A new Linux malware named ClipXDaemon has emerged as a direct financial threat to cryptocurrency users operating on X11-based desktop environments. Unlike typical malware that relies on remote command-and-control (C2) servers, ClipXDaemon operates entirely autonomously, silently monitoring clipboard activity and replacing legitimate wallet addresses with those controlled by attackers.
This development highlights the evolving threat landscape for Linux desktop users, who are increasingly targeted for cryptocurrency theft.
How ClipXDaemon Works
ClipXDaemon is unique because it does not require any external infrastructure to operate. Once deployed:
It monitors the clipboard every 200 milliseconds.
Any copied cryptocurrency wallet address is replaced with an attacker-controlled address.
The malware runs entirely on the victim’s system with no network traffic, no remote commands, and no C2 dependency.
This approach makes detection extremely difficult, as traditional network-based monitoring or antivirus scans are unlikely to flag the activity.
Connection to ShadowHS
The malware surfaced in February 2026 via a loader structure previously linked to ShadowHS, a Linux threat from January 2026 that targeted server environments with post-exploitation tools.
Both campaigns share a staging wrapper built using bincrypter, an open-source shell-script encryption framework. However, their payloads are operationally distinct:
ShadowHS: Focused on server environments.
ClipXDaemon: Targets Linux desktop users, specifically those handling cryptocurrency.
This shared obfuscation tool demonstrates a growing trend of attackers reusing open-source utilities to reduce development costs and complicate attribution, rather than suggesting common authorship.
Targeted Cryptocurrencies and Encryption
Cyble analysts noted that ClipXDaemon is designed to monitor eight cryptocurrency formats:
Bitcoin (BTC)
Ethereum (ETH)
Litecoin (LTC)
Monero (XMR)
Tron (TRX)
Dogecoin (DOGE)
Ripple (XRP)
TON
Wallet patterns and replacement addresses are encrypted inside the binary using ChaCha20 stream encryption, which shields them from static analysis.
During dynamic analysis:
Replacement wallets were confirmed for six assets.
TON and Ripple were monitored but no replacement addresses were observed.
At the time of discovery, the ELF payload remained undetected on VirusTotal, underscoring its stealth capabilities.
Why ClipXDaemon is Dangerous
Autonomous Operation: With no C2 infrastructure, it generates no traffic for network-based detection to observe.
Clipboard Hijacking: Targets users at the point of cryptocurrency transactions, where copying and pasting addresses is common.
Multi-Asset Targeting: Affects major cryptocurrencies including Bitcoin, Ethereum, and Monero.
Encrypted Payload: ChaCha20 encryption of the wallet patterns and replacement addresses hinders static analysis and reverse-engineering.
For Linux desktop users who regularly handle cryptocurrencies, this malware represents a significant financial risk.
ClipXDaemon signals a new era of autonomous Linux malware targeting cryptocurrency users. By hijacking wallet addresses without any network footprint, it can evade traditional defenses and siphon funds quietly.
To stay safe:
Always double-check wallet addresses before sending funds.
Consider using hardware wallets for added security.
Keep Linux systems up to date and monitor clipboard-related activity for suspicious behavior.
Cyble analysts’ discovery serves as a warning: even Linux desktops are not immune to advanced financial malware targeting cryptocurrency users.
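One way to act on the advice to monitor clipboard activity, shown as an added example that is not from Cyble's report or the malware itself: it scans timestamped clipboard snapshots and flags an address that is replaced by a different address of the same type within a short window. The address shapes, the one-second window, the function names and the sample events are assumptions made for this illustration.

```python
import re

# Simplified address shapes (assumptions for this example; the malware's own
# patterns are encrypted in the binary and are not given in the article).
ADDRESS_SHAPES = {
    "BTC": re.compile(r"^(bc1[0-9a-z]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "TRX": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}

SWAP_WINDOW_MS = 1000  # assumed window: a few of the 200 ms polling cycles


def classify(text):
    """Return the asset whose address shape the text matches, or None."""
    value = text.strip()
    for asset, shape in ADDRESS_SHAPES.items():
        if shape.match(value):
            return asset
    return None


def find_swaps(events, window_ms=SWAP_WINDOW_MS):
    """events: list of (timestamp_ms, clipboard_text) in time order.

    Flags a change from one address to a different address of the same
    asset type within window_ms. A person rarely copies two distinct
    addresses of the same coin less than a second apart.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        asset = classify(before)
        if (asset and asset == classify(after)
                and before.strip() != after.strip()
                and t1 - t0 <= window_ms):
            alerts.append({"asset": asset, "delta_ms": t1 - t0,
                           "copied": before.strip(), "now": after.strip()})
    return alerts


# Constructed sample snapshots (not real wallet addresses).
SAMPLE_EVENTS = [
    (0, "meeting notes"),
    (5000, "0x" + "a1" * 20),    # user copies an ETH-shaped address
    (5200, "0x" + "b2" * 20),    # different ETH-shaped value 200 ms later
    (60000, "0x" + "c3" * 20),   # later, unrelated copy: outside the window
]
```

The snapshots would come from whatever clipboard logger is in use on the desktop; the check itself only needs the timestamps and text.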

