Unit 42 has discovered a malware campaign called CryptoClippy, which aims to steal cryptocurrency from legitimate users’ wallets by replacing their actual wallet address with the threat actor’s. The malware, known as a cryptocurrency clipper, monitors the victim’s clipboard for signs of cryptocurrency wallet addresses being copied. To deliver the malware, the threat actors used Google Ads and traffic distribution systems to redirect victims to malicious domains impersonating the legitimate WhatsApp Web application. The campaign targets Portuguese speakers, and victims have been found across the manufacturing, IT services, and real estate industries. Palo Alto Networks customers are protected against this campaign through Cortex XDR.
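As a defender-side illustration of the clipboard substitution described above, the following added example (not from Unit 42 or the original page) flags clipboard histories in which one wallet address is replaced by a different address of the same type within a short interval. The address patterns, the 2-second window, the function names, and the sample events are all assumptions constructed for this example.

```python
import re

# Common address shapes. Assumption: the page does not say which currencies are targeted.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def classify(text):
    """Return (family, normalized_value) for an address-shaped string, else (None, None)."""
    value = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            # ETH hex is case-insensitive; fold case so a re-copy is not a "swap".
            return family, value.lower() if family == "eth" else value
    return None, None

def find_swaps(events, window=2.0):
    """Flag an address replaced by a different address of the same family
    within `window` seconds (hypothetical threshold; tune per environment).

    events: (timestamp_seconds, clipboard_text) tuples in time order.
    """
    alerts = []
    prev_time, prev_family, prev_value = None, None, None
    for timestamp, text in events:
        family, value = classify(text)
        if (family and family == prev_family and value != prev_value
                and timestamp - prev_time <= window):
            alerts.append({"time": timestamp, "family": family,
                           "copied": prev_value, "replaced_with": value})
        prev_time, prev_family, prev_value = timestamp, family, value
    return alerts

# Constructed clipboard-change records; the addresses are synthetic, not real wallets.
SAMPLE_EVENTS = [
    (10.0, "meeting notes"),
    (42.0, "0x" + "a1" * 20),   # user copies an address
    (42.3, "0x" + "b2" * 20),   # different address 0.3 s later: flagged
    (90.0, "1" + "A" * 30),
    (300.0, "1" + "B" * 30),    # new copy minutes later: not flagged
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

A human rarely copies two different addresses of the same type within a fraction of a second, so the short window keeps ordinary copy activity out of the alerts.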