Security researchers at Cyble have discovered a new Linux malware called ClipXDaemon, which hijacks cryptocurrency wallet addresses by altering clipboard content on X11-based systems. The malware operates without command-and-control servers, monitoring and replacing addresses in real time to redirect funds to attackers. It uses a multi-stage infection process and employs stealth techniques to evade detection.
ClipXDaemon, identified by Cyble’s Research & Intelligence Labs (CRIL), emerged in early February 2026 and targets desktop Linux environments running the X11 graphical interface. The malware arrives via a three-stage infection chain: an encrypted loader generated by the open-source bincrypter framework, a memory-resident dropper that AES-256-CBC-decrypts and gzip-decompresses the next stage, and an on-disk ELF payload written to ~/.local/bin/ with a random filename of eight to nineteen characters.
For persistence, the dropper appends an execution command to the user’s ~/.profile file, ensuring it runs on login without needing root privileges. Upon activation, ClipXDaemon checks for an X11 session; if Wayland is detected, it terminates immediately due to Wayland’s restrictions on global clipboard access. It then daemonizes via a double-fork process, closes file descriptors, and renames itself to “kworker/0:2-events” using prctl(PR_SET_NAME) to mimic a kernel worker thread, blending into process lists from tools like ps or top.
The core functionality involves polling the clipboard every 200 milliseconds via X11 APIs such as XConvertSelection and XGetWindowProperty. It scans for patterns matching eight cryptocurrencies—Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON—using encrypted regular expressions decrypted with ChaCha20. When a match is found, it replaces the content with attacker-controlled addresses before pasting occurs. Confirmed replacement wallets include those for Ethereum (0x502010513bf2d2B908A3C33DE5B65314831646e7), Bitcoin (bc1qe8g2rgac5rssdf5jxcyytrs769359ltle3ekle), and others for Monero, Dogecoin, Litecoin, and Tron. No replacements were observed for TON and Ripple, though they are monitored.
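The following is an added defensive example, not code from Cyble or from the malware itself: it turns the substitution behaviour described above into two checks a wallet front-end or an analyst can run. `check_paste` compares the address a user copied with what the clipboard now holds and flags a swap, and `find_known_addresses` scans free text for the two replacement addresses the report names. The address patterns are my own rough approximations of the public address formats for the eight coins (they classify shape only and do not validate checksums); the `USER_ETH` value is a constructed placeholder.

```python
"""Defensive checks for clipboard address substitution (added example)."""
import re
from typing import Dict, List, Optional

# The two replacement addresses the report names (Ethereum and Bitcoin),
# keyed in lower case so the Ethereum checksum casing does not matter.
KNOWN_CLIPPER_ADDRESSES: Dict[str, str] = {
    "0x502010513bf2d2B908A3C33DE5B65314831646e7".lower(): "ClipXDaemon Ethereum",
    "bc1qe8g2rgac5rssdf5jxcyytrs769359ltle3ekle": "ClipXDaemon Bitcoin",
}

# Approximate address shapes for the eight coins the clipper monitors.
# These are the author's own approximations, not the malware's encrypted
# patterns. Order matters: Bitcoin's legacy "3..." form is tried before
# Litecoin's, so ambiguous prefixes classify as Bitcoin.
ADDRESS_PATTERNS = [
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("bitcoin",  re.compile(r"^(bc1[a-z0-9]{39,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")),
    ("litecoin", re.compile(r"^(ltc1[a-z0-9]{39,59}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$")),
    ("monero",   re.compile(r"^[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$")),
    ("tron",     re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$")),
    ("dogecoin", re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$")),
    ("ripple",   re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$")),
    ("ton",      re.compile(r"^(EQ|UQ)[A-Za-z0-9_-]{46}$")),
]

# Constructed placeholder standing in for an address the user actually owns.
USER_ETH = "0x" + "ab" * 20


def classify_address(text: str) -> Optional[str]:
    """Return the coin whose address shape `text` matches, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return kind
    return None


def check_paste(copied: str, clipboard: str) -> Dict[str, object]:
    """Compare what the user copied with what the clipboard now holds.

    A clipper swaps one address for another of the same coin, so a mismatch
    where both sides classify as addresses is the signal to block the paste.
    `known_clipper` is set when the clipboard holds one of the reported IoCs.
    """
    copied, clipboard = copied.strip(), clipboard.strip()
    copied_kind = classify_address(copied)
    clipboard_kind = classify_address(clipboard)
    return {
        "substituted": (copied != clipboard
                        and copied_kind is not None
                        and clipboard_kind is not None),
        "copied_kind": copied_kind,
        "clipboard_kind": clipboard_kind,
        "known_clipper": KNOWN_CLIPPER_ADDRESSES.get(clipboard.lower()),
    }


def find_known_addresses(text: str) -> List[str]:
    """Scan free text (a transaction log, shell history, a support ticket)
    for the replacement addresses named in the report."""
    lowered = text.lower()
    return [label for addr, label in KNOWN_CLIPPER_ADDRESSES.items() if addr in lowered]


if __name__ == "__main__":
    # Simulate the clipper having swapped the user's address for the reported one.
    print(check_paste(USER_ETH, "0x502010513bf2d2B908A3C33DE5B65314831646e7"))
    print(find_known_addresses("paid to bc1qe8g2rgac5rssdf5jxcyytrs769359ltle3ekle"))
```

The check is deliberately on the receiving side of the paste: the wallet keeps the address the user copied and refuses to submit a transaction when the clipboard content differs, which is the one point in the workflow where a 200 ms substitution loop is still visible.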
Notably, ClipXDaemon lacks any network activity, containing no embedded domains or IP addresses, and performs no DNS queries or connections. This C2-less design allows direct monetization without remote infrastructure. The loader shares structural similarities with ShadowHS malware from January 2026, but researchers found no evidence of shared operators, attributing overlaps to the common use of bincrypter.
Experts recommend migrating to Wayland, auditing ~/.profile and ~/.local/bin/, and verifying wallet addresses manually before transactions. The ELF payload evaded detection on VirusTotal at the time of analysis.
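As an added example (not Cyble's tooling or the malware's code), the script below hunts for the two host artifacts the write-up describes: a user-space process wearing a kernel-worker name, and a ~/.profile line that launches a binary out of ~/.local/bin/. It checks process facts the kernel cannot fake for a prctl(PR_SET_NAME) rename (a genuine kernel thread has no readable exe link, no cmdline, and kthreadd as parent), and it distinguishes a launch line from the harmless PATH entry most profiles contain. `SAMPLE_PROCS` and `SAMPLE_PROFILE` are constructed test data; `read_live_processes` reads the real /proc when run on a Linux host.

```python
"""Audit for ClipXDaemon-style host artifacts (added example)."""
import os
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcInfo:
    pid: int
    ppid: int
    comm: str      # /proc/<pid>/comm
    cmdline: str   # /proc/<pid>/cmdline, NULs replaced by spaces; empty for kernel threads
    exe: str       # target of /proc/<pid>/exe; empty when unreadable (kernel threads)


# Names that legitimately belong to kernel threads. PR_SET_NAME stores at most
# 15 characters, so a user process asking for "kworker/0:2-events" ends up with
# comm "kworker/0:2-eve"; matching on the prefix covers both spellings.
KERNEL_THREAD_PREFIX = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|kcompactd)")


def is_masquerading_kernel_thread(p: ProcInfo) -> bool:
    """Genuine kernel threads are children of kthreadd (pid 2) and expose
    neither a cmdline nor a readable exe link. A kernel-style name that
    breaks those rules is user-space code in disguise."""
    if not KERNEL_THREAD_PREFIX.match(p.comm):
        return False
    if p.exe or p.cmdline:
        return True
    return p.pid != 2 and p.ppid != 2


def read_live_processes(proc_root: str = "/proc") -> List[ProcInfo]:
    """Collect ProcInfo for every numeric entry under /proc (Linux only)."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            with open(os.path.join(base, "status")) as f:
                ppid = next(int(l.split()[1]) for l in f if l.startswith("PPid:"))
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = ""
        except (OSError, StopIteration):
            continue  # process exited while it was being read
        procs.append(ProcInfo(int(entry), ppid, comm, cmdline, exe))
    return procs


# A ~/.profile line that executes something from ~/.local/bin/. The trailing
# slash plus a name is what separates a launch from a PATH="$HOME/.local/bin:..."
# entry. The report says the dropped ELF has a random 8-19 character name.
LOCAL_BIN_EXEC = re.compile(r"(?:~|\$HOME|\$\{HOME\}|/home/[^/\s]+)/\.local/bin/([^\s;&|):\"']+)")


def suspicious_profile_lines(profile_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, executable name, line) for every non-comment line
    that launches a binary from ~/.local/bin/."""
    hits = []
    for lineno, line in enumerate(profile_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = LOCAL_BIN_EXEC.search(stripped)
        if m:
            hits.append((lineno, m.group(1), stripped))
    return hits


# Constructed sample data: one real kworker, one daemonized impostor whose
# parent is init after the double fork, and a benign process.
SAMPLE_PROCS = [
    ProcInfo(1, 0, "systemd", "/sbin/init", "/usr/lib/systemd/systemd"),
    ProcInfo(15, 2, "kworker/0:2-events", "", ""),
    ProcInfo(4321, 1, "kworker/0:2-eve",
             "/home/alice/.local/bin/qwertyuiop123", "/home/alice/.local/bin/qwertyuiop123"),
]

# Constructed sample profile: a normal PATH block followed by an appended launch line.
SAMPLE_PROFILE = """# ~/.profile: executed by the command interpreter for login shells
if [ -d "$HOME/.local/bin" ] ; then
    PATH="$HOME/.local/bin:$PATH"
fi
~/.local/bin/qwertyuiop123 >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    procs = read_live_processes() if os.path.isdir("/proc") else SAMPLE_PROCS
    for p in procs:
        if is_masquerading_kernel_thread(p):
            print(f"suspicious process pid={p.pid} comm={p.comm!r} exe={p.exe!r}")
    for lineno, name, line in suspicious_profile_lines(SAMPLE_PROFILE):
        print(f"~/.profile line {lineno} launches {name!r}: {line}")
```

Because the payload is unsigned and unknown to VirusTotal, the process-side check leans on structural facts rather than hashes; run it alongside a listing of ~/.local/bin/ and treat any file there that no package manager or user installed as the candidate payload.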