Clipsa Description

The Clipsa malware is a threat, which falls in the category of password collectors. The activity of the Clipsa malware seems to be concentrated in several regions – Brazil, India and the Philippines. The Clipsa malware project appears to be in its early stages, and it is likely that its authors may further weaponize this threat.

Propagation Method

The creators of the Clipsa malware have opted to disguise their threat as a fake media player or a fraudulent codec pack. The users are urged to install it if they want to be able to view the content on the website. Users online should be very wary of Web pages that require you to install additional software in order to view their contents as this is a commonly used trick to propagate various types of malware.


The Clipsa malware will store its corrupted files in system directories, and then gain persistence by configuring the Windows Registry to starts its files whenever Windows boots up automatically. This threat is able to plant a cryptocurrency miner on the compromised machine. However, the Clipsa malware uses a cunning technique to ensure that the crypto-currency miner will not be spotted by the user. This threat will scan the running, as well as the opened windows every ten seconds. The goal of the scan is to determine if the user has opened the Task Manager or initialized Process Hacker or Process Explorer because these applications will show the user the CPU usage. When a cryptocurrency miner is working, the CPU usage goes through the roof, and it is very likely that the victim may notice that something smells fishy. If such processes are detected, the Clipsa malware will cease its activity immediately.


The Clipsa malware is mainly used to collect login credentials from its victims. However, it has some other capabilities too. Systems infected by the Clipsa malware will execute a script that scans the Internet for WordPress websites that are vulnerable to brute force attacks periodically. If the scan returns valid login credentials for a particular WordPress page, Clipsa will transfer the URL, username, and password to the attacker's control server. The Clipsa malware also monitors the clipboard on the compromised host, and if it detects that the user has copied a cryptocurrency wallet's address, it will erase it and replace it with a wallet that belongs to the attackers. Malware researchers spotted that the Clipsa malware is sometimes delivered with a '.dat' file, which has several thousand Ethereum and Bitcoin wallets, which are all used by the authors of this threat. It appears that the shady operations of the creators of the Clipsa malware have been fruitful – the attackers have generated more than 55 ETH (~$12,000).

Despite this threat being fairly new, it is already showing signs that it may cause headaches to many people around the world. Make sure that you have a legitimate anti-malware application, which will keep your system safe from nasty threats like the Clipsa malware.

Do You Suspect Your PC May Be Infected with Clipsa & Other Threats? Scan Your PC with SpyHunter

SpyHunter is a powerful malware remediation and protection tool designed to help provide PC users with in-depth system security analysis, detection and removal of a wide range of threats like Clipsa as well as a one-on-one tech support service. Download SpyHunter's FREE Malware Remover
Note: SpyHunter's scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware removal tool to remove the malware threats. Read more on SpyHunter. Free Remover allows you to run a one-off scan and receive, subject to a 48-hour waiting period, one remediation and removal. Free Remover subject to promotional details and Special Promotion Terms. To understand our policies, please also review our EULA, Privacy Policy and Threat Assessment Criteria. If you no longer wish to have SpyHunter installed on your computer, follow these steps to uninstall SpyHunter.

Security Doesn't Let You Download SpyHunter or Access the Internet?

Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
  • Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
  • IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.
If you still can't install SpyHunter? View other possible causes of installation issues.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.