VYPR
research · Published Jun 17, 2026 · Updated Jun 18, 2026 · 1 source

Crypto Clipper Uses Tor and Worm-Like Propagation for Persistence and Control

Microsoft warns of a Windows-based cryptocurrency clipper active since February 2026 that uses Tor and worm-like propagation for persistence.

Microsoft Threat Intelligence has identified a Windows-based cryptocurrency clipper that has been active since February 2026. The malware, tracked as Trojan:Win32/CryptoBandits.A, uses a portable Tor client to communicate with a hidden-service command-and-control (C2) server, making it difficult to track. It also employs worm-like propagation via USB drives to spread across devices.

The attack chain begins with malicious shortcut (.lnk) files distributed on USB storage devices. When a user clicks the shortcut, it stages a worm component that scans for common document files, hides the originals, and creates additional malicious shortcuts. These shortcuts execute a payload that deploys two JavaScript files for the clipper/stealer component. The malware uses Windows Script Host and ActiveXObject to interact with the operating system.

Once executed, the clipper performs high-frequency clipboard monitoring every 500 milliseconds, extracting seed phrases, private keys, and cryptocurrency addresses. It also hijacks wallet addresses by replacing copied values with attacker-controlled ones. Additionally, the malware captures screenshots and exfiltrates them via Tor. The C2 can also send EVAL responses to execute arbitrary code on the infected machine.

For persistence, the worm component creates two scheduled tasks: one for spreading to USB drives and another for the stealer activity. The malware employs multi-layered obfuscation, with all components encrypted and decrypted at runtime. It also includes an anti-analysis check that terminates execution if Task Manager is detected.

Microsoft Defender for Endpoint detects suspicious behaviors such as script interpreters spawning child processes, localhost:9050 proxy usage, and clipboard inspection. Microsoft Defender Antivirus detects the malware as Trojan:Win32/CryptoBandits.A. Users are advised to avoid using unknown USB drives and to keep security software updated.
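As an added example (not Microsoft's or Vypr's code) of how two of those behaviours, plus the scheduled-task persistence described above, could be checked in endpoint telemetry, the script below runs simple rules over constructed JSON-lines events; the event schema, field names and sample paths are assumptions.

```python
import json
# Added example (not Microsoft's or Vypr's code); the JSON-lines schema and field names are assumptions.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host interpreters
TOR_SOCKS_PORT = 9050                           # Tor's default SOCKS port (named in the article)
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def check_event(ev: dict) -> list[str]:
    """Return the detection labels one telemetry event triggers (empty list if none)."""
    hits, kind = [], ev.get("type")
    # 1. wscript/cscript launching another process (script host spawning a child)
    if kind == "process_create" and _basename(ev.get("parent_image", "")) in SCRIPT_HOSTS:
        hits.append("script_host_spawned_child")
    # 2. a connection to a Tor SOCKS proxy listening on localhost:9050
    if kind == "network_connect" and ev.get("dest_ip") in LOOPBACK and ev.get("dest_port") == TOR_SOCKS_PORT:
        hits.append("localhost_tor_socks_proxy")
    # 3. a scheduled task whose action is a script host (assumed from the WSH components persisted via scheduled tasks)
    if kind == "scheduled_task_create" and _basename(ev.get("task_action", "")) in SCRIPT_HOSTS:
        hits.append("scheduled_task_runs_script_host")
    return hits

def scan(jsonl: str) -> list[tuple[int, list[str]]]:
    """Scan JSON-lines telemetry; return (line_number, labels) for each event that hits."""
    findings = []
    for n, line in enumerate(jsonl.splitlines(), 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed record: skip it rather than abort the scan
        if not isinstance(ev, dict):
            continue
        labels = check_event(ev)
        if labels:
            findings.append((n, labels))
    return findings

# Constructed sample telemetry: three suspicious events followed by one benign one.
SAMPLE = r"""
{"type":"process_create","parent_image":"C:\\Windows\\System32\\wscript.exe","image":"C:\\Users\\u\\AppData\\Roaming\\tor\\tor.exe"}
{"type":"network_connect","image":"C:\\Windows\\System32\\wscript.exe","dest_ip":"127.0.0.1","dest_port":9050}
{"type":"scheduled_task_create","image":"C:\\Windows\\System32\\schtasks.exe","task_action":"C:\\Windows\\System32\\wscript.exe"}
{"type":"process_create","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe"}
"""

if __name__ == "__main__":
    for n, labels in scan(SAMPLE):
        print(f"line {n}: {', '.join(labels)}")
```

Each rule on its own is noisy on a real fleet (legitimate scripts spawn children and Tor has benign uses), so in practice these labels would be correlated per host rather than alerted on individually.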

Synthesized by Vypr AI