Threat Actor Leverages Fake Reputation to Distribute Crypto Clipboard Hijacker
A sophisticated threat actor is employing an elaborate 'fake reputation' strategy, using legitimate news sites, social media, and open-source platforms to promote and distribute a cryptocurrency clipboard hijacker. The campaign targets cryptocurrency holders and online gamblers, aiming to steal digital assets with Rust-based malware.
An unknown threat actor has been observed leveraging paid or promoted posts on legitimate news websites to generate buzz for their malicious software, according to new findings from **Check Point Research**.
The actor operates a dedicated **WordPress** phishing page as a central hub, alongside **GitHub** and **SourceForge** projects promoted by fake accounts, a **YouTube** channel, and a cluster of accounts engaged in coordinated activity on **VirusTotal**. The VirusTotal activity is intended to get the malicious files classified as safe.
"To push a malicious 'tool,' a single threat actor borrowed the same playbook legitimate brands use to build buzz: inflated download counts, coordinated five-star reviews, influencer-style tutorial videos, and promotion on platforms people instinctively trust," Check Point stated in a report. "The result is a fake reputation economy spanning every platform a curious victim might check before they click 'download.'"
### The Cryptocurrency Clipboard Hijacker
The ultimate goal of the campaign is to distribute a cryptocurrency clipboard hijacker. This malware is concealed within **Solana** and **Pump.fun** sniper bots and crash-game predictors, indicating that cryptocurrency asset holders and online gamblers seeking shortcuts are the primary targets.
The Rust-based clipper, targeting both **Windows** and **macOS** systems, continuously monitors the clipboard for content matching a cryptocurrency wallet address pattern. Upon detection, the malware replaces the legitimate address with an attacker-controlled address from a hard-coded list, effectively diverting digital assets.
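The swap behaviour described above leaves a recognisable trace: a wallet address on the clipboard is replaced, within a fraction of a second, by a different address of the same chain. The following is an added defensive example (not Check Point's code and not the malware) that runs that check over a constructed sequence of clipboard snapshots; the address patterns, time window, and sample addresses are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address shapes for the chains the campaign targets (Solana) plus two common
# ones. Checked in order: the Solana base58 pattern is the loosest, so it goes last.
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "bitcoin": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}"),
    "solana": re.compile(r"[1-9A-HJ-NP-Za-km-z]{32,44}"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the chain whose address pattern the clipboard text matches, or None."""
    s = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(s):
            return chain
    return None


@dataclass
class Alert:
    time: float
    chain: str
    original: str
    replaced_with: str


def detect_hijack(snapshots: List[Tuple[float, str]], max_gap_seconds: float = 2.0) -> List[Alert]:
    """Flag clipboard changes where one wallet address becomes a different address
    of the same chain within max_gap_seconds: a user rarely copies two addresses
    back to back that quickly, but a clipper rewrites the clipboard immediately."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        chain_prev, chain_cur = classify_address(prev), classify_address(cur)
        same_chain = chain_prev is not None and chain_prev == chain_cur
        if same_chain and prev.strip() != cur.strip() and 0 <= t_cur - t_prev <= max_gap_seconds:
            alerts.append(Alert(t_cur, chain_cur, prev.strip(), cur.strip()))
    return alerts


# Constructed sample addresses and clipboard timeline (not real wallets).
USER_ADDR = "4Nd1mBQtrMJVYVfKf2PJy9NZaZdqxvVpN6Mq4f1ZYGdp"
ATTACKER_ADDR = "9bZmdEwQtqPvHJxkKq3GCrsuTdj2YbF5Hdur8Yo7U6Le"
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes for monday"),
    (10.0, USER_ADDR),           # user copies their own Solana address
    (10.3, ATTACKER_ADDR),       # clipboard silently rewritten 300 ms later
    (60.0, "0x" + "ab" * 20),    # user copies an Ethereum address
    (95.0, "0x" + "cd" * 20),    # a different one 35 s later: plausibly manual
]

if __name__ == "__main__":
    for alert in detect_hijack(SAMPLE_SNAPSHOTS):
        print(f"t={alert.time}: {alert.chain} address swapped {alert.original} -> {alert.replaced_with}")
```

A real monitor would poll the OS clipboard on a timer and feed each change into `detect_hijack` in the same `(timestamp, text)` form.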
### The 'Ghost Network' Strategy
A notable aspect of this activity is the use of 'Ghost Networks' to manipulate reputation-driven systems like VirusTotal. This aims to reduce suspicion and build victim trust in the malicious files through a combination of upvotes and highly positive comments.

This behavior extends to GitHub, where the threat actor manages at least six accounts to cross-promote and distribute their malware. These synthetically boosted signals are designed to create a false sense of security. One such repository boasts 146 stars and 62 forks.
On SourceForge, download counters reached 44,485, with a suspicious 37,460 supposedly originating from Android devices, despite only Windows and macOS versions being offered. Check Point suggests this discrepancy points to the use of an Android farm to artificially inflate download counts.
### AI-Generated Promotion and Press Releases
The malicious software is further promoted through a dedicated YouTube channel with over 91,000 subscribers, created in July 2020. The channel, claiming to be "strictly for educational purposes only," features tutorial-style videos with AI-generated narrators and positive comments to reinforce the illusion of popularity and trustworthiness.

Perhaps the most unusual aspect of the campaign is the threat actor's use of a press release distribution service like **EIN Presswire** to market their tool's purported capabilities. This press release has since been syndicated across the service's partner news websites, primarily within the **USA TODAY Network**.
"Manipulating sentiment and reputation across crowd-sourced platforms marks a meaningful shift in how attackers build trust," Check Point concluded. "The same playbook of fake reputation and aggressive cross-platform promotion can easily distribute information stealers or ransomware to higher-value targets over time."