The long road to your crypto: ClipBanker and its marathon infection chain
ID: 49f5ba61-cd83-5a47-b4e1-49e1d86deac4
STIX ID: report--49f5ba61-cd83-5a47-b4e1-49e1d86deac4
Feed Name: Securelist by Kaspersky
This report describes a multi-stage malware campaign that distributes a trojanized Proxifier installer hosted on GitHub and pastebin-style text-sharing sites. The payload adds Microsoft Defender exclusions, runs fileless PowerShell, injects into other processes and persists through scheduled tasks before finally deploying a ClipBanker-style clipboard stealer that swaps cryptocurrency wallet addresses in the clipboard for attacker-controlled ones, diverting funds. The analysis covers the full execution chain, the decoded scripts, the replacement addresses and IOCs (URLs and hashes), and notes that Kaspersky products have recorded more than 2,000 detections since early 2025, mainly in India and Vietnam.
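The chain summarized above relies on two artefacts that are easy to audit on a Windows host: Defender exclusions that hide the dropper's working directory, and scheduled tasks that relaunch PowerShell with a hidden window or an encoded command. The following triage script is an added example, not code from the report or from Kaspersky. It uses only standard cmdlets (Get-MpPreference, Get-ScheduledTask); the path and argument heuristics it flags are assumptions about what such a chain typically looks like, not the campaign's specific indicators, so treat every hit as a lead to investigate rather than a confirmed infection.

```powershell
# Added triage example: hunt for Defender exclusions and scheduled tasks
# consistent with a dropper that excludes its own folder and persists via
# PowerShell. Heuristics are assumptions, not the report's IOCs.

function Get-SuspiciousDefenderExclusions {
    # User-writable locations an installer has no business excluding.
    # Assumed heuristic: any exclusion rooted here deserves a look.
    $userWritable = @('\AppData\', '\Temp\', '\ProgramData\', '\Users\Public\', '\Downloads\')
    $pref = Get-MpPreference
    $hits = @()
    foreach ($p in @($pref.ExclusionPath)) {
        if ($null -eq $p) { continue }
        foreach ($marker in $userWritable) {
            if ($p -like "*$marker*") {
                $hits += [pscustomobject]@{ Kind = 'Path'; Value = $p }
                break
            }
        }
    }
    # Excluding powershell.exe or an entire script extension is a red flag on its own.
    foreach ($proc in @($pref.ExclusionProcess)) {
        if ($proc -and $proc -match 'powershell|pwsh|wscript|cscript|mshta') {
            $hits += [pscustomobject]@{ Kind = 'Process'; Value = $proc }
        }
    }
    foreach ($ext in @($pref.ExclusionExtension)) {
        if ($ext -and $ext -match '^\.?(ps1|vbs|js|bat|cmd|exe)$') {
            $hits += [pscustomobject]@{ Kind = 'Extension'; Value = $ext }
        }
    }
    return $hits
}

function Get-SuspiciousScheduledTasks {
    # Flags tasks whose action runs PowerShell with a hidden window, an
    # encoded command, bypassed execution policy, or a script in a
    # user-writable path. Assumed heuristic for fileless-style persistence.
    $hits = @()
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in @($task.Actions)) {
            $exe  = [string]$action.Execute
            $args = [string]$action.Arguments
            if ($exe -notmatch 'powershell|pwsh|cmd\.exe|wscript|mshta') { continue }
            $reasons = @()
            if ($args -match '(?i)-(w|win|windowstyle)\s+hidden') { $reasons += 'hidden window' }
            if ($args -match '(?i)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}') { $reasons += 'encoded command' }
            if ($args -match '(?i)-(ep|exec|executionpolicy)\s+bypass') { $reasons += 'execution policy bypass' }
            if ($args -match '(?i)(AppData|Temp|ProgramData|Users\\Public)') { $reasons += 'user-writable path' }
            if ($args -match '(?i)(iex|invoke-expression|downloadstring|webclient|invoke-webrequest)') { $reasons += 'download/eval' }
            if ($reasons.Count -gt 0) {
                $hits += [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Execute  = $exe
                    Reasons  = ($reasons -join ', ')
                }
            }
        }
    }
    return $hits
}

# Usage (run elevated so Get-MpPreference returns the full exclusion lists):
Get-SuspiciousDefenderExclusions | Format-Table -AutoSize
Get-SuspiciousScheduledTasks     | Format-Table -AutoSize
```

Run it from an elevated prompt, since Defender exclusion lists are hidden from non-administrators on recent builds. A clean host normally returns nothing from either function; an unexplained exclusion on a Temp or AppData folder paired with a task that launches hidden, encoded PowerShell is exactly the combination the chain above depends on, and is worth pulling the task XML and the excluded directory for closer analysis.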
