Threat actors are offering an International Bank Account Number (IBAN) Clipper malware on an underground forum with a monthly subscription model that is designed to target Windows-based systems.

IBAN Clipper

Cyble discovered IBAN Clipper performing unauthorized swapping operations. 
  • It targets a victim’s clipboard to carry out unauthorized swapping operations by swapping the victim’s data with the attacker's data to perform financial theft.
  • If an IBAN is spotted in the clipboard, the clipper replaces it with the number given by the attacker. It obtains the IBAN details from a text file hosted on the remote server of the attacker.

Technical details

One of the IBAN Clipper samples identified is a 32-bit DotNET-based binary targeting Windows-based systems.
  • Technically speaking, the clipper imports the User32 library and uses AddClipboardFormatListener to monitor changes in the victim's clipboard.
  • IBAN Clipper uses a multithreading way for quick clipper operation and extracts clipboard data to retrieve text data from the clipboard in ASCII Text or UnicodeText format, based on the OS of the target machine.

Persistence tactics

  • The malware looks for an executable path using getexecutingassembly().location technique and copies itself in the Windows startup folder for automatically running whenever the user logs in.
  • Further, the clipper adds two registry values (Microsoft Store and Skype Web) at certain locations to allow the OS to run these clippers automatically whenever the system restarts.


Cybercriminals are now creating more advanced malicious threats to perform financial cybercrime. For example, the use of IBAN Clipper to perform fraudulent financial transactions is apparently an innovative idea along the same lines as the pastejacking malware that perform swapping of crypto addresses. To stay safe, banking customers and general users are suggested to follow some standard recommendations, such as using strong passwords and reliable anti-malware solutions.
Cyware Publisher