Ransomware and infostealers dominate cybersecurity headlines, a lesser-known menace lurks in the shadows: cryptojacking malware. CyberArk’s recent discovery of **MassJacker**

Continue reading
While ransomware and infostealers dominate cybersecurity headlines, a stealthier threat—cryptojacking malware—has quietly siphoned millions from unsuspecting victims. In a groundbreaking investigation, CyberArk Labs uncovered MassJacker, a sophisticated cryptojacking operation linked to over 750,000 unique cryptocurrency wallets and a single Solana wallet valued at $300,000. This deep dive reveals how cybercriminals exploit pirated software portals like pesktop[.]com to hijack crypto transactions, evade detection, and amass digital fortunes.
The MassJacker campaign begins on pesktop[.]com, a rogue site masquerading as a hub for pirated software. Users downloading "cracked" tools unwittingly execute a multi-stage attack:
The infection chain’s complexity—spanning PowerShell, .NET obfuscation, and process hollowing—underscores evolving malware tactics to bypass endpoint detection.

*Infection Chain (CyberArk)*
1. JIT Hooking & Metadata Token Swapping MassJacker’s PackerD1 employs JIT (Just-In-Time) Compiler Hooking, dynamically altering function calls during runtime to thwart static analysis. Researchers observed functions like `StopMapper` being rewritten mid-execution (Figure 2), a technique previously linked to MassLogger, a malware-as-a-service (MaaS) tool. Metadata token mapping further obfuscates control flow, redirecting fields to malicious functions (e.g., `ObserverProducer`).
2. Custom Virtual Machine & String Obfuscation The third resource in PackerD1 deploys a custom VM executing two scripts. The first manipulates stack values to alter program behavior, while the second decrypts PackerD1’s fourth resource—a string repository obfuscated with non-readable delimiters (Figure 8). These strings reveal the fifth resource, PackerD2, which loads the final payload.
3. Process Injection & Anti-Debugging PackerD2 deserializes a configuration object (`_Bridge`) to disable security tools like AMSI and ETW. The payload, MassJacker, is injected into `InstalUtil.exe` and deploys infinite debugger-checking loops to resist analysis.
MassJacker’s core functionality hinges on clipboard hijacking:
CyberArk’s analysis uncovered 778,531 unique wallets, but only 423 held funds. Key findings include:
MassJacker’s discovery illuminates the dark underbelly of cryptojacking—a threat amplified by pirated software traps and evolving anti-analysis tech. For users, vigilance against unofficial downloads is critical. For researchers, decrypting malware like MassJacker offers treasure troves of threat intel, potentially unmasking criminal empires.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.