Crypto Stealing Malware Clipsa Targeted Computers in the Philippines


August 7, 2019 – Cybersecurity firm Avast released details on how Clipsa, a crypto-stealing malware, worked its way across computers around the world, particularly in India and the Philippines.


Disguised as a codec installer for media players, Clipsa is written in Visual Basic and is primarily a password stealer. It can steal admin credentials on WordPress sites and replace crypto addresses in the clipboard, not to mention mine cryptocurrency on infected computers.

Clipsa performs several actions, including searching the clipboard for crypto wallet addresses and replacing them with wallet addresses belonging to the bad actors who created it.

Avast also noted how it infects vulnerable WordPress websites:

Once it finds a vulnerable site, it attempts to brute-force its way into the site, sending the valid login credentials to Clipsa’s C&C servers. While we cannot say for sure, we believe the bad actors behind Clipsa steal further data from the breached sites.


According to Avast, Clipsa’s campaign is most prevalent in India where Avast blocked more than 43,000 infection attempts.

In the Philippines, Avast said it protected “more than 15,000 users” from Clipsa. In Brazil, it blocked 13,000 attempts.


Avast found that when Clipsa is installed, it comes with more than 9,000 addresses that can hold stolen funds. According to its findings, the bad actors have succeeded in stealing over 3 bitcoin, which is Php 1.8 million at today’s exchange rates.

Last year, BitPinas reported the rise of cryptojacking and crypto mining malware globally, particularly in the Philippines. According to Kaspersky Lab, the Philippines is the 9th most attacked country globally and most of these attacks are related to cryptomining. Data sent by Kaspersky Lab revealed 10.6 million web malware infections in the Philippines for the 2nd quarter of 2018. This is twice the number from the 1st quarter (5.6 million) and a massive increase from the same quarter last year.

In another report, the League of Legends PH client was infected by Coinhive, a JavaScript script that, when left alone, will mine the cryptocurrency Monero (Coinhive has since shut down). According to Garena, which handles the League of Legends client, there was an unauthorized modification of the League of Legends PH client lobby in which a certain JavaScript code was inserted. This code performs blockchain mining on affected computers, which consumes CPU resources from these computers. Garena engineers removed it promptly.

This article is first published on BitPinas: Crypto Stealing Malware Clipsa Targeted Computers in the Philippines

Photo by Markus Spiske on Unsplash


Michael Mislos

A business ad graduate from the Pamantasan ng Lungsod ng Maynila, Mike is the website manager of He is responsible for almost every content you see on the site, from topic/news selection to editing of articles. Mike believes correct information about blockchain and cryptocurrency can empower people to make accurate decisions about the industry, which, in turn, should deter bad actors from taking advantage of crypto & blockchain. [Telegram @mikemislos]