Cyble has identified a new Linux threat named ClipXDaemon that targets cryptocurrency users by intercepting and manipulating copied wallet addresses.

Cyble's publication is a resource for cybersecurity professionals and businesses seeking to stay ahead of evolving cyber threats. Through detailed analysis of threat intelligence, cybersecurity trends, and real-world cyber incidents, Cyble provides  insights into emerging threats, cyber attack tactics, and risk mitigation strategies. Readers can learn about threat detection methodologies, vulnerability assessment techniques, incident response protocols, and compliance standards to enhance their cybersecurity posture. Additionally, Cyble offers expert commentary, best practices, and actionable recommendations to help organizations protect their digital assets, safeguard sensitive data, and maintain business continuity in the face of cyber threats.

Cyble

Cyble Research & Intelligence Labs has identified ClipXDaemon, a new Linux malware targeting cryptocurrency users on X11 desktop environments. Delivered via a bincrypter-based three-stage loader (encrypted loader → in-memory dropper → on-disk ELF), the payload is a fully autonomous clipboard hijacker with no C2 infrastructure. It daemonizes itself using double-fork, masquerades as a kernel worker thread (kworker/0:2-events), and polls the X11 clipboard every 200ms. When a cryptocurrency wallet address is detected via ChaCha20-encrypted regex patterns, it replaces it with attacker-controlled addresses for Bitcoin, Ethereum, Monero, Litecoin, Dogecoin, Tron, and others. Persistence is achieved via ~/.profile modification. The malware explicitly avoids Wayland sessions and operates entirely offline, making network-based detection ineffective. Defenders are advised to migrate to Wayland, monitor userland persistence mechanisms, detect process masquerading, and instrument X11 API abuse.

ClipXDaemon: Autonomous X11 Clipboard Hijacker Delivered via Bincrypter-Based Loader