[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNOr3vwapvoezMXz6ZxJvNEQ7CRJDXyvld1_TrSOGB2I":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":26,"created_at":27,"published_at":28,"article":29,"tags":32},"479b0e7d-28f4-471f-b857-1ee21782e143","usb-lnk-worm-deploys-crypto-clipper-via-tor-based-c2","afeabea2-ca31-411f-91dc-cc94227df956","USB LNK Worm Deploys Crypto Clipper via Tor-Based C2","This campaign exploits user interaction with USB devices to spread a LNK-based worm that silently deploys a cryptocurrency clipper, demonstrating how physical media remains a potent initial access vector. The malware substitutes clipboard wallet addresses and exfiltrates screenshots, meaning victims lose funds without obvious indicators of compromise. By routing C2 traffic through a bundled Tor proxy, the attackers effectively evade network-level detection and domain blocklists. This matters because cryptocurrency transactions are irreversible, making prevention and early detection the only meaningful defenses — post-theft recovery is rarely possible.","**Immediate actions:**\n- Disable AutoRun\u002FAutoPlay for all removable media via Group Policy to prevent LNK worm execution on USB insertion.\n- Block or restrict Tor traffic at the network perimeter using firewall rules and DNS filtering to cut off C2 communication.\n- Deploy endpoint detection rules that alert on clipboard-monitoring processes and unexpected screenshot activity.\n\n**Long-term improvements:**\n- Enforce application whitelisting (e.g., via Windows Defender Application Control) to prevent execution of unsigned or unknown binaries dropped by worms.\n- Implement USB device control policies that restrict which removable media can be mounted based on device ID or hardware class.\n- Conduct regular user training on the risks of untrusted USB devices, including simulated USB drop exercises.\n\n**Detection measures:**\n- Monitor and alert on processes that access clipboard APIs at high frequency, particularly those spawned from removable media paths.\n- Establish network baseline monitoring to flag anomalous encrypted outbound connections, especially to known Tor entry nodes.\n- Enable and centralize Windows Event Logs (Process Creation, Network Connections) and feed them into a SIEM for correlation against IOC feeds.",[12,13,14,15,16,17,18,19,20,21,22,23,24,25],"CIS Control 10 – Malware Defenses","CIS Control 13 – Network Monitoring and Defense","CIS Control 6 – Access Control Management (removable media)","NIST SP 800-53 SC-18 – Mobile Code","NIST SP 800-53 SI-3 – Malicious Code Protection","NIST SP 800-53 AU-12 – Audit Record Generation","NIST SP 800-53 SC-7 – Boundary Protection","NIST Cybersecurity Framework DE.CM-1 – Network Monitoring","NIST Cybersecurity Framework PR.AT-1 – User Awareness Training","ISO\u002FIEC 27001 A.8.19 – Installation of Software on Operational Systems","ISO\u002FIEC 27001 A.6.7 – Remote Working (endpoint hygiene)","MITRE ATT&CK T1115 – Clipboard Data","MITRE ATT&CK T1091 – Replication Through Removable Media","MITRE ATT&CK T1090.003 – Proxy: Multi-hop Proxy (Tor)","published","2026-06-18T16:20:42.193525+00:00","2026-06-18T16:20:41.907+00:00",{"id":7,"url":30,"title":31},"https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fmicrosoft-details-windows-clipper.html","Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2",[33,39,45],{"id":34,"name":35,"slug":36,"description":37,"color":38},"1732a005-556e-411c-a9db-5edec3058571","Logging & Monitoring","logging-monitoring","Missing logs, no alerting, blind spots","#a855f7",{"id":40,"name":41,"slug":42,"description":43,"color":44},"7261eb8f-acd4-4d93-a489-7fdd652ec0ea","Security Awareness","security-awareness","Phishing, social engineering, human error","#22c55e",{"id":46,"name":47,"slug":48,"description":49,"color":50},"859cf0ad-a7e9-42bb-a75d-bac6511fa5d5","Configuration Management","configuration-management","Misconfigs, default credentials, exposed services","#eab308"]