{"id":2384,"date":"2026-04-09T10:04:09","date_gmt":"2026-04-09T10:04:09","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/the-long-road-to-your-crypto-clipbanker-and-its-marathon-infection-chain\/"},"modified":"2026-04-09T10:04:09","modified_gmt":"2026-04-09T10:04:09","slug":"the-long-road-to-your-crypto-clipbanker-and-its-marathon-infection-chain","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/09\/the-long-road-to-your-crypto-clipbanker-and-its-marathon-infection-chain\/","title":{"rendered":"The long road to your crypto: ClipBanker and its marathon infection chain"},"content":{"rendered":"
\n

\"\"<\/p>\n

At the start of the year, a certain Trojan caught our eye due to its incredibly long infection chain. In most cases, it kicks off with a web search for \u201cProxifier\u201d. Proxifiers are speciaized software designed to tunnel traffic for programs that do not natively support proxy servers. They are a go-to for making sure these apps are functional within secured development environments.<\/p>\n

By coincidence, Proxifier is also a name for a proprietary proxifier developed by VentoByte, which is distributed under a paid license.<\/p>\n

If you search for Proxifier (or a proxifier), one of the top results in popular search engines is a link to a GitHub repository. That\u2019s exactly where the source of the primary infection lives.<\/p>\n

\"\"<\/a><\/p>\n

The GitHub project itself contains the source code for a rudimentary proxy service. However, if you head over to the Releases section, you\u2019ll find an archive containing an executable file and a text document. That executable is actually a malicious wrapper bundled around the legitimate Proxifier installer, while the text file helpfully offers activation keys for the software.<\/p>\n

\"\"<\/a><\/p>\n

Once launched, the Trojan\u2019s first order of business is to add an exception to Microsoft Defender for all files with a TMP extension, as well as for the directory where the executable is sitting. The way the Trojan pulls this off is actually pretty exotic.<\/p>\n

First, it creates a tiny stub file \u2013 only about 1.5 KB in size \u2013 in the temp directory under the name \u201cProxifier<???>.tmp\u201d and runs it. This stub doesn\u2019t actually do anything on its own; it serves as a donor process. Later, a .NET application named \u201capi_updater.exe\u201d is injected into it to handle the Microsoft Defender exclusions. To get this done, api_updater.exe decrypts and runs a PowerShell script using the PSObject class. PSObject lets the script run directly inside the current process without popping up a command console or launching the interpreter.<\/p>\n

\"\"<\/a><\/p>\n

As soon as the required exclusions are set, the trojanized proxifier.exe extracts and launches the real Proxifier installer. Meanwhile, it quietly continues the infection in the background: it creates another donor process and injects a module named proxifierupdater.exe. This module acts as yet another injector. It launches the system utility conhost.exe and injects it with another .NET app, internally named \u201cbin.exe\u201d, which runs a PowerShell script using the same method as before.<\/p>\n

\"\"<\/a><\/p>\n

The script is obfuscated and parts of it are encoded, but it really only performs four specific actions:<\/p>\n