Laplas Clipper is a crypto-stealing malware that gains unauthorized access to the victim’s clipboard and replaces their crypto addresses to trick them into sending their funds to the attacker’s wallet. This malicious program is offered for sale as a malware-as-a-service (MaaS) and often distributed with the help of loaders, including SmokeLoader.

Type: Stealer
Origin: ex-USSR
First seen: 1 October, 2022
Last seen: 27 June, 2023


What is Laplas Clipper malware?

Laplas Clipper is a family of malware that possesses stealer capabilities. Specifically, it works by replacing victims’ cryptocurrency addresses with those of the attacker using the clipboard. As a result, users unknowingly end up sending their virtual coins and tokens to the wallet set up by the threat actor. First observed in late 2022, Laplas Clipper remains in operation to this day and gets regular updates.

Laplas is sold openly via Telegram channels and Darknet forums as a Malware-as-a-Service (MaaS). Any user interested in this malicious software can purchase a subscription, starting from one week ($49) and up to one year ($839). As part of the offering, operators receive a web panel that lets them control the entire process of replacing victims’ crypto addresses and get notifications about the malware’s activity.

Phishing campaigns are the most common method threat actors use to infect victims’ computers with Laplas Clipper. Criminals often weaponize .pdf and office-suite files to conduct multi-stage attacks. In many instances, the malware is dropped by other malicious software, including SmokeLoader, which first bypasses the computer’s security mechanisms and then downloads Laplas.


Technical details of the Laplas Clipper malicious software

Unlike other stealers, such as FormBook and Arkei, Laplas Clipper has limited functionality, focused exclusively on hijacking victims’ cryptocurrency transfers. The capabilities of the malware include:

  • Generation of crypto addresses: Laplas Clipper can generate Bitcoin addresses for all three types: P2PKH (legacy), P2SH, and SegWit. It can also create addresses for ERC20, BEP20, and other tokens that use the 0x prefix, as well as Tron ones.
  • Choice of prefix or postfix generation: The malware allows users to choose whether to produce addresses with the prefix or postfix. This gives criminals more control over the appearance of illegitimate addresses.
  • Support for over 20 types of wallets: The software can replace addresses in most popular crypto wallets.
  • Web panel: Laplas Clipper can be managed through a web-based interface, letting the operator easily configure and use the clipper.
  • Autobuild functionality: Users of the malware can choose between three versions of the program: C++, Golang, and .NET 4.
  • Automatic balance check: Laplas Clipper can automatically check the balance of victims’ addresses.
  • Support for EXE and DLL builds: Laplas Clipper can be built as either an EXE or a DLL.

The malware creates addresses that are almost identical to the original ones. For example, the first three characters after the prefix of the attacker's address will be the same as those of the victim's address. This is often enough for an average user to mistakenly send their cryptocurrency to the wrong address. Apart from generating its own addresses, Laplas Clipper allows operators to use their custom ones.
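The lookalike trick described above only works because users check the first few characters of an address and not the whole string. The following added example (not code from the page or from ANY.RUN) shows the defender-side check a wallet front end or clipboard monitor can apply: classify the text the user copied, compare it with what is about to be pasted, and report when the two are different addresses of the same family that share the leading characters after the prefix. The address regexes are deliberately syntactic only (no checksum validation) and the sample addresses are constructed, not real wallets.

```python
import re

# Simplified syntactic patterns for the address families the page says the
# clipper targets, paired with the length of each family's fixed prefix.
# Constructed for this example: these do not validate checksums.
ADDRESS_PATTERNS = {
    "btc-p2pkh":  (re.compile(r"^1[1-9A-HJ-NP-Za-km-z]{25,34}$"), 1),
    "btc-p2sh":   (re.compile(r"^3[1-9A-HJ-NP-Za-km-z]{25,34}$"), 1),
    "btc-segwit": (re.compile(r"^bc1[02-9ac-hj-np-z]{11,87}$"), 3),
    "evm-0x":     (re.compile(r"^0x[0-9a-fA-F]{40}$"), 2),
    "tron":       (re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"), 1),
}


def classify(text):
    """Return (family, prefix_length), or (None, 0) if text is not an address."""
    for family, (pattern, prefix_len) in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family, prefix_len
    return None, 0


def check_paste(copied, pasted, lookalike_chars=3):
    """Compare the address the user copied with the clipboard content at paste time.

    A clipper swaps in an address of the same family whose first characters
    after the prefix match the original, so the verdict records both facts.
    """
    result = {"suspicious": False, "reason": "unchanged",
              "family": None, "lookalike": False}
    if copied == pasted:
        return result
    family_c, prefix_len = classify(copied)
    family_p, _ = classify(pasted)
    if family_c is None:
        # Not an address to begin with: outside this check's scope.
        result["reason"] = "copied text is not a recognised address"
        return result
    result["family"] = family_c
    result["suspicious"] = True          # any change to a copied address is a red flag
    if family_p != family_c:
        result["reason"] = "address replaced by text of a different kind"
        return result
    head_c = copied[prefix_len:prefix_len + lookalike_chars]
    head_p = pasted[prefix_len:prefix_len + lookalike_chars]
    result["lookalike"] = head_c == head_p
    result["reason"] = ("same family, matching leading characters, remainder differs"
                        if result["lookalike"] else "same family, different address")
    return result


# Constructed sample: a copied P2PKH address and a lookalike that shares "A1z".
COPIED = "1A1zK7mQv4RtXw2NbYd8HcJe3GpLs6UfZq"
SWAPPED = "1A1zQ9c2d4KxGh7VbNm3pRtYuWqSzLe8Kd"

if __name__ == "__main__":
    print(check_paste(COPIED, SWAPPED))
    print(check_paste(COPIED, COPIED))
```

The check is intentionally strict: any change between copy and paste is treated as suspicious, and the lookalike flag only adds context for the alert. For 0x addresses, a wallet that re-emits the same address with different letter casing (EIP-55 checksum casing) would trip the equality test, so a production version should compare those case-insensitively.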

As for the anti-analysis and anti-detection techniques, some versions of the malware are obfuscated with Babel, a popular obfuscator for .NET, which is capable of renaming symbols and encrypting strings. The malware is also equipped with debugger and virtualization evasion. Read the article “Analyzing a New .NET variant of LaplasClipper: retrieving the config” to learn more about the program’s code and collect its configuration.

Execution process of Laplas Clipper

Let’s load a sample of Laplas Clipper into ANY.RUN, an interactive malware sandbox, to expose its malicious activities and examine its behavior, as well as to gather up-to-date IOCs.

[Figure: Laplas Clipper's process tree]

The task starts with the execution of a malicious file with the name "scdscxzccsacx_csharp_build_autorun.exe" located in the temporary folder. What's interesting is that this executable creates a scheduled task called "uAGRIUzbtd", which launches another executable named “svcupdater.exe.” This executable is located in the user's roaming folder stored inside the AppData directory (T1053.005). ANY.RUN shows that the "cmd" process was used to execute the "schtasks" process.

About one minute into the VM session, the scheduled task starts the "svcupdater.exe" file. This indicates that the malware is establishing persistence by scheduling the execution of a file in the user's roaming folder, a behavior commonly observed in malware that wants to survive a reboot.

After that, the malware performs its main activity and begins to connect to C2 servers and collect information about the system. In this task, we can not only view the malware configuration by clicking the CFG icon next to the process or the MalConf button, but also download a dump of that process by clicking the DMP icon to perform additional analysis if needed.

Read a detailed analysis of Laplas Clipper in our blog.

[Figure: ANY.RUN lets you download a process dump of the analyzed sample]

Distribution methods of the Laplas Clipper malware

Phishing emails are commonly used by criminals as the first step in multi-stage attacks that ultimately lead to Laplas Clipper infection. The attackers craft deceptive emails that trick recipients into opening attachments containing harmful files. For instance, attackers have been observed posing as CoinPayments, a well-known cryptocurrency payment gateway, and asking users to download a .zip archive. By executing the files from the archive, users inadvertently install Laplas Clipper on their systems.

Conclusion

Laplas is a recently developed malware that poses a serious threat to crypto holders worldwide. The malicious actors behind Laplas attacks have succeeded in stealing substantial amounts of virtual coins. Therefore, individuals and companies that deal with cryptocurrencies must exercise extra caution when opening email attachments from unknown senders and files from untrusted sources. To check whether a document or link is safe, it is recommended to use ANY.RUN. The platform provides conclusive verdicts on the malicious behavior of files and URLs and generates detailed reports containing IOCs and configs for future detection of the threat.

