Pure Clipper Malware

Fileless Pure Clipper Malware: Italian users in the crosshairs

Key Takeaways

  • A Threat Actor (TA) was observed using a Tor Browser phishing website to target Italian-speaking users.
  • The executable, downloaded from the phishing site, is a .Net binary obfuscated with SmartAssembly. It acts as a dropper, deploying both a legitimate Tor Installer and the malicious “Pure Clipper” payload.
  • Pure Clipper was developed by the same TA who was behind PureLogs.
  • Alibaba2044, a threat actor (TA) known for multiple instances of targeting Italy, was previously identified using PureLogs in their spam campaigns during 2022. We believe that the same TA could be behind this operation as well.
  • This TA has used PureCrypter as a loader and a crypter for the Clipper payload. It utilizes a fileless malware technique by storing its binary data in the Windows Registry, enhancing its stealth and persistence.
  • The creation of a Task Scheduler entry ensures the malware’s continuous operation in the background, running a Base64-encoded PowerShell script to retrieve and execute the binary data stored in the Registry.
  • The clipper interacts with the Command and Control (C&C) when a user copies or pastes a cryptocurrency address. It swaps the address with the attacker’s address and captures a screenshot, sending both addresses and the screenshot to the TA’s Discord webhook for exfiltration.
  • Additionally, Cyble Research and Intelligence Labs (CRIL) also encountered an incident in which a TA employed this phishing site to target fellow TAs within a cybercrime forum, using an InfoStealer for their malicious activities.


In a recent investigation, the CRIL found an operation orchestrated by a Threat Actor (TA) through a deceptive phishing site that imitated the official Tor Project website. The TA was spreading Pure Clipper in this operation.

Clipper is a type of malware that’s designed to steal or manipulate cryptocurrency-related data, particularly cryptocurrency wallet addresses. Clipper malware typically operates by monitoring the user’s clipboard, where copied information is temporarily stored. When it detects a cryptocurrency wallet address being copied (e.g., a Bitcoin or Ethereum address), it replaces that address with an address controlled by the attacker. As a result, if the user pastes the manipulated address when making a cryptocurrency transaction, the funds get sent to the attacker’s wallet instead of the intended recipient.

Pure Clipper is created by the same TA known as “PureCoder,” who was behind PureLogs.  PureCoder, the TA behind this software, maintains a website where they actively advertise and sell a range of malicious software programs, catering to diverse cybercriminal operations. These offerings include miners, information stealers, VNC (Virtual Network Computing) tools, and crypters, highlighting the broad spectrum of cyber threats they support.

Pure Clipper is available for purchase on a lifetime subscription model priced at $99. The figure below shows the PureCoder site.

Pure Clipper, Shop
Figure 1 – Pure Clipper Shop

This phishing campaign incorporates various techniques, including droppers, obfuscators, crypters, fileless malware, crypto address theft, and exfiltration via Discord. Notably, the TA specifically targeted Italian-speaking users, as evident from the phishing site’s default language.

This investigation identified a series of notable findings. The TA employed a .NET dropper concealed by SmartAssembly, which included both a legitimate Tor Installer and a PureCrypter binary, which acts as a loader and crypter for the Pure Clipper payload. The Clipper is designed to steal cryptocurrency addresses, interacting with the TA’s Command and Control (C&C) system through Discord. The operation showcased persistence through Registry manipulation and Task Scheduler entries, ensuring continuous background activity.

Further analysis uncovered cryptocurrency addresses, likely linked to the TA, involved in recent transactions, indicating successful receipt of payments from multiple victims. Additionally, a noteworthy development revealed a TA-on-TA attack within a cybercrime forum, where the phishing site was leveraged to deploy an InfoStealer, exemplifying the TA’s aggressive tactics within the threat landscape.


Alibaba2044, a TA known for repeatedly targeting Italy, was previously identified using PureLogs in their spam campaigns throughout 2022. In 2023, researchers from Uptycs reported on a campaign that bore similarities to these earlier activities. These findings raise the possibility that the same TA, Alibaba2044, might be the driving force behind this current operation as well, targeting Italy. The TA’s consistent use of specific tools and tactics suggests a connection between these separate campaigns.

Initial Infection

The initial infection starts with the phishing site hxxps[:]//torprojectdownloadfree[.]site, which impersonates the official Tor Project website. It replicates the site’s design, layout, and content to deceive users. The default language of the phishing site is set to Italian. This site provides an option to change the language, but apparently, upon changing the language, the site gives 404, suggesting that TA could be targeting Italian-speaking users exclusively.

The website offers users the choice to download what seems to be the Tor installer, but it disguises itself as a malware dropper. Rather than installing the genuine Tor software, this site downloads malicious software on the user’s device.

Phishing, Pure Clipper
Figure 2 – Phishing Site

We also came across a post on a cybercrime forum where a Threat Actor (TA) shared a Tor site phishing link: hxxps://torprojectdownloadfree.site/confset.exe. This link is associated with an InfoStealer, suggesting that the TA may have been targeting other TAs on the forum. Upon further investigation, we discovered that this malware payload was hosted on a specific URL and couldn’t be downloaded by merely visiting the phishing site.

Cybercrime forum, Pure Clipper
Figure 3 – Post on Cybercrime Forum

Technical Analysis


The executable downloaded from the phishing site is a .Net binary (SHA256: fbfa233f980042bb92c121e38d9307ef9d48e842fa7c9bda09d9f89479df7771) and has been obfuscated with SmartAssembly, a tool designed for obfuscating .Net files. This executable serves as a dropper, housing two files within its resources, as depicted in the figure below.

Figure 4 – Embedded Files

On execution, it processes files from resources and drops them with the following names in the %temp% directory :

  • torbrowser-install-win64-12.5.3_ALL.exe: Clean Tor Installer file
  • ScHoster.exe: PureCrypter Loader

The figure below shows the WriteFile and Process Create operations performed by this dropper.

Figure 5 – Operations performed by the Dropper

After dropping files in the %temp% directory, it runs the Clean Tor installer file and executes the clipper payload discreetly in the background to conceal its malicious activities from the user. The figure below illustrates the Tor installer.

Pure Clipper, Tor
Figure 6 – Tor Installer

Pure Clipper

First Stage

The initial executable (ScHoster.exe) is a .NET loader designed to handle a GZip-compressed stream that contains a reversed DLL file. It decompresses the data, reverses the byte order, and executes it directly without storing it on disk, as shown in the figure below.

Figure 7 – Decompresses the embedded DLL

The malware employs the Assembly.Load() method to execute the second stage DLL file at runtime. This technique is utilized to maintain stealth. The figure below illustrates the method used for the runtime execution of the DLL file.

Figure 8 – Executes DLL on runtime

The figure below shows the DLL named “Ovsfnx.dll” loaded in runtime.

Figure 9 – Ovsfnx.dll

Second Stage

The second stage DLL (Ovsfnx.dll), is the Pure Clipper payload, which is obfuscated using PureCrypter. PureCrypter is a fully featured loader created by a TA known as “PureCoder.” It has been actively developed and advertised for sale since at least March 2021. PureCrypter is available for purchase on PureCoder’s website with a price tag of $59. This loader is primarily used to distribute various types of malwares, including remote access trojans (RATs), information stealers, etc.

PureCrypter uses obfuscation techniques, such as SmartAssembly, to protect its code and evade detection. It also employs the use of reversed, compressed, and encrypted payloads to make it harder for antivirus engines to identify the malware. The figure below shows the PureCoder site.

Pure Coder, Pure Clipper
Figure 10 – PureCoder Site

On execution, it starts processing multiple resources present in the second payload DLL file. One of these resources, named “6XSFUHcqsXNKPHEYxE.ZiCerlvdDMR9CjDAIv‎”, highlighted in Figure below, contains the Pure Clipper data file. The figure below shows the data file.

Pure Clipper
Figure 11 – Pure Clipper Data File

This data file consists of the following, which is essential for Clipper operations:

  • Regular Expressions to detect Crypto Addresses
  • Base64 encoded TA’s crypto addresses
  • Base64 encoded Discord webhook URL
  • PowerShell script
Pure Clipper
Figure 12 – Pure Clipper Data File

The Pure Clipper is designed to target more than 10 cryptocurrencies and employs the following regular expressions. These patterns are used to identify cryptocurrency addresses in the clipboard. When a match is found, it replaces the address with the attacker’s cryptocurrency address to facilitate theft.

\b((bitcoincash|bchreg|bchtest):)?(q|p)[a-z0-9]{41}\bbBitcoin Cash

In the data file, we identified two cryptocurrency addresses, one for Bitcoin and one for Ethereum, which may be associated with TA. Upon closer examination, we noticed that these addresses had received numerous recent cryptocurrency deposits, indicating that they might have been transferred from victims. This suggests that the TAs might have successfully received cryptocurrency payments from multiple victims. The figure below shows the TA’s BitCoin transaction history.

Bitcoin, crypto
Figure 13 – TA’s Bitcoin Transaction History

The figure below shows the TA’s Ethereum transaction history.

Figure 14 – TA’s Ethereum Transaction History


The Pure Crypter and loader employ a specific technique for stealth and persistence. It starts by creating a Registry Key at HKEY_CURRENT_USER\SOFTWARE\dabbj. Within this Registry Key, it stores the bytes of the ScHoster.exe file in reverse order in the Registry Value “ehac“. This technique is commonly referred to as “Fileless malware.” The figure below shows the Registry Key created by the loader.

Figure 15 – Add Binary Data to the Registry Key

After storing the payload in the Registry, the “Crypter malware proceeds to establish a Task Scheduler entry named “ehac.” This task is designed to execute the following command after a delay of one minute, and it will continue to run indefinitely until the user logs out of the system:

  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc {base64encoded PowerShell script}

This command runs a Base64 encoded PowerShell script, which retrieves the binary data added to the registry in the above step. It employs several options to hide the PowerShell window, bypass execution policies, and maintain a hidden profile. By creating a Task Scheduler entry that repeatedly executes this command with a one-minute delay, the clipper malware ensures continuous operation in the background.

The figure below shows the task scheduler entry.

Task Scheduler
Figure 16 – Task Scheduler Entry

The base64 encoded PowerShell script used in the task scheduler entry actually retrieves the ScHoster.exe binary from the Registry, reverses it to its original order, loads it as an assembly, and then executes it. The figure below shows the decoded PowerShell script.

Figure 17 – PowerShell Script


The clipper payload interacts with TA’s Command and Control (C&C) system only when a victim performs a copy/paste operation involving cryptocurrency addresses. When a user copies or pastes a cryptocurrency address, the payload replaces it with TA’s address and captures a screenshot of the user’s screen. Subsequently, it exfiltrates both the victim’s and TA’s cryptocurrency addresses, along with the screenshot, using TA’s Discord webhook. The figure below illustrates the exfiltrated data.

Data Exfiltration
Figure 18 – Data Exfiltration


The presence of Pure Clipper signals an ongoing and dynamic landscape of digital threats. With a recurrent focus on Italian-speaking users and a consistent pattern of using potent malware tools – including PureLogs and the Pure Clipper – to facilitate cybercriminal activities, we suspect that these activities might be linked to Alibaba2044.

The potential consequences of this campaign are far-reaching, posing a significant threat to cryptocurrency enthusiasts and organizations. The TA’s activities underscore a clear financial motivation, revealing a persistent quest for monetary gain through cybercrime.

Our Recommendations

  • To prevent the malware from persisting on the system, implement a rule that prohibits the creation of a specific registry key, identified as “dabbj,” within the HKCU\Software (HKEY_CURRENT_USER) hive.
  • Implement application whitelisting to restrict the execution of non-authorized applications, including any attempts to change Registry entries.
  • Regularly review Task Scheduler entries for any unusual or unauthorized tasks, especially those with suspicious names like “ehac.”

MITRE ATT&CK® Techniques 

Tactic  Technique  Procedure 
Initial Access (TA0001) Phishing (T1566This malware reaches users via phishing sites. 
Execution  (TA0002)User Execution (T1204)The user needs to manually execute the file downloaded from the phishing site.
Execution   (TA0002) Command and Scripting  
Interpreter: PowerShell  
Uses PowerShell Script to load the Clipper binary from Registry.
Persistence (TA0003) Scheduled Task/Job
Creates a Task Scheduler entry. 
Defense Evasion (TA0005) Masquerading (T1036.008Downloads file disguised as a legitimate application.

Defense Evasion (TA0005) Modify Registry (T1112Uses reg.exe to modify the Windows registry. 
Defense Evasion (TA0005) Deobfuscate/Decode Files or Information (T1112Files are obfuscated using a Pure crypter. 
Defense Evasion (TA0005) Obfuscated Files or Information: Fileless Storage (T1027.011The loader binary is stored in the registry. 
Collection (TA0009) Clipboard Data (T1115)Monitors clipboard data and replaces crypto address with their address.
Collection (TA0009) Screen Capture (T1113)Takes a screenshot of the victim’s screen and Exfiltrates it.
Exfiltration(TA0010) Exfiltration Over Web Service
Uses discord webhook to exfiltrate data. 

Indicators of Compromise (IOCs) 

Indicators  Indicator 
88ba199aeb9b93ae28b4781edf7904c946763103 fbfa233f980042bb92c121e38d9307ef9d48e842fa7c9bda09d9f89479df7771
SHA1 SHA256 
392ccfa22f19f6e466a973ac654e450a62391572 cfa592b0128bc126fbf3fb66c551a8d87223b196f5e0cd87e60b88bdc688c6e0
SHA1 SHA256 
xhxxps[:]//torprojectdownloadfree.siteURL Phishing Site

Scroll to Top