Cyble Research & Intelligence Labs has identified ClipXDaemon, a new Linux malware targeting cryptocurrency users on X11 desktop environments. Delivered via a bincrypter-based three-stage loader (encrypted loader → in-memory dropper → on-disk ELF), the payload is a fully autonomous clipboard hijacker with no C2 infrastructure. It daemonizes itself using a double fork, masquerades as a kernel worker thread (kworker/0:2-events), and polls the X11 clipboard every 200 ms. When clipboard content matches one of its regex patterns (stored ChaCha20-encrypted) for a cryptocurrency wallet address, it replaces the address with attacker-controlled addresses for Bitcoin, Ethereum, Monero, Litecoin, Dogecoin, Tron, and others. Persistence is achieved by modifying ~/.profile. The malware explicitly avoids Wayland sessions and operates entirely offline, making network-based detection ineffective. Defenders are advised to migrate to Wayland, monitor userland persistence mechanisms, detect process masquerading, and instrument X11 API abuse.
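One of the recommended detections, process masquerading, can be checked from /proc: a genuine kernel thread is a child of kthreadd (PID 2) with an empty cmdline and no exe link, whereas a double-forked user-space daemon that renames itself keeps PID 1 as its parent, a cmdline and a readable exe. The script below is an added example, not Cyble's tooling; the sample process records and the exe path in them are constructed for illustration, not indicators from the report.

```python
"""Flag user-space processes carrying a kernel worker thread name. Genuine
kernel threads are children of kthreadd (PID 2) with an empty cmdline and no
exe link; a renamed daemon keeps a user-space parent, a cmdline and an exe."""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

KTHREADD_PID = 2
KERNEL_NAME_RE = re.compile(r"^kworker/")  # extend with other kernel thread names as needed

@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm (or Name: in /proc/<pid>/status)
    cmdline: str         # /proc/<pid>/cmdline with NULs replaced by spaces
    exe: Optional[str]   # readlink(/proc/<pid>/exe), None when there is none

def is_masquerading(p: Proc) -> bool:
    """Kernel-thread name but user-space traits: parent, cmdline or exe."""
    if not KERNEL_NAME_RE.match(p.comm):
        return False
    return p.ppid != KTHREADD_PID or p.cmdline.strip() != "" or p.exe is not None

def find_masqueraders(procs: Iterable[Proc]) -> List[Proc]:
    return [p for p in procs if is_masquerading(p)]

def read_proc(pid: int) -> Optional[Proc]:
    """Build a Proc from a live /proc entry (Linux only); None if it vanished."""
    try:
        with open(f"/proc/{pid}/status") as f:
            fields = dict(line.split(":", 1) for line in f if ":" in line)
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
        try:
            exe: Optional[str] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None
        return Proc(pid, int(fields["PPid"]), fields["Name"].strip(), cmdline, exe)
    except (OSError, KeyError, ValueError):
        return None

# Constructed sample: a genuine kworker next to a double-forked user-space
# daemon that renamed itself; the exe path is a placeholder, not a real IOC.
SAMPLE = [
    Proc(123, 2, "kworker/0:2-events", "", None),
    Proc(4242, 1, "kworker/0:2-events", "kworker/0:2-events", "/home/user/.local/.clipd"),
]
```

For a live scan, feed `find_masqueraders` the non-None results of `read_proc` over the numeric entries of /proc.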