Fake Microsoft Office Crypto Scam Contains Malware

Security firm Kaspersky has uncovered a fake Microsoft Office crypto scam. In the scam, the malware takes the form of sophisticated Microsoft Office add-ins.

The attackers uploaded the malicious software to SourceForge, using descriptions copied straight from genuine GitHub projects. It is mostly aimed at people who are searching for Microsoft Office extensions and tools.

Key Takeaways:

  • The ‘officepackage’ scam uses a fake Microsoft Office add-in hosted on trusted platforms like SourceForge. It manipulates users searching for Office extensions through deceptive file sizes and descriptions.
  • The ClipBanker malware changes the contents of the clipboard so that wallet addresses point to the attackers’ wallets instead, allowing the attackers to claim the funds. Users need to verify addresses and add extra security to protect their cryptocurrency.

How the Fake Microsoft Office Crypto Scam Operates

The fake Microsoft Office crypto scam called ‘officepackage’ has a professional-looking interface with listings of office apps, their version numbers, and download buttons. Victims who click these buttons are taken to a ‘page’ that shows them a download link for a password-protected archive.

Security-conscious users will recognize the pattern: malware that floods the screen with alerts, buttons, and fake notifications in order to catch the user's attention. These characteristics raise concerns about its actual intentions.

Kaspersky noted the size of the initial downloads as a red flag: real office applications, even when compressed, should not be that small (at least seven megabytes in the scam case). Some of the downloaded zip files expand to over 700 megabytes.

The files are so large because the attackers employ a ‘pumping technique’, filling the files with rubbish to make them appear more legitimate to incautious users.

The websites hosting the Fake Microsoft Office crypto scam downloads are well indexed by search engines and come up first in search results, which makes this scam especially dangerous. That visibility makes it more likely that the scammers reach users hunting for Microsoft Office add-ons.
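A defender can spot the ‘pumping technique’ before unpacking anything, because a small archive that declares a roughly hundredfold expansion stands out. The following Python sketch is an added example, not code from Kaspersky or from the original article; the thresholds, function names and sample file names are assumptions made for illustration.

```python
import io
import zipfile

# Assumed thresholds for this sketch; tune them for your environment.
MAX_RATIO = 50.0            # declared unpacked size / compressed size
MIN_UNPACKED = 1024 * 1024  # ignore members below 1 MiB unpacked


def inflation_report(archive, max_ratio=MAX_RATIO, min_unpacked=MIN_UNPACKED):
    """Return (name, unpacked_bytes, ratio) for members that inflate suspiciously.

    Sizes are read from the ZIP central directory, so nothing is extracted.
    """
    flagged = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size < min_unpacked:
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio >= max_ratio:
                flagged.append((info.filename, info.file_size, round(ratio, 1)))
    return flagged


def build_sample_archive():
    """Constructed sample: a 4 KiB payload padded with 8 MiB of filler bytes."""
    buf = io.BytesIO()
    padded = bytes(range(256)) * 16 + b"\x00" * (8 * 1024 * 1024)
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample_installer.bin", padded)  # hypothetical file name
        zf.writestr("readme.txt", b"plain text notes\n" * 100)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, size, ratio in inflation_report(build_sample_archive()):
        print(f"{name}: {size} bytes unpacked, {ratio}x inflation")
```

A high ratio only means the content is highly repetitive, so treat a hit as a reason to inspect the file, not as a verdict.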

ClipBanker: The Core of the Fake Microsoft Office Crypto Scam

The fake Microsoft Office crypto scam is based around the malware variant ClipBanker. According to Kaspersky, the ClipBanker malware replaces cryptocurrency wallet addresses in the clipboard with the addresses of the attackers.

This method works especially well because cryptocurrency users tend to copy and paste wallet addresses to avoid making mistakes, which makes them susceptible to this type of attack.

Once a system is infected with the ClipBanker trojan from the Fake Microsoft Office crypto scam, the malware replaces any cryptocurrency wallet addresses that are copied to the clipboard.

When the victim pastes the address in order to complete the transaction, the funds will be transferred to the attacker instead of the recipient. Most users are not used to addressing anything with long strings of random characters, and that is how cryptocurrency addresses look to them.

Aside from crypto theft, the Fake Microsoft Office crypto scam also carries further security risks. Sensitive device information such as IP addresses, geographical locations, and usernames is collected by the malware and then sent to the attackers through Telegram.

Kaspersky therefore warns that the attackers may sell system access to even more dangerous actors, resulting in further attacks and not just cryptocurrency theft.
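The address swap described above leaves a recognizable trace: one address-shaped clipboard value is replaced by a different one of the same kind within a moment of the copy. The detection sketch below is an added example, not code from Kaspersky or from the article; the address patterns, the two-second window and the sample events are assumptions constructed for illustration.

```python
import re

# Common address shapes. Assumption: the article does not say which
# currencies ClipBanker targets, so these three are illustrative.
ADDRESS_PATTERNS = {
    "btc-base58": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return the pattern name if text looks like a wallet address, else None."""
    value = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return kind
    return None


def find_swaps(events, window=2.0):
    """Flag an address replaced by a different address of the same kind.

    events: iterable of (timestamp_seconds, clipboard_text) snapshots.
    Returns a list of (timestamp, kind, original, replacement).
    """
    swaps = []
    prev = None  # (timestamp, kind, value) of the last address seen
    for ts, text in events:
        value = text.strip()
        kind = address_kind(value)
        if kind is None:
            prev = None
            continue
        if prev and prev[1] == kind and prev[2] != value and ts - prev[0] <= window:
            swaps.append((ts, kind, prev[2], value))
        prev = (ts, kind, value)
    return swaps


# Constructed clipboard history; none of these are real wallet addresses.
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (5.0, "0x" + "11" * 20),   # user copies the recipient address
    (5.3, "0x" + "22" * 20),   # different address 0.3 s later: flagged
    (60.0, "1" + "A" * 30),    # user copies another address
    (95.0, "1" + "B" * 30),    # changed 35 s later: outside the window
]
```

Calling `find_swaps(SAMPLE_EVENTS)` reports only the replacement at 5.3 seconds; the later change falls outside the window and is treated as an ordinary second copy.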

Distribution of the Fake Microsoft Office Crypto Scam

The telemetry data Kaspersky has collected suggests that the Fake Microsoft Office crypto scam is mostly aimed at Russian-speaking users. According to their research, 90 percent of the potential victims are in Russia, and 4,604 users were exposed to the scam between January and March 2025.

As further evidence that it targets Russian-speaking victims, the malicious software’s interface is also in Russian.

The Fake Microsoft Office crypto scam distributes its files through a strategy that takes advantage of people’s habit of searching for software from non-official sources.

Kaspersky explained that as users look for ways to download applications outside official sources, attackers offer their own: “They are continuously trying to find new tricks to render their websites as official.”

This is effective because the Fake Microsoft Office crypto scam appears on SourceForge, which is a real platform for hosting software projects. By infiltrating platforms that already exist, the scammers acquire some legitimacy that wouldn’t be possible with entirely fabricated websites.

How To Protect Your System Against the Fake Microsoft Office Crypto Scam

Kaspersky has recommendations for avoiding the Fake Microsoft Office crypto scam and similar threats. When no official channels are available, users have to take extreme caution, since downloading from alternative sources inherently comes with higher security risks.

To keep ClipBanker and other threats from stealing their cryptocurrency, users should adopt further security measures. These include:

  1. Always check the address you paste, especially if you copied it from what appeared to be a legitimate source.
  2. Add additional verification in the form of ‘hardware wallets’ whenever possible.
  3. Install reputable security software that can record and stop clipboard hijacking attempts.
  4. Use two-factor authentication with cryptocurrency exchanges and wallets.
  5. Run regular system scans to detect possible malware infection.

The Fake Microsoft Office crypto scam shows how attackers’ tactics for reaching cryptocurrency holders are evolving. By using legitimate-looking software on trusted platforms such as SourceForge and swapping data through clipboard hijacking, they have created a very simple yet effective way to steal funds.

Conclusion

The fake Microsoft Office crypto scam is just one example of the growing threat landscape targeting cryptocurrency users, and of the risk of downloading software and carrying out cryptocurrency transactions as digital life becomes more dangerous.
