence, Defense Evasion, Discovery, Collection, Impact.
Indicators of compromise: Ethereum wallet address, Monero wallet address, Bitcoin wallet address, Dogecoin wallet address, Litecoin wallet address, Tron wallet address, file paths, SHA256 hashes.