Security Affairs

Lithuanian suspect arrested over KMSAuto malware that infected 2.8M systems



A Lithuanian man (29) was arrested for allegedly spreading a trojanized build of the KMSAuto activation tool carrying clipboard-stealing malware; the malicious download was fetched about 2.8 million times by users of pirated Windows and Office installations.

The man was extradited from Georgia to South Korea under Interpol coordination. Authorities say he trojanized the KMSAuto piracy tool to distribute clipper malware that monitored victims’ clipboards for cryptocurrency addresses and replaced them with attacker-controlled wallets, redirecting crypto transactions without users’ knowledge.

According to the Korean National Police Agency, the suspect bundled the malware with the KMSAuto tool to lure victims into running a malicious executable. Once running, it monitored the clipboard for strings that looked like cryptocurrency wallet addresses and silently replaced them with attacker-controlled addresses, so a victim who pasted a destination address into a wallet or exchange sent funds to the attacker instead. This class of threat is known as ‘clipper malware’.
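As an added illustration (example code written for this page, not the malware's own code nor anything released by the Korean police), the block below models the clipboard substitution described above and shows the simple round-trip canary a defender can use to catch it: copy a known address, read it back, and compare. The address regexes, the Clipboard classes and every sample address are constructed for the example; none of the addresses are real wallets or come from the case.

```python
import re

# Address families a clipper typically targets. These regexes are constructed for
# this example; the article does not publish the KMSAuto clipper's matching rules.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),  # Base58Check P2PKH/P2SH
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),       # SegWit, bech32 charset
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),                       # 20-byte hex account
}


def classify_address(text):
    """Return the address family of ``text`` or None if it is not a recognised address."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


class Clipboard:
    """Clean clipboard model: hands back exactly what was written."""

    def __init__(self):
        self._data = ""

    def write(self, text):
        self._data = text

    def read(self):
        return self._data


class ClipperInfectedClipboard(Clipboard):
    """Models the behaviour the article describes: when the clipboard holds a
    cryptocurrency address, the victim reads back an attacker wallet of the same
    family instead. The swap happens on read, so the victim's paste is what changes."""

    def __init__(self, attacker_wallets):
        super().__init__()
        self.attacker_wallets = attacker_wallets  # family -> attacker-controlled address
        self.swaps = 0

    def read(self):
        text = super().read()
        family = classify_address(text)
        # Only well-formed addresses are swapped; the attacker's own wallet is left alone.
        if family in self.attacker_wallets and text.strip() != self.attacker_wallets[family]:
            self.swaps += 1
            return self.attacker_wallets[family]
        return text


def clipboard_roundtrip_check(clipboard, canary):
    """Defender-side canary: copy a known address, read it back, and report whether
    it survived unchanged. A mismatch is the signature of a clipper on the host."""
    clipboard.write(canary)
    read_back = clipboard.read()
    return {"ok": read_back == canary, "written": canary, "read_back": read_back}


# Constructed sample addresses that satisfy the patterns above; none are real wallets.
VICTIM_BTC = "1VictimBtcAddressFake1234567891234"
VICTIM_ETH = "0x" + "1" * 40
VICTIM_BECH32 = "bc1q" + "z" * 38
ATTACKER_WALLETS = {
    "btc_legacy": "1AttackerBtcAddressFake123456789",
    "btc_bech32": "bc1q" + "x" * 38,
    "eth": "0x" + "2" * 40,
}


if __name__ == "__main__":
    boards = (("clean", Clipboard()),
              ("infected", ClipperInfectedClipboard(ATTACKER_WALLETS)))
    for board_name, board in boards:
        for canary in (VICTIM_BTC, VICTIM_ETH, VICTIM_BECH32, "not an address"):
            result = clipboard_roundtrip_check(board, canary)
            status = "ok" if result["ok"] else "SWAPPED"
            print(f"{board_name:9s} {status:8s} wrote={result['written'][:14]}... "
                  f"read={result['read_back'][:14]}...")
```

On a real host the same check is a one-liner against the platform clipboard (for example `Set-Clipboard` followed by `Get-Clipboard` in PowerShell): write a wallet address you own, read it back, and alert if the two differ. Two details matter in practice and are mirrored in the model: the swap only fires when the text is a well-formed address, so the canary must look like one, and a clipper leaves its own wallets untouched, so a mismatch that resolves to a fixed address across many hosts is the attacker's wallet.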

From 2020 to 2023, malware disguised as the illegal Windows activator KMSAuto was downloaded about 2.8 million times worldwide. The clipper replaced wallet addresses at the moment of transaction; investigators tied 3,100 compromised wallet addresses to 8,400 transfers worth about ₩1.7 billion. Eight South Korean victims lost a combined ₩16 million, with every infection traced back to pirated software.

“Between April 2020 and January 2023, the suspect distributed malware disguised as an illegal Windows activation tool known as KMSAuto. The malicious software was downloaded approximately 2.8 million times worldwide, including in South Korea.” reads the press release issued by the Korean police. “Investigators identified 3,100 compromised cryptocurrency wallet addresses, which were used in 8,400 transactions to steal virtual assets worth approximately 1.7 billion won. Eight South Korean victims were confirmed, suffering combined losses of about 16 million won.”


In August 2020, police launched an investigation after a victim lost 1 Bitcoin, worth about 12 million won, when malware automatically replaced the intended wallet address with one controlled by a hacker during a transaction. The infection came from KMSAuto, an illegal Windows activation tool downloaded online. Investigators uncovered a large-scale international operation targeting exchanges and companies across six countries, traced illicit crypto flows, and identified a Lithuanian suspect. With the help of international partners, police seized the suspect’s devices, issued an Interpol red notice, and arrested the suspect in Georgia.

“To prevent the various kinds of damage caused by malicious programs, you should be careful with programs from unknown sources,” said Park Woo-hyun, cyber investigation director at the National Police Agency. “The police will continue to work with law enforcement agencies around the world to combat borderless cybercrime, and we plan to respond strictly, including through repatriation.”


Pierluigi Paganini

(SecurityAffairs – hacking, malware)