Malware | Jun 18, 2026

Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2

Microsoft details a Windows clipper malware campaign using USB LNK worm and Tor C2.

Summary

Microsoft has detailed a Windows-based cryptocurrency clipper campaign active since February 2026. The malware uses a USB LNK worm to spread, hides documents, and then deploys a clipper that steals cryptocurrency wallet information. It leverages a bundled Tor proxy for C2 communication, enabling high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution.

Full text

Ravie Lakshmanan | Jun 18, 2026 | Malware / Cryptocurrency

Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February 2026.

"The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 [command-and-control] server," the Microsoft Defender Security Research Team said in an analysis published Tuesday. "It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution."

"The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure. Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor."

Clipper malware is a type of malicious software that silently monitors a user's clipboard and intercepts sensitive data placed in the short-term buffer. It primarily targets cryptocurrency transactions: when a copied string matches a known blockchain address pattern, the clipper substitutes a wallet address under the attackers' control so that the funds are rerouted.

The attacks involve distributing a malicious Windows Shortcut (LNK) file via USB storage devices. Opening the shortcut triggers a worm component that checks whether the machine is already infected and only proceeds to fetch the payload from a remote server if it is not. A second module, the clipper, harvests and exfiltrates cryptocurrency wallet information.

The LNK payload scans the USB device for common document types like DOC, XLSX, and PDF. If it finds any, it hides them and creates new LNK files with the same file names, with arguments that point to the worm component.
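The decoy pattern described above (documents hidden, shortcuts created with the same names) is something a defender triaging a suspect removable drive can check for directly. The following script is an added example written for this page, not code from Microsoft's analysis: it walks a drive root, flags every `.lnk` whose stem matches a sibling document, and on Windows also reports whether that document carries the hidden attribute. The function names, the extension list (the article names DOC, XLSX and PDF; the other extensions are this example's assumption) and the fixture files are all constructed here.

```python
"""Triage check for the USB decoy pattern: a shortcut that shadows a document.

Added example, not Microsoft's code. Everything here (function names, the
extension list, the fixture files) is this example's own assumption.
"""
import stat
import tempfile
from pathlib import Path

# Document types the article names (DOC, XLSX, PDF) plus their common
# siblings; the extension list is an assumption, not taken from the report.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}


def is_hidden(path: Path):
    """True/False for the Windows hidden attribute; None where the OS has none."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_decoy_shortcuts(root):
    """Return (stem, document name, shortcut name, document hidden?) for every
    .lnk under `root` that shares its stem with a document in the same folder."""
    findings = []
    for lnk in Path(root).rglob("*.lnk"):
        for sibling in lnk.parent.iterdir():
            if sibling == lnk or sibling.suffix.lower() not in DOC_EXTENSIONS:
                continue
            if sibling.stem.lower() == lnk.stem.lower():
                findings.append((lnk.stem, sibling.name, lnk.name, is_hidden(sibling)))
    return sorted(findings)


def build_fixture():
    """Constructed stand-in for a removable drive; returns its root path.
    Two document/shortcut pairs, one .txt/.lnk pair (not a targeted type),
    and one document without a shortcut."""
    root = Path(tempfile.mkdtemp(prefix="usb_triage_"))
    for name in ("report.docx", "report.lnk", "budget.xlsx", "budget.lnk",
                 "notes.txt", "notes.lnk", "readme.pdf"):
        (root / name).write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    # Point this at the mounted drive root when triaging a real device.
    for stem, doc, lnk, hidden in find_decoy_shortcuts(build_fixture()):
        print(f"decoy pair: {lnk} shadows {doc} (document hidden: {hidden})")
```

On the constructed fixture the check reports `budget.lnk` and `report.lnk`; `notes.lnk` is ignored because `.txt` is not in the document list, and `readme.pdf` has no shortcut beside it. A matching pair is a triage lead, not proof of infection: the shortcut's target and arguments still need to be inspected.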
Thus, when an unsuspecting user launches the shortcut thinking they are opening a harmless document, the malware executes instead. The worm component, besides propagating to other uncompromised USB drives, creates scheduled tasks as persistence for both the worm and the stealer component.

The clipper, for its part, uses WScript and ActiveXObject to interact with the operating system, and exits if Task Manager is among the actively running processes in order to evade detection. In the final stage, the malware launches a renamed Tor binary in a hidden window, generates a unique victim identifier, and registers it with the external server. Once this step is complete, the malware enters a continuous loop, periodically polling the C2 server for instructions while monitoring the clipboard about every 500 milliseconds to extract seed phrases and private keys.

"It also hijacks cryptocurrency addresses by replacing copied wallet values with attacker-controlled alternatives and uploads screenshots through Tor," Microsoft said. "If the C2 returns an EVAL response, the malware executes attacker-supplied code at runtime."

The tech giant has recommended that defenders prioritize behavioral detections over static signatures, specifically looking for PowerShell-based screen capture and for WScript, CScript, or related script engines launching curl, cmd.exe, PowerShell, or unexpected executables. Other mitigations include disabling AutoRun/AutoPlay for all removable media, blocking LNK execution from removable drives via Group Policy Objects (GPOs), restricting unnecessary use of wscript.exe or cscript.exe, and reviewing clipboard-related and screen-capture behaviors on devices that handle sensitive financial workflows.

Indicators of Compromise

  • malware — Windows Clipper
  • malware — USB LNK Worm

Entities

  • Microsoft (vendor)
  • Windows Script Host (technology)
  • ActiveX (technology)
  • Tor (technology)
  • LNK file (technology)
  • cryptocurrency (technology)