Hackers hide crypto address-swapping malware in Microsoft Office add-in bundles

Cybersecurity researchers have uncovered a new malware campaign that disguises itself within Microsoft Office extension packages to steal cryptocurrency by silently replacing wallet addresses.

The attack involves malicious Office add-ins that, once installed, operate in the background by monitoring clipboard activity. When a user copies a crypto wallet address—for example, during a transaction—the malware instantly replaces it with a wallet address controlled by the attacker, rerouting funds without the user’s knowledge.

This tactic, known as clipboard hijacking, is not new, but its delivery method through Office extensions represents a concerning evolution. Users typically trust Office add-ins for productivity enhancements, making them an ideal vector for stealthy infections.

Researchers warn that the malware is difficult to detect due to its low-profile behavior and integration with legitimate software workflows. It doesn’t trigger conventional security alarms and can persist undetected for long periods, increasing the risk of financial loss.

Security experts are urging crypto users to double-check wallet addresses before confirming transactions and avoid downloading unofficial Office add-ins. Meanwhile, businesses and institutions are advised to strengthen endpoint security and restrict unauthorized plugin installations to mitigate exposure.
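The address check recommended above can be automated. The following Python sketch is an added example, not code from the researchers or from the campaign: it flags clipboard samples where one wallet address is replaced by a different address of the same kind within a short window, and compares a copied address against the pasted one in full. The function names, the two-second window, the address patterns and the sample data are all assumptions made for illustration.

```python
import re

# Address shapes (assumed for illustration; the article names no specific coins).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return the address family the text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

def find_swaps(samples, window=2.0):
    """Flag samples where an address is replaced by a different address of
    the same kind within `window` seconds (hypothetical threshold).

    samples: list of (timestamp_seconds, clipboard_text), in time order.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(samples, samples[1:]):
        kind = address_kind(before)
        if kind is None or kind != address_kind(after):
            continue  # not an address-to-address change of the same kind
        if before.strip() != after.strip() and (t1 - t0) <= window:
            alerts.append({"time": t1, "kind": kind,
                           "copied": before.strip(), "now": after.strip()})
    return alerts

def verify_paste(copied, pasted):
    """Full-string comparison of the copied address against the pasted one."""
    return copied.strip() == pasted.strip()

# Constructed sample data: made-up strings with a valid shape, not real wallets.
SAMPLES = [
    (0.0, "meeting notes"),
    (10.0, "0x" + "a1" * 20),
    (10.3, "0x" + "b2" * 20),  # same kind, different value, 0.3 s later
    (95.0, "0x" + "c3" * 20),  # user copied another address much later
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLES):
        print(alert)
```
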

Copyright © 2025 cryptonews.lk