Fake microphone app ClearMic hides a password and crypto stealer

A Windows app advertised as a microphone-clarity tool is in fact a remote access trojan that quietly raids the machine it is installed on. The installer, distributed from a site named for the fake product (clearmic[.]net), looks like an ordinary audio utility but bundles a second, hidden program that runs in the background and ships the victim's most sensitive data to a remote server. Analysts who reverse-engineered it describe a textbook information stealer that is built to evade analysis.

Passwords, wallets, and live surveillance

Once running, the trojan goes after saved data from Chromium-based browsers including Chrome and Brave, pulling login credentials, cookies, browsing history, and autofill data across multiple user profiles. It then targets cryptocurrency wallets, with hard-coded paths for Exodus, Atomic Wallet, Electrum, and Coinomi among others. On top of that it logs keystrokes, captures the screen, hijacks the clipboard (a common trick for swapping a copied wallet address for the attacker's own), and records microphone audio, before sending everything to its command-and-control server. Researchers identified that server as zzzvvvzzz[.]com, which was offline at the time of analysis.

Anti-recovery and evasion built in

The malware is packaged with PyInstaller, meaning its logic is written in Python and bundled into a Windows executable; reverse engineers noted that the code appears largely AI-generated. PyInstaller bundles can be unpacked to recover the embedded Python bytecode, which is one reason samples like this are quick to take apart once the anti-analysis checks are sidestepped. A public sandbox analysis of the installer (ClearMicInstaller.msi, SHA-256 adfe8cc0ea1e25845b4dccdf2221a6ae6a770256380022c040e0a71503a1e344) shows it dropping its real payload and registering a startup entry disguised as "Windows Network Manager.exe" so it relaunches on every reboot. More aggressively, it deletes Windows Volume Shadow Copies, the snapshots that System Restore and previous-version file recovery rely on. That is standard ransomware behavior meant to block recovery, is unusual for a pure stealer, and has a forensic cost as well: the snapshots are a source incident responders would otherwise use to recover deleted files. It also checks whether it is running inside a sandbox or analysis environment and suppresses its malicious behavior if it believes it is being watched.
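The indicators above (the installer hash, the distribution and command-and-control domains from the previous section, the disguised startup entry, and the shadow-copy deletion) are easy to turn into a triage check. The following is an added example, not code from the original briefing or from the researchers who analyzed the sample: it scans constructed Sysmon-style event lines for those indicators. The event format, the assumption that the startup entry lives in a Run key or the Startup folder (the briefing does not say which mechanism is used), and the generic vssadmin/wmic deletion patterns are all assumptions of this example.

```python
"""Offline triage of ClearMic indicators over constructed Sysmon-style event lines."""
import hashlib
import re

# Indicators taken from the briefing. Domains are re-armed here only for string matching.
IOC_SHA256 = {
    "adfe8cc0ea1e25845b4dccdf2221a6ae6a770256380022c040e0a71503a1e344": "ClearMicInstaller.msi",
}
IOC_DOMAINS = {"clearmic.net", "zzzvvvzzz.com"}
IOC_PAYLOAD_NAMES = {"windows network manager.exe"}

# Generic shadow-copy deletion commands (not specific to this sample).
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)
# Assumed autostart locations; the briefing only says "a startup entry".
AUTORUN_PATHS = re.compile(
    r"\\CurrentVersion\\Run\\|\\Start Menu\\Programs\\Startup\\", re.IGNORECASE
)
# Dotted host-like tokens, compared against the IoC domain set.
DOMAIN_TOKEN = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9-]+)+", re.IGNORECASE)
HEX_SHA256 = re.compile(r"\b[0-9a-f]{64}\b")


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, for comparing a downloaded installer with the IoC."""
    return hashlib.sha256(data).hexdigest()


def match_hash(hexdigest: str):
    """Return the IoC label if the digest is a known ClearMic artifact, else None."""
    return IOC_SHA256.get(hexdigest.lower())


def scan_event(line: str) -> list:
    """Return the indicator categories a single event line trips (empty list if clean)."""
    hits = []
    lowered = line.lower()
    if SHADOW_DELETE.search(line):
        hits.append("shadow_copy_deletion")
    payload_named = any(name in lowered for name in IOC_PAYLOAD_NAMES)
    if payload_named:
        hits.append("clearmic_payload_name")
        if AUTORUN_PATHS.search(line):
            hits.append("clearmic_persistence")
    for tok in DOMAIN_TOKEN.findall(line):
        if tok.lower() in IOC_DOMAINS:
            hits.append("clearmic_c2_or_distribution:" + tok.lower())
    for digest in HEX_SHA256.findall(lowered):
        if match_hash(digest):
            hits.append("clearmic_installer_hash")
    return hits


def triage(lines) -> list:
    """Run scan_event over an iterable of event lines; returns (line_number, hits) for matches."""
    findings = []
    for n, line in enumerate(lines, start=1):
        hits = scan_event(line)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample events in a simplified Sysmon key=value style (not real telemetry).
SAMPLE_EVENTS = [
    r'EventID=1 ProcessCreate Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=C:\Users\alice\AppData\Roaming\Windows Network Manager.exe',
    r'EventID=13 RegistryValueSet TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinNetMgr Details="C:\Users\alice\AppData\Roaming\Windows Network Manager.exe"',
    r'EventID=22 DnsQuery QueryName=zzzvvvzzz.com Image=C:\Users\alice\AppData\Roaming\Windows Network Manager.exe',
    r'EventID=1 ProcessCreate Image=C:\Windows\System32\msiexec.exe CommandLine="msiexec.exe /i C:\Users\alice\Downloads\ClearMicInstaller.msi" Hashes=SHA256=ADFE8CC0EA1E25845B4DCCDF2221A6AE6A770256380022C040E0A71503A1E344',
    r'EventID=22 DnsQuery QueryName=update.microsoft.com Image=C:\Windows\System32\svchost.exe',
]

if __name__ == "__main__":
    for line_no, hits in triage(SAMPLE_EVENTS):
        print(f"line {line_no}: {', '.join(hits)}")
```

The shadow-copy and autorun patterns are the generic part and will fire on other malware (and on some legitimate admin activity); the hash, domain and file-name matches are the ClearMic-specific part. Treat a shadow-copy deletion launched from a user-profile binary as high priority regardless of whether the other indicators match.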

What to do

Stealers like this are increasingly delivered as fake productivity or media apps rather than obvious cracks or pirated software, the same shift seen with other recent crypto-wallet stealers and commodity infostealer operations. Do not download "ClearMic" or install anything from clearmic[.]net. If the app was already run, treat the device as fully compromised: disconnect it from the network, and from a separate clean device change every saved password, starting with email, financial accounts, and any cryptocurrency services, then move wallet funds to new addresses. Because the stealer takes browser cookies as well as passwords, a password change alone does not lock an attacker out of a session that was already captured: sign out of all active sessions (or revoke them from each service's security settings) and rotate any API keys or tokens that were stored in the browser. Given the persistence entry and the deleted shadow copies, wiping and reinstalling the machine is a safer outcome than trusting a malware scanner to clean it in place. The full behavioral breakdown is available in this public sandbox report.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions