Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February 2026.
“The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 [command-and-control] server,” the Microsoft Defender Security Research Team said in an analysis published Tuesday. “It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution.”
“The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure. Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.”
Clipper malware refers to a type of malicious software that silently monitors a user’s clipboard and intercepts sensitive data pasted into the short-term buffer. It primarily targets cryptocurrency transactions by substituting wallet address strings that match known blockchain address patterns to reroute them to addresses under their control.
The attacks involve distributing a malicious Windows Shortcut (LNK) file via USB storage devices, opening which triggers a worm component that checks is the machine is already infected and only proceeds to fetch the payload from a remote server if it’s not present. A second module deployed is the clipper that harvests and exfiltrates cryptocurrency wallet information.
The LNK payload scans the USB device for common document types like DOC, XLSX, and PDF, and if found, hides them and creates new LNK files with the same file names and containing arguments that line to the worm component. Thus, when an unsuspecting user launches the shortcut thinking they are opening a harmless document, it triggers the execution of the malware.
The worm component, besides ensuring propagation to other uncompromised USB drives, deploys scheduled tasks as a form of persistence for both the worm component and the stealer component. The clipper, for its part, uses WScript and ActiveXObject to interact with the operating system, and exits if Task Manager is among the list of actively running processes to evade detection.
In the final stage, the malware launches a renamed Tor binary in a hidden window, generates a unique victim identifier, and registers it with the external server. Once this step is complete, the malware enters a continuous loop, periodically polling the C2 server for instructions while simultaneously monitoring the clipboard about every 500 milliseconds to extract seed phrases and private keys.
“It also hijacks cryptocurrency addresses by replacing copied wallet values with attacker-controlled alternatives and uploads screenshots through Tor,” Microsoft said. “If the C2 returns an EVAL response, the malware executes…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
