New Linux Malware ClipXDaemon Hijacks Crypto Wallet Addresses in X11 Sessions A recently discovered Linux malware, ClipXDaemon, is targeting cryptocurrency users by silently replacing copied wallet addresses with attacker-controlled ones during transactions. Identified by Cyble Research and Intelligence Labs in early February 2026 and detailed on March 5, 2026, the malware exploits the common practice of copy-pasting wallet addresses, redirecting funds to threat actors without the victim’s knowledge. Unlike traditional malware, ClipXDaemon operates independently, eliminating the need for a command-and-control (C2) server. This makes it harder to detect, as it avoids network-based indicators of compromise. The malware is delivered via a loader using Bincrypter, an open-source shell-script encryption tool available on GitHub. While this technique was previously seen in ShadowHS campaigns, researchers found no direct link between the two threats only shared use of the same public tool. ClipXDaemon focuses solely on clipboard hijacking within X11 sessions, a widely used Linux windowing system. It monitors clipboard activity and replaces cryptocurrency wallet addresses in real time. Since many users rely on copy-paste for transactions, a single unnoticed alteration can result in funds being sent to the attacker instead of the intended recipient. The malware’s stealthy, self-contained design poses challenges for defenders, as traditional detection methods often rely on identifying suspicious outbound traffic or C2 communications. Its evolution reflects a broader trend in Linux malware toward targeted, profit-driven attacks that minimize detectable activity. Security recommendations include transitioning from X11 to Wayland (which ClipXDaemon avoids), monitoring for unusual clipboard polling, and verifying wallet addresses manually before transactions. The threat underscores the persistent risk of clipboard hijacking in cryptocurrency operations, even on less commonly targeted Linux systems.

New Android Banking Malware "deVixor" Combines Ransomware with Credential Theft Cyble researchers have uncovered deVixor, a sophisticated Android remote access trojan (RAT) targeting Iranian banking users with a blend of credential theft, surveillance, and ransomware capabilities. First detected in October 2023, the malware spreads via phishing websites impersonating automotive businesses, luring victims into downloading malicious APK files. Originally focused on SMS harvesting, deVixor has rapidly evolved into a full-featured criminal platform. It now supports nearly 50 commands, including banking fraud, keylogging, ransomware deployment, and device surveillance. The malware leverages Firebase for command delivery and a Telegram-based bot infrastructure for scalable control, allowing attackers to evade detection while managing infections at scale. Key features include: - Credential theft: Harvests OTPs, banking credentials (via WebView-based JavaScript injection), and cryptocurrency exchange data. - Surveillance: Captures keystrokes, screenshots, contacts, and device notifications while blocking uninstallation. - Ransomware: Locks devices and demands TRON cryptocurrency payments, storing attack parameters in LockTouch.json to persist across reboots. Cyble’s analysis of over 700 samples confirms deVixor is an actively maintained criminal service, with its Telegram channel suggesting broader future targeting. The malware’s modular design and persistent updates highlight the growing sophistication of Android banking threats, blending traditional fraud with disruptive ransomware tactics.

The Criminal Investigation Department (CID) and the Cyber Crime Police are searching for the hacker who gained access to private information belonging to the e-commerce firm Cyble and posted advertisements for the sale of the data on the dark web. According to reports, the hacker sought payment from the business owner in order to remove the list. The issue was discovered after Praveen B.S., the business's owner, discovered that his client list had been taken. The data included details of all the customers who bought groceries and other products from his company’s online website, said a police officer.