1. Initial Access and Obfuscated Execution
The attack sequence begins when a target downloads a zip file masquerading as legitimate files, such as premium media accounts or corporate resources. Inside this archive is an internet shortcut file designed to look like a simple document or credential list. When executed, the shortcut file runs the system command interpreter utilizing caret symbol obfuscation to bypass basic security monitoring tools. The command script establishes a hidden working directory inside the user application data directory and immediately downloads a secondary VBScript loader from the attacker delivery infrastructure.
2. Environment Preparation and Payload Retrieval
The downloaded loader performs several parallel operations to ensure successful payload execution while minimizing detection risks:
Decoy Deployment: The script drops a decoy text file containing fake credential information and opens it in Notepad, distracting the user while the actual malicious processes run silently in the background.
Runtime Installation: The loader silently downloads and configures a portable Python environment from official repositories. It then installs required third-party libraries including pyperclip, requests, and pyautogui to facilitate clipboard manipulation and remote communications.
Orchestrator Execution: The script fetches and launches the core Python orchestrator script, which coordinates the next phases of the compromise.
3. Multi-Stage Payload Delivery
The primary orchestrator script handles the retrieval of secondary specialized tools. On Windows endpoints, it creates an encoded PowerShell script wrapped inside a temporary VBScript file. This PowerShell module makes remote requests to the primary delivery domain to pull down compressed archives containing the clipboard clipper and the credential harvester modules. On macOS endpoints, the orchestrator establishes persistence by creating a custom launch agent configuration file in the user library directory, ensuring the threat remains active across system reboots.
4. The Clipper and Harvester Modules
Unlike standard ransomware that immediately begins encrypting files, CRPxO prioritizes silent monetization through data theft and transaction hijacking:
Clipboard Clipper: The malware runs a continuous background monitoring routine that scans the system clipboard for copied text. Utilizing precise regular expressions, it identifies cryptocurrency wallet addresses belonging to networks like Bitcoin, Ethereum, and Solana. When a match is detected, the malware contacts the remote command interface and replaces the user's copied address with an attacker-controlled wallet, hijacking subsequent transactions.
Seed Phrase Harvester: The harvester script scans the local hard drives and directories for plaintext wallet recovery seeds, configuration files, and stored keys. The exfiltrated data is zipped and transmitted back to the primary command server via web POST requests, potentially compromising all crypto assets linked to the system.
5. Ransomware Encryption and Double Extortion
Once the initial data theft and clipboard hijacking phases are completed, the operators trigger the encryption sequence. The stager retrieves a dedicated encryption module which utilizes the Fernet cryptographic standard for robust AES file encryption. The unique encryption key generated for each system is transmitted back to the command and control server. The malware appends the specific file extension to all encrypted files while skipping critical operating system directories to prevent complete system crashes. To enforce payment, the malware modifies the system desktop wallpaper and drops highly structured ransom notes written in English, Russian, and Chinese, threatening to publish the exfiltrated corporate files on their public leak sites if the ransom is not paid within the designated timeline.