Microsoft has identified a cryptocurrency clipper malware campaign, active since February 2026, that combines USB-based propagation, a Tor-hidden command-and-control infrastructure, and remote code execution capabilities.
The malware steals cryptocurrency seed phrases and private keys while silently replacing wallet addresses copied to the clipboard with attacker-controlled alternatives.
Microsoft found that the threat goes beyond traditional crypto-clippers, functioning as both a cryptocurrency stealer and a lightweight backdoor. By bundling its own Tor client and communicating exclusively through hidden .onion services, the malware conceals its infrastructure while maintaining persistent access to infected devices.
Microsoft said infections begin through malicious Windows shortcut (.lnk) files distributed on USB storage devices. Once executed, the malware installs two components: a worm that spreads to additional removable drives and a clipper module designed to harvest and exfiltrate cryptocurrency-related data.
USB-based propagation
The worm component scans connected USB devices for commonly used documents, including Word, Excel, and PDF files. The original files are hidden and replaced with malicious shortcut files that share the same names, making it difficult for users to distinguish legitimate documents from malware-laced shortcuts.
When victims open one of these shortcuts, the malware deploys additional payloads under randomly named folders in C:\Users\Public\Documents and establishes persistence using scheduled tasks. It also attempts to evade detection by creating antivirus exclusions for its staging directories and execution files.
Researchers noted that all malware components are heavily obfuscated. The installer is packaged using PyInstaller and protected with PyArmor, while the JavaScript-based payloads use multiple layers of encryption and runtime decryption to hinder analysis.
Before activating, the malware performs a simple anti-analysis check by looking for Windows Task Manager processes and terminating itself if one is detected.

Data theft and remote code execution
The clipper component relies on Windows Script Host and ActiveX objects to interact with the operating system. After launching a bundled Tor client named ugate.exe, it waits for the network connection to initialize before registering the infected device with a hidden-service command-and-control server.
The malware then continuously polls its operators for instructions while monitoring clipboard contents approximately every 500 milliseconds. Microsoft observed the malware searching for cryptocurrency seed phrases, Ethereum private keys, Bitcoin Wallet Import Format (WIF) private keys, and wallet addresses.
Captured seed phrases and private keys are transmitted to attackers through Tor-routed communications. The malware also captures screenshots at regular intervals and uploads them to provide additional context about the victim's cryptocurrency activity.
Like many crypto clippers, the malware hijacks transactions by replacing copied wallet addresses with attacker-controlled alternatives. Microsoft found support for multiple cryptocurrency formats, including Bitcoin, Monero, and Tron addresses. To reduce the likelihood of detection, replacement addresses are crafted to partially resemble the originals by matching specific leading or trailing characters.
Researchers also discovered an EVAL command that allows operators to download and execute arbitrary JavaScript code from the command-and-control server. This capability effectively transforms the malware from a simple cryptocurrency stealer into a lightweight backdoor that can execute additional payloads on compromised systems.
Defenders should monitor for suspicious use of WScript, PowerShell-based screen-capture activity, Tor traffic routed through localhost:9050, clipboard-inspection behavior, and unusual curl.exe executions with SOCKS5 proxy parameters.
Organizations are advised to disable AutoRun and AutoPlay on removable media, restrict execution of .lnk files from USB drives where possible, limit unnecessary use of script interpreters such as wscript.exe and cscript.exe, and investigate systems exhibiting local Tor proxy activity.