Threat Overview
On January 15, 2026, AlienVault released a comprehensive threat report titled HUMINT Operations Uncover Cryptojacking Campaign: Discord-Based Distribution of Clipboard Hijacking Malware Targeting Cryptocurrency Communities. The report details a sophisticated operation carried out by the threat actor group known as RedLineCyber. The actors distribute a malicious executable named Pro.exe, a Python‑based clipboard hijacking trojan that silently replaces cryptocurrency wallet addresses copied to the Windows clipboard with attacker‑controlled addresses. The malware has been actively used to steal funds from multiple cryptocurrency streamers, casino gaming communities, and users who frequently handle digital asset transactions during live broadcasts on Discord.
Actor Profile
RedLineCyber is a well‑organised threat group that leverages social engineering and platform trust to spread malware. The group targets communities that are highly active on Discord, especially those focused on gaming, gambling, and cryptocurrency streaming. By embedding malicious links or files within trusted channels, the actors exploit the social bonds that exist within these groups.
Distribution Vector
The primary distribution method is Discord. RedLineCyber posts malicious attachments or links in public and private servers. Once a user downloads and runs Pro.exe, the executable installs silently in the background and begins monitoring the Windows clipboard for patterns that match cryptocurrency wallet addresses. When a match is detected, the malware replaces the address with an address controlled by the attackers.
Technical Characteristics
- Obfuscation: The Python bytecode is heavily obfuscated, making static analysis challenging.
- Base64‑encoded Regular Expressions: Wallet detection logic is stored in base64 strings, further complicating detection.
- Low System Footprint: The trojan runs as a background process with minimal system resource usage, reducing the likelihood of detection by casual users.
Impact Assessment
RedLineCyber’s campaign has successfully compromised multiple victims across six major cryptocurrencies, including Bitcoin, Ethereum, Litecoin, Ripple, Dogecoin, and Binance Coin. The stolen funds are typically transferred to addresses that are later moved to mixing services or exchanged for fiat currency. Victims are often unaware of the theft until they notice a discrepancy in their transaction history or receive an alert from their wallet provider.
Indicators of Compromise (IOCs)
- Execution of Pro.exe from unfamiliar or suspicious Discord channels.
- Presence of a background process named pro.exe or similar.
- Unexpected network connections to IP addresses or domains associated with known cryptocurrency mixers.
- Altered clipboard content when copying wallet addresses.
Detection Strategies
Endpoint detection and response (EDR) solutions should be configured to flag the execution of unknown Python scripts and monitor for clipboard manipulation. Network monitoring tools can be tuned to detect outbound traffic to known mixing services or cryptocurrency exchanges. Additionally, user education on the risks of downloading files from Discord and the importance of verifying file sources can significantly reduce exposure.
Mitigation Recommendations
- Discord Server Moderation: Implement strict file upload policies, use automated scanning for attachments, and enforce two‑factor authentication for all moderators.
- Endpoint Hardening: Disable clipboard monitoring features for non‑trusted applications, enforce application whitelisting, and deploy EDR solutions with advanced behavioral analytics.
- Patch Management: Keep Windows and all installed software up to date to mitigate exploitation of known vulnerabilities that could be used to bypass security controls.
- User Awareness Training: Conduct regular phishing and social engineering awareness sessions, emphasizing the risks of downloading executables from Discord.
- Incident Response Planning: Develop a clear playbook for responding to suspected clipboard hijacking incidents, including steps for isolating affected machines, preserving evidence, and notifying relevant stakeholders.
Conclusion
The RedLineCyber campaign demonstrates how threat actors can exploit trusted community platforms to deliver stealthy, high‑impact malware. By combining social engineering with sophisticated obfuscation techniques, the actors have managed to steal significant amounts of cryptocurrency from unsuspecting users. Security analysts should remain vigilant for the indicators of compromise outlined above and implement the recommended mitigation measures to protect their organizations and users from this evolving threat.

