Full Report
Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February 2026 with clipboard-intercepting malware that spreads on its own and hides its communication behind the Tor anonymity network. "The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2
Analysis Summary
# Tool/Technique: Windows Clipper & USB LNK Worm
## Overview
This is a multi-stage malware campaign targeting cryptocurrency users. It combines worm-like propagation through LNK lures on USB drives with a "clipper" payload. The malware polls the system clipboard and substitutes attacker-controlled wallet addresses for the ones the victim copies, and it routes its Command and Control (C2) traffic over Tor to a hidden service, so it acts as both a stealer and a lightweight backdoor.
## Technical Details
- **Type:** Malware (Clipper / Worm / Backdoor)
- **Platform:** Windows
- **Capabilities:** Clipboard hijacking (wallet-address substitution), self-propagation via USB LNK lures, screenshot capture and exfiltration, operator-supplied script execution on demand (the "EVAL" C2 command), C2 communication via Tor.
- **First Seen:** February 2026 (Reported June 2026)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1091 - Replication Through Removable Media]
- **[TA0002 - Execution]**
- [T1059 - Command and Scripting Interpreter (Windows Script Host; the excerpt does not say whether the script is JScript or VBScript, so no sub-technique is assigned)]
- **[TA0003 - Persistence]**
- [T1053.005 - Scheduled Task/Job: Scheduled Task]
- **[TA0005 - Defense Evasion]**
- [T1564.003 - Hide Artifacts: Hidden Window (renamed Tor client launched in a hidden window)]
- [T1497.001 - Virtualization/Sandbox Evasion: System Checks (exits when Task Manager is running; an anti-analysis check rather than a true sandbox check)]
- **[TA0007 - Discovery]**
- [T1057 - Process Discovery (enumerating running processes to find Task Manager)]
- **[TA0009 - Collection]**
- [T1115 - Clipboard Data]
- [T1113 - Screen Capture]
- **[TA0011 - Command and Control]**
- [T1090.003 - Proxy: Multi-hop Proxy (Tor)]
- [T1573.002 - Encrypted Channel: Asymmetric Cryptography (Tor circuit and link encryption)]
## Functionality
### Core Capabilities
- **USB Worm Propagation:** Enumerates removable drives for documents (PDF, DOC, XLSX), sets the hidden attribute on the originals, and drops LNK files that mimic them (same file names), so that a victim who opens what looks like their own document launches the malware instead.
- **Clipboard Monitoring:** Polls the Windows clipboard every 500 ms; when the content matches a cryptocurrency wallet address, it rewrites it with an attacker-controlled address of the same type, so the victim pastes the attacker's address into the transaction.
- **Tor-Based C2:** Ships a portable Tor client, starts it as a local SOCKS5 proxy, and routes all C2 traffic through it to a hidden service (.onion). The C2 never appears as a public IP address or DNS name, so IP and domain blocklists and DNS monitoring do not see it.
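The clipboard substitution described above can be caught from the defender's side by watching clipboard history for the clipper's signature: an address-shaped value replaced by a different address of the same type within a fraction of a second. The following Python is an added example of such a detector, not code from Microsoft's report or from the malware. The clipboard event list is constructed for the example; the two Bitcoin addresses are publicly known example addresses used only as sample input, and the ETH addresses are made up.

```python
import hashlib
import re

# Address-shape patterns. These only establish that a clipboard value LOOKS like
# a wallet address; the Base58Check test below confirms legacy Bitcoin ones.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),  # P2PKH / P2SH
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),       # bc1q... / bc1p...
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),                 # EVM-style
}
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def classify(value: str):
    """Return the address type a clipboard string matches, or None."""
    value = value.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return kind
    return None


def base58check_ok(address: str) -> bool:
    """Base58Check: decode, then compare the trailing 4 bytes with the first
    4 bytes of SHA256(SHA256(version byte + 20-byte payload))."""
    n = 0
    for ch in address:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(address) - len(address.lstrip("1"))  # each leading '1' is a 0x00 byte
    data = b"\x00" * leading_zeros + raw
    if len(data) != 25:
        return False
    payload, checksum = data[:21], data[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def detect_swaps(events, window_ms=2000):
    """events: (timestamp_ms, clipboard_text) in time order. A clipper that polls
    every 500 ms rewrites the clipboard almost immediately after the user copies
    an address, so flag a same-type, different-value rewrite inside window_ms."""
    alerts = []
    prev = None  # (ts, value, kind) of the last address-shaped clipboard value
    for ts, value in events:
        kind = classify(value)
        if kind and prev is not None:
            pts, pvalue, pkind = prev
            if pkind == kind and pvalue != value and ts - pts <= window_ms:
                alert = {"kind": kind, "from": pvalue, "to": value, "delay_ms": ts - pts}
                if kind == "btc_legacy":  # record whether each side is a well-formed address
                    alert["from_checksum_ok"] = base58check_ok(pvalue)
                    alert["to_checksum_ok"] = base58check_ok(value)
                alerts.append(alert)
        prev = (ts, value, kind) if kind else None  # non-address text resets the context
    return alerts


# Constructed clipboard history (not captured from the campaign). The BTC values
# are public, well-known example addresses; the ETH values are made up.
GENESIS_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
OTHER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
ETH_A = "0x" + "ab" * 20
ETH_B = "0x" + "cd" * 20
SAMPLE_EVENTS = [
    (0,     "invoice #4417 due friday"),
    (1000,  GENESIS_BTC),   # user copies a payee address
    (1480,  OTHER_BTC),     # rewritten 480 ms later: clipper behaviour
    (60000, ETH_A),         # user copies an ETH address
    (95000, ETH_B),         # a different address 35 s later: normal use
    (95500, ETH_B),         # same value re-copied: not a swap
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(alert)
```

On a live host the event stream would come from a clipboard-format listener or from EDR telemetry rather than a list; the Base58Check step is what separates a real legacy Bitcoin address from an arbitrary base58-looking token, which keeps the rule from firing on product keys and similar strings.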
### Advanced Features
- **Evasion Logic:** Exits if Task Manager (taskmgr.exe) is found among running processes. This hinders a user or analyst who opens Task Manager to look for the process, but it is not sandbox detection.
- **Remote Code Execution:** Supports an "EVAL" command from the C2 server: the operator sends script text that the running WSH script evaluates, giving arbitrary code execution in the victim's user context without dropping a new binary.
- **Self-Sufficiency:** Uses Windows Script Host (WScript) and COM objects reached through ActiveXObject for file, process and network operations, so no installer or additional native tooling is needed beyond the bundled Tor client.
## Indicators of Compromise
- **File Hashes:** [Not specifically provided in article text; refer to Microsoft Defender report]
- **File Names:** Renamed Tor binaries (often running in hidden windows), malicious LNK files on USB drives.
- **Registry Keys:** [Not specified in text; check Microsoft Defender analysis for specific keys]
- **Network Indicators:**
- Loopback SOCKS5 traffic from a script host to the bundled Tor client (Tor's default SOCKS port is 9050 and Tor Browser's is 9150, but a bundled copy can listen on any port).
- Outbound TLS connections from a non-browser process to Tor guard/relay addresses or directory authorities.
- Hidden-service (.onion) C2 address: not given in the article excerpt; refer to Microsoft's report.
- **Behavioral Indicators:**
- Creation of scheduled tasks for persistence.
- Frequent clipboard polling.
- Mass modification of files on removable media (hiding original files).
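Because the host-side observable on the C2 path is the script talking to the local SOCKS5 listener, the CONNECT request itself is the useful indicator: Tor clients send the .onion name as a SOCKS5 domain-name destination (ATYP 0x03), so a loopback capture or an EDR network hook can see the hidden-service name even though it never appears in DNS. The following Python is an added example, not code from the report, that parses that request (RFC 1928 format) and flags loopback flows whose destination is a .onion name. The flows, the process paths and the 56-character .onion name are constructed placeholders.

```python
import ipaddress
import re
import struct

ONION_V3 = re.compile(r"^[a-z2-7]{56}\.onion$")  # current (v3) hidden-service names
ONION_V2 = re.compile(r"^[a-z2-7]{16}\.onion$")  # legacy v2, rejected by modern Tor


def parse_socks5_connect(stream: bytes) -> dict:
    """Parse the client->proxy side of a SOCKS5 session (RFC 1928): the method
    greeting followed by the request. Assumes both messages are present in the
    reassembled client-to-proxy byte stream."""
    if len(stream) < 2 or stream[0] != 0x05:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = stream[1]
    req = stream[2 + nmethods:]
    if len(req) < 4 or req[0] != 0x05:
        raise ValueError("missing SOCKS5 request")
    cmd, atyp = req[1], req[3]
    if atyp == 0x01:                                  # IPv4 literal
        host, end = str(ipaddress.IPv4Address(req[4:8])), 8
    elif atyp == 0x03:                                # domain name: how Tor clients pass .onion
        length = req[4]
        host, end = req[5:5 + length].decode("ascii"), 5 + length
    elif atyp == 0x04:                                # IPv6 literal
        host, end = str(ipaddress.IPv6Address(req[4:20])), 20
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    (port,) = struct.unpack(">H", req[end:end + 2])
    host = host.lower()
    return {
        "cmd": cmd,
        "host": host,
        "port": port,
        "is_onion": bool(ONION_V3.match(host) or ONION_V2.match(host)),
    }


def build_connect(host: str, port: int) -> bytes:
    """Build a client stream (no-auth greeting + CONNECT) for the samples below."""
    return (bytes([0x05, 0x01, 0x00])                        # VER, NMETHODS, NO AUTH
            + bytes([0x05, 0x01, 0x00, 0x03, len(host)])     # VER, CONNECT, RSV, ATYP=domain
            + host.encode("ascii") + struct.pack(">H", port))


def flag_local_tor_c2(flows):
    """flows: (process_image, dst_ip, dst_port, client_bytes). Flag flows to a
    loopback SOCKS5 listener whose CONNECT target is a .onion name: the shape of
    traffic a script produces when it talks through a bundled Tor proxy. The
    check keys on loopback, not on port 9050, because a renamed bundle may
    listen anywhere."""
    alerts = []
    for image, dst_ip, dst_port, payload in flows:
        if not ipaddress.ip_address(dst_ip).is_loopback:
            continue
        try:
            req = parse_socks5_connect(payload)
        except ValueError:
            continue  # not SOCKS5, or truncated: nothing to say about it
        if req["cmd"] == 0x01 and req["is_onion"]:
            alerts.append({"process": image, "socks_port": dst_port, **req})
    return alerts


# Constructed flows; the .onion name is a placeholder, not a real service.
PLACEHOLDER_ONION = "a" * 56 + ".onion"
SAMPLE_FLOWS = [
    ("C:\\Windows\\System32\\wscript.exe", "127.0.0.1", 9050, build_connect(PLACEHOLDER_ONION, 80)),
    ("C:\\Program Files\\Browser\\browser.exe", "127.0.0.1", 9050, build_connect("example.com", 443)),
    ("C:\\Windows\\System32\\wscript.exe", "198.51.100.7", 443, b"\x16\x03\x01\x00\x00"),  # TLS, not SOCKS
]

if __name__ == "__main__":
    for alert in flag_local_tor_c2(SAMPLE_FLOWS):
        print(alert)
```

The second flow shows why the .onion check matters: a browser or other legitimate tool may use a local SOCKS proxy for ordinary hostnames, so loopback SOCKS5 alone is too noisy to alert on.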
## Associated Threat Actors
- Currently unattributed (Financially motivated campaign).
## Detection Methods
- **Signature-based:** Detect the bundled Tor binary regardless of its on-disk name (PE original file name, hash, or code-signing metadata) and the malicious LNK templates.
- **Behavioral detection:**
- Monitor for Windows Script Host processes (wscript.exe, cscript.exe) initiating network connections, especially to loopback ports, and for a script host spawning a Tor client.
- Identify script-host or PowerShell-driven screen capture activity; the excerpt does not say which component takes the screenshots, so do not key the rule on PowerShell alone.
- Detect bursts of file hiding and LNK creation on removable storage by a single process.
- **YARA rules:** Target the LNK argument patterns and the ActiveX-driven clipper logic in the script body.
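Turning the behavioral items above into rules, the following Python is an added example (not the report's detection logic) that evaluates Sysmon-style process-creation, network-connection and file-creation events and returns named alerts. The events are constructed; the field names (EventID, Image, OriginalFileName, ParentImage, CommandLine, DestinationIp, DestinationPort, TargetFilename, ProcessId) follow Sysmon's schema, while the set of removable drive letters is an assumed input from a USB-monitoring source, since Sysmon file events do not say whether a volume is removable.

```python
import ipaddress
from collections import defaultdict
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: an inventory or USB-monitoring source supplies the removable drive letters.
REMOVABLE_DRIVES = {"E:", "F:"}
LNK_BURST_COUNT, LNK_BURST_SECONDS = 5, 10


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def evaluate(events):
    """events: Sysmon-style event dicts sorted by Time (seconds).
    Returns a list of (rule_name, detail) tuples."""
    alerts = []
    lnk_times = defaultdict(list)  # (ProcessId, drive) -> recent .lnk creation times
    for ev in events:
        eid, image = ev["EventID"], basename(ev["Image"])
        original = ev.get("OriginalFileName", "").lower()
        if eid == 1:  # process creation
            # Rule 1: a PE whose original file name is tor.exe running under another name.
            if original == "tor.exe" and image != "tor.exe":
                alerts.append(("renamed_tor_binary", ev["Image"]))
            # Rule 2: a script host starting the Tor client (bundled proxy launched by WSH logic).
            if original == "tor.exe" and basename(ev.get("ParentImage", "")) in SCRIPT_HOSTS:
                alerts.append(("script_host_spawns_tor", ev["CommandLine"]))
        elif eid == 3:  # network connection
            # Rule 3: a script host talking to a loopback port (the local SOCKS listener).
            if image in SCRIPT_HOSTS and ipaddress.ip_address(ev["DestinationIp"]).is_loopback:
                alerts.append(("script_host_loopback_connect",
                               f"{ev['Image']} -> {ev['DestinationIp']}:{ev['DestinationPort']}"))
        elif eid == 11:  # file creation
            # Rule 4: one process writing many .lnk files to a removable drive in a short window.
            target = ev["TargetFilename"]
            drive = PureWindowsPath(target).drive.upper()
            if target.lower().endswith(".lnk") and drive in REMOVABLE_DRIVES:
                times = lnk_times[(ev["ProcessId"], drive)]
                times.append(ev["Time"])
                times[:] = [t for t in times if ev["Time"] - t <= LNK_BURST_SECONDS]
                if len(times) == LNK_BURST_COUNT:  # fire once, when the threshold is crossed
                    alerts.append(("usb_lnk_burst",
                                   f"{ev['Image']} wrote {len(times)} .lnk files on {drive}"))
    return alerts


# Constructed events; paths and PIDs are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 1, "Time": 100.0, "ProcessId": 4120,
     "Image": "C:\\Users\\u\\AppData\\Roaming\\svc\\updater.exe",
     "OriginalFileName": "tor.exe", "CommandLine": "updater.exe -f torrc",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe"},
    {"EventID": 3, "Time": 101.0, "ProcessId": 3988,
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 9050},
    {"EventID": 3, "Time": 102.0, "ProcessId": 2210,
     "Image": "C:\\Program Files\\Mail\\mail.exe",
     "DestinationIp": "198.51.100.20", "DestinationPort": 443},
] + [
    {"EventID": 11, "Time": 200.0 + i, "ProcessId": 3988,
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilename": f"E:\\docs\\report{i}.pdf.lnk"}
    for i in range(5)
] + [
    {"EventID": 11, "Time": 300.0, "ProcessId": 5000,
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\u\\Desktop\\Notes.lnk"},  # user shortcut on a fixed disk
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(rule, detail)
```

Two caveats when deploying something like this: Sysmon only logs file creation (Event ID 11) for extensions its configuration includes, so .lnk must be in the include rules; and setting the hidden attribute on the original documents is not a Sysmon event at all, so that half of the worm's behaviour needs a file-system audit policy or an EDR attribute-change event as its source.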
## Mitigation Strategies
- **Removable Media Policy:** Restrict unauthorized USB devices with device control. Disabling AutoRun/AutoPlay remains good hygiene but is not sufficient here: an LNK worm relies on the victim double-clicking a lure that looks like their own document, not on AutoRun.
- **Scripting Restrictions:** Disable Windows Script Host where it is not needed (the REG_DWORD value Enabled set to 0 under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings, or the HKCU equivalent per user), or block wscript.exe and cscript.exe with AppLocker/WDAC, and constrain PowerShell similarly. Because the payload runs in the logged-on user's context, the restriction must apply to standard users, not only administrators.
- **Endpoint Protection:** Use modern EDR/antivirus that prioritizes behavioral analysis (for example, detecting unexpected clipboard modification or a script host spawning a Tor client).
- **Network Filtering:** If Tor is not required for business operations, block outbound connections to known Tor relays, guards and directory authorities using published relay lists. Exit-node lists only matter for traffic arriving from Tor, not for a client leaving the network. Expect evasion through bridges and pluggable transports, so treat the block as a tripwire and alert on attempts rather than relying on it alone.
## Related Tools/Techniques
- **LNK Worms:** USB LNK lures are the same propagation pattern used by Raspberry Robin and Gamarue (Andromeda).
- **Clippers:** Clipper modules are common alongside commodity stealers such as RedLine or Vidar; pairing a clipper with a self-propagation component is less common.