ZeroTraceClipper — RAM-Only Crypto Clipper | 45s Memory-Live Payload Breakdown

by AstraLoom - 04-20-2025 - 10:04 PM
#1
Disclaimer: This post is for educational and research purposes only. No binaries, loaders, or malware will be shared. This is a breakdown of behavior and implementation logic only.

This post explains how ZeroTraceClipper operates: a simulated RAM-only crypto clipper that executes, swaps clipboard values, and self-wipes from memory in under a minute.
The design focus is clean:
  • No persistence
  • No files dropped
  • No log traces
  • Memory-only execution
  • Wipes itself clean after 1 hit or 45 seconds

1. Clipboard Hooking (stealth method)
Uses SetClipboardViewer() instead of SetWindowsHookEx(), avoiding hook detection. If that fails, it falls back to clipboard polling with GetClipboardData().
  • No UI window
  • No user interaction
  • Low CPU footprint
  • Silent monitoring

2. Regex Wallet Detection
Scans the clipboard buffer with regex patterns like:
  • BTC: 1[a-km-zA-HJ-NP-Z1-9]{25,34}
  • ETH: 0x[a-fA-F0-9]{40}
Wallets are stored in memory (not in plain strings), and matched using lightweight C logic.

3. Instant Replace Mechanism
Once a match is found, it wipes the clipboard and inserts the attacker’s address using OpenClipboard(), EmptyClipboard(), and SetClipboardData().
No pop-up, no feedback. User pastes and doesn’t notice the swap unless manually checking.

4. Self-Wipe After Trigger
If it swaps once, or if 45 seconds pass without a hit, the payload:
  • Clears heap and stack regions
  • Calls VirtualFree()
  • Overwrites stub with junk
  • Executes ExitProcess()
For reflectively loaded builds, RtlSecureZeroMemory() is used to wipe mapped shellcode in memory. No trace left.

5. Optional Shellcode Variant (not included)
Using Donut or sRDI, the .exe can be converted into pure shellcode. This allows injection directly into memory with VirtualAlloc() and CreateRemoteThread() or NtCreateThreadEx().

Still memory-only, still vanishing after one use.

This is not malware. It’s a demonstration of how a clipboard-based attack could be implemented in a fileless way — for defensive research, red team education, and detection bypass analysis only.

AstraLoom

Thinking of turning this into a fully modular RAM-only clipper toolkit for research & red team simulation.
Would include:
  • Builder (custom wallet injection)
  • Shellcode output (for memory-only deployment)
  • Manual self-wipe timer config
  • Optional C2 pingback (encrypted, research-only sandboxed callback)
Not for illegal use — this would be a red team simulation drop to study clipboard hijack TTPs in memory-only malware.
Should I drop it here for the community to test + learn from?
Comment or DM if you're into this kind of low-footprint malware simulation.

AstraLoom
Reply
#2
For those asking how detection works, here’s a lightweight version of the BTC/ETH wallet matcher:
Code:
// DetectCrypto.c (simplified)
#include <stddef.h>
#include <string.h>

// Returns a tag for the detected wallet type, or NULL when the clipboard text matches neither.
const char* DetectCrypto(const char* clip) {
    if (clip == NULL)
        return NULL;
    size_t len = strlen(clip);

    // BTC starts with 1 or 3, length 26–35
    if ((clip[0] == '1' || clip[0] == '3') && len >= 26 && len <= 35)
        return "BTC_HIT";

    // ETH starts with 0x, length exactly 42
    if (len == 42 && strncmp(clip, "0x", 2) == 0)
        return "ETH_HIT";

    return NULL;
}

I built it to run memory-only, no logs, and wipes itself after one hit or 45s.
Might release the reflective shellcode-ready version if there's enough interest.

AstraLoom
Reply
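A defender-side check for the swap behaviour described in section 3 of the first post and the matcher in this post, written as an added example (not the thread's or the author's code): it classifies clipboard text with the thread's BTC/ETH patterns and flags the case where a wallet address is replaced by a different address of the same kind between two clipboard snapshots, which is what a wallet app or endpoint monitor would warn the user about. All addresses and snapshots are constructed, and the function names are my own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum { WALLET_NONE, WALLET_BTC, WALLET_ETH } wallet_kind;

/* Character classes from the thread's patterns: base58 has no 0, O, I or l. */
static bool is_base58(char c) {
    return c && strchr("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz", c);
}
static bool is_hex(char c) { return c && strchr("0123456789abcdefABCDEF", c); }
/* Same acceptance rules as the thread's regexes: 1[base58]{25,34} and 0x[hex]{40}. */
wallet_kind classify_wallet(const char *s) {
    size_t n = strlen(s);
    if (n == 42 && s[0] == '0' && s[1] == 'x') {
        for (size_t i = 2; i < n; i++) if (!is_hex(s[i])) return WALLET_NONE;
        return WALLET_ETH;
    }
    if (n >= 26 && n <= 35 && s[0] == '1') {
        for (size_t i = 1; i < n; i++) if (!is_base58(s[i])) return WALLET_NONE;
        return WALLET_BTC;
    }
    return WALLET_NONE;
}

/* A clipper rewrites an address into a different one of the same kind without a user copy. */
bool looks_like_clipper_swap(const char *copied, const char *current) {
    wallet_kind a = classify_wallet(copied), b = classify_wallet(current);
    return a != WALLET_NONE && a == b && strcmp(copied, current) != 0;
}
/* Counts suspicious transitions across consecutive clipboard snapshots. */
size_t count_clipper_swaps(const char *const *snaps, size_t n) {
    size_t hits = 0;
    for (size_t i = 1; i < n; i++)
        if (looks_like_clipper_swap(snaps[i - 1], snaps[i])) hits++;
    return hits;
}
/* Constructed snapshots (fake addresses): copy, silent swap, then a normal copy. */
const char *const SAMPLE_SNAPS[] = {
    "hello world",
    "1SampBtcAddrAAAAAAAAAAAAAAAAAA",
    "1SwapBtcAddrBBBBBBBBBBBBBBBBBB",
    "0xa1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
};

int main(void) {
    size_t n = sizeof SAMPLE_SNAPS / sizeof SAMPLE_SNAPS[0];
    printf("suspected swaps: %zu\n", count_clipper_swaps(SAMPLE_SNAPS, n)); /* prints 1 */
    return 0;
}
```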
#3
I just dropped a lightweight clipboard sniffer called LiteTraceClip v0.1 in the Hacking Tools & Programs section. It’s a preview of a bigger project I’m building (ZeroTraceClipper): this version just monitors the clipboard for BTC and ETH wallet formats and logs any hits. No payloads, no swap, no C2, just clean detection logic. Perfect for sandbox testing or anyone building out their own clipper module.
Reply
#4
Niiiiiiiiiiiceeeeee
Reply