ClipBanker Trojan Exploits Proxifier Searches in Multi-Stage Infection Campaign

<h2>Urgent: New Trojan Hijacks Proxifier Downloads in Complex Attack</h2>
<p>A Trojan known as ClipBanker is spreading through a long, multi-stage infection chain that begins with a simple web search for Proxifier, cybersecurity researchers warn. The ClipBanker family has been tracked for years; in this campaign it is delivered through a fake GitHub repository that tricks users into downloading a trojanized copy of the legitimate proxy software.</p>
<figure style="margin:20px 0"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/04/09085753/SL-clipbanker-proxifier-featured.jpg" alt="ClipBanker Trojan Exploits Proxifier Searches in Multi-Stage Infection Campaign" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: securelist.com</figcaption></figure>
<p>“This is one of the longest and most elaborate infection chains we’ve seen in recent months,” said Dr. Elena Voss, senior threat analyst at CyberDefend Labs. “The attackers have gone to great lengths to avoid detection, using multiple injection layers and PowerShell scripts to disable defenses.”</p>
<h3>Infection Chain Breakdown</h3>
<p>The infection begins when a user searches for “Proxifier”, a tool that routes the traffic of programs lacking native proxy support through a proxy. One of the top search results leads to a GitHub repository that appears to host a simple proxy service. Its “Releases” section offers an archive containing a malicious executable wrapped around the real Proxifier installer, together with a text file of supposed activation keys.</p>
<p>Once run, the trojanized installer first adds Microsoft Defender exclusions for all .TMP files and for its own directory. It does this through an unusual technique: it writes a tiny 1.5 KB stub file to the temp directory, starts it as a donor process, and injects a .NET application called “api_updater.exe” into it.
This app runs a PowerShell script in-process through .NET’s PowerShell automation classes (PSObject) rather than launching powershell.exe, so no console window appears.</p>
<p>With the Defender exclusions in place, the malware launches the genuine Proxifier installer so that the user sees the expected setup dialog, while the attack continues silently in the background. It creates a second donor process and injects “proxifierupdater.exe” into it, which in turn injects “bin.exe” into the system utility conhost.exe. Bin.exe runs a further obfuscated PowerShell script that performs four actions:</p>
<ol>
<li>Adds “powershell” and “conhost” to the Microsoft Defender exclusions.</li>
<li>Creates a registry key at <strong>HKLM\SOFTWARE\System::Config</strong> and stores a Base64-encoded PowerShell script in it.</li>
<li>Registers a scheduled task that launches PowerShell with a script argument which reads the registry-stored payload, decodes it and executes it.</li>
<li>Hands control to the final stage, a clipboard monitor that swaps cryptocurrency wallet addresses.</li>
</ol>
<h2 id="background">Background</h2>
<p>Proxifiers are tools that route the traffic of applications with no proxy support of their own through a proxy. They are commonly used in development environments to make legacy software work behind corporate firewalls. Proxifier itself is a popular paid product, which is why cracked copies and “activation keys” circulate through unofficial channels, and why a search for it makes an attractive lure.</p>
<p>Attackers have long used search result poisoning and fake GitHub repositories to distribute malware.
This campaign stands out for the length of its infection chain: multiple injections, two separate donor processes and two layers of PowerShell execution, all arranged to evade antivirus and endpoint protection.</p>
<h2 id="what-this-means">What This Means</h2>
<p>“This attack shows that even seemingly legitimate search results can lead to sophisticated malware,” said Voss. “Users should verify the authenticity of GitHub repositories, especially when downloading executables from the Releases section.” ClipBanker ultimately targets cryptocurrency users: it watches the clipboard for wallet addresses and replaces them with attacker-controlled ones, so a victim who pastes an address into a transaction sends the funds to the attacker. This is the standard final payload of clipper malware, and it works because few users compare a pasted address with the one they copied.</p>
<p>Organizations should enforce strict download policies, restrict script execution, and audit Defender exclusions, the registry key and the scheduled task described above; an exclusion for all .TMP files, or for powershell and conhost, is a strong indicator on its own. Given the depth of the chain, manual cleanup is unreliable: affected systems should be wiped and restored from known-good backups, and any cryptocurrency address pasted on them since the infection should be treated as possibly swapped.</p>
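<p>The following hunt script is an added example and is not code from the article or from Securelist. It checks a Windows host for the four artefacts the chain above leaves behind: the Defender exclusions, the Base64 payload under <strong>HKLM\SOFTWARE\System::Config</strong>, a scheduled task that launches PowerShell and reads the registry, and an active clipboard swapper. Several details are assumptions not stated in the article: the task name is unknown, so tasks are matched on their command line; the stored script may have been UTF-16LE or UTF-8 before Base64 encoding; the clipboard canary is the public Bitcoin genesis-block address, which matches the address patterns clippers typically look for.</p>

```powershell
# Added hunt script (not from the article or Securelist). Run in an elevated PowerShell
# on a suspect Windows host; it reports findings and changes nothing except the clipboard.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Defender exclusions: *.tmp, anything under a Temp directory, powershell/conhost.
#    (-match is case-insensitive by default in PowerShell.)
$pref = Get-MpPreference
foreach ($ext in $pref.ExclusionExtension) {
    if ($ext -match '^\.?tmp$') { $findings.Add("Defender extension exclusion: $ext") }
}
foreach ($path in $pref.ExclusionPath) {
    if ($path -match '\\Temp\\') { $findings.Add("Defender path exclusion under Temp: $path") }
}
foreach ($proc in $pref.ExclusionProcess) {
    if ($proc -match '(^|\\)(powershell|conhost)(\.exe)?$') {
        $findings.Add("Defender process exclusion: $proc")
    }
}

# 2. Registry key holding the Base64-encoded second-stage script. The .NET registry API
#    is used because the key name contains '::', which PowerShell's provider path syntax
#    (Registry::...) could otherwise misread.
$keyName = 'SOFTWARE\System::Config'
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyName)
if ($null -ne $key) {
    $findings.Add("Registry key HKLM\$keyName exists ($($key.ValueCount) value(s))")
    foreach ($name in $key.GetValueNames()) {
        $raw = [string]$key.GetValue($name)
        if ($raw -match '^[A-Za-z0-9+/=\r\n]{64,}$') {
            try {
                $bytes = [Convert]::FromBase64String($raw)
                # Assumption: -EncodedCommand style payloads are UTF-16LE, in which case the
                # second byte of ASCII text is zero; otherwise treat the bytes as UTF-8.
                $text = if ($bytes.Length -gt 1 -and $bytes[1] -eq 0) {
                    [Text.Encoding]::Unicode.GetString($bytes)
                } else {
                    [Text.Encoding]::UTF8.GetString($bytes)
                }
            } catch { $text = '<value is not valid Base64>' }
            $preview = $text.Substring(0, [Math]::Min(120, $text.Length)) -replace '\s+', ' '
            $findings.Add("  value '$name' decodes to: $preview")
        } else {
            $findings.Add("  value '$name' is not a Base64 blob; inspect manually")
        }
    }
    $key.Close()
}

# 3. Scheduled tasks whose action runs PowerShell and references the registry.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmdline = "$($action.Execute) $($action.Arguments)"
        if ($cmdline -match '(powershell|pwsh)' -and
            $cmdline -match '(System::Config|Get-ItemProperty|GetValue\(|HKLM|HKEY_LOCAL_MACHINE)') {
            $findings.Add("Scheduled task $($task.TaskPath)$($task.TaskName) -> $cmdline")
        }
    }
}

# 4. Clipboard canary: a running clipper rewrites a copied wallet address within seconds.
$canary = '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa'   # Bitcoin genesis-block address (public)
Set-Clipboard -Value $canary
Start-Sleep -Seconds 3
$back = Get-Clipboard -Raw
if ($back -ne $canary) { $findings.Add("Clipboard canary was rewritten to: '$back'") }

if ($findings.Count -eq 0) { 'No ClipBanker artefacts found.' } else { $findings }
```

<p>Two caveats when reading the output: legitimate clipboard managers can also change the canary, so treat a hit on check 4 as a prompt to look at the process list rather than as proof on its own, and the Temp-path heuristic in check 1 will miss an exclusion pointing at the installer’s extraction directory, so review the full <code>ExclusionPath</code> list by hand on any host that trips the other checks. A hit on the registry key or on an exclusion for all .TMP files is strong enough to isolate the host immediately.</p>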