CryptoCurrency Clipboard Hijackers works by monitoring the Windows clipboard for cryptocurrency addresses. If one is detected, the malware will swap it out with an address that they control. Unless a user double-checks the address after they paste it, the sent coins will go to an address under the attackers control instead of the intended recipient. This infection was spotted as part of the All-Radio 4.27 Portable malware package that was distributed this week. It runs in the background with no indication that it is even running.
Source: https://www.bleepingcomputer.com/news/security/clipboard-hijacker-malware-monitors-23-million-bitcoin-addresses/