Story · arstechnica + bluesky + websearch · 10 events
Tor-Based Clipper Malware Targets Wallet Seed Phrases
USB .lnk malware steals crypto via clipboard hijack, replaces wallet addresses, steals seed phrases, and screenshots. Microsoft Threat Intelligen...
Tor-Based Clipper Malware Targets Wallet Seed Phrases
USB .lnk malware steals crypto via clipboard hijack, replaces wallet addresses, steals seed phrases, and screenshots. Microsoft Threat Intelligence has been tracking a clipboard-stealing malware (Clipper) campaign s…
#hackernews #microsoft #news
USB worm alert: Microsoft found malware that replaces your copied crypto wallet address with an attacker's — 2x/sec clipboard polling, no alert fired, Tor C2. BTC/Monero/Tron all targeted. Push Defend...
USB worm alert: Microsoft found malware that replaces your copied crypto wallet address with an attacker's — 2x/sec clipboard polling, no alert fired, Tor C2. BTC/Monero/Tron all targeted. Push Defender updates and stop trusting clipboard for address entry.
#CryptoSecurity #Blockchain #Malware
Microsoft discovers new lightweight backdoor that steals cryptocurrency
Microsoft discovers new lightweight backdoor that steals cryptocurrency
Crypto Clipper spreads over USB and communicates over Tor.
Tor-Based Clipper Malware Targets Wallet Seed Phrases - Security Affairs
Tor-Based Clipper Malware Targets Wallet Seed Phrases - Security Affairs
Microsoft Threat Intelligence has been tracking a clipboard-stealing malware (Clipper) campaign since February 2026 that targets cryptocurrency wallets. A clipper is a type of malicious software that monitors and manipulates your clipboard, the temporary memory where data is stored when you copy and paste.
It spreads through malicious shortcut files on USB drives, hides its command server inside the Tor network, and can replace wallet addresses in your clipboard before you paste them. The attacker collects the crypto; you collect the confusion.
What makes it harder to spot is that this clipper doesn’t use a traditional installer or expose any real IP addresses. It ships with its own Tor client, routes traffic through a local proxy on port 9050, and resolves everything to .onion domains inside Tor.
“The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 server. It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution.” reads the report published by Microsoft. “The execution …
Microsoft's Crypto Nightmare: New Tor-Powered Windows Clipper Malware ...
Microsoft's Crypto Nightmare: New Tor-Powered Windows Clipper Malware ...
Listen to this Post
🐢
▶️ Listen
🚀
Introduction: A New Generation of Cryptocurrency Theft Emerges
The cybercrime ecosystem has entered a dangerous new phase. Microsoft Threat Intelligence has uncovered a sophisticated Windows-based cryptocurrency clipper campaign that has been actively targeting users since February 2026. Unlike traditional malware that relies on obvious command-and-control servers or visible installation routines, this threat operates through hidden Tor infrastructure, stealthy scripts, and continuous clipboard surveillance.
What makes this malware particularly alarming is its ability to combine cryptocurrency theft, screenshot collection, remote code execution, and worm-like propagation into a lightweight package that can silently spread through USB devices. While many cryptocurrency-focused threats concentrate on stealing wallet files, this campaign attacks users at the exact moment they interact with their digital assets, making it exceptionally effective against both casual investors and experienced cryptocurrency holders.
Microsoft Defender identifies various components of this threat u…
Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2
Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since...
Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2
Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February 2026.
"The clipper in this campaign relies on Windows Scrip…
#hackernews #microsoft #news
Microsoft discovers new lightweight backdoor that steals cryptocurrency ...
Microsoft discovers new lightweight backdoor that steals cryptocurrency ...
Text
settings
Story text
Size
Small
Standard
Large
Width
*
Standard
Wide
Links
Standard
Orange
* Subscribers only
Learn more
Minimize to nav
Microsoft says it has detected new self-propagating malware that spreads through USB drives in search of cryptocurrency credentials, which it then sends to attacker-controlled servers.
The company named the worm Crypto Clipper because it monitors the contents of device clipboards for patterns consistent with wallet addresses or seed phrases. When found, the malware also takes five screenshots over a 10-second period. Both the credentials and the screenshots are then sent to the attacker through Tor, a network protocol that provides anonymous routing by sending traffic through redundant nodes so logs can’t capture both the sending and receiving IP addresses. Crypto Clipper establishes the Tor connection by using a SOCKS5 proxy, a network protocol that sends traffic through a proxy server, which then forwards it to its final destination.
A lightweight backdoor
“The execution of this clipper is notable because it does not depend on a traditional installer or expo…
Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm ...
Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm ...
Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February 2026 with clipboard-intercepting malware with self-spreading capabilities and using the Tor anonymity network to hide communication.
"The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 [command-and-control] server," the Microsoft Defender Security Research Teamsaidin an analysis published Tuesday. "It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution."
"The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure. Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor."
Clipper malwarerefers to a type of malicious software that silently monitors a user's clipboard and intercepts sensitive data pasted into the short-term buffer…
USB worm spreads crypto-stealing malware via Windows shortcut files
Threat actors targeting cryptocurrency wallets have been distributing clipboard-stealing malware with self-spreading capabilities a...
USB worm spreads crypto-stealing malware via Windows shortcut files
Threat actors targeting cryptocurrency wallets have been distributing clipboard-stealing malware with self-spreading capabilities and using the Tor network to conceal communication. [...]
#hackernews #news
Microsoft warns of USB worm-like malware using Tor for stealth
Microsoft warns of USB worm-like malware using Tor for stealth
Microsoft warns of USB worm-like malware using Tor for stealth
June 18, 2026
By
Bill Mann
—
Leave a Comment
X
LinkedIn
Reddit
Facebook
Share
Microsoft has identified a cryptocurrency clipper malware campaign, active since February 2026, that combines USB-based propagation, a Tor-hidden command-and-control infrastructure, and remote code execution capabilities.
The malware steals cryptocurrency seed phrases and private keys while silently replacing wallet addresses copied to the clipboard with attacker-controlled alternatives.
Microsoft found that the threat goes beyond traditional crypto-clippers, functioning as both a cryptocurrency stealer and a lightweight backdoor. By bundling its own Tor client and communicating exclusively through hidden .onion services, the malware conceals its infrastructure while maintaining persistent access to infected devices.
Microsoft said
infections begin through malicious Windows shortcut (.lnk) files distributed on USB storage devices. Once executed, the malware installs two components: a worm that spreads to additional removable drives and a clipper module designed to harvest and exfi…
Corroboration
No verdict, no pronouncement. The model extracts atomic factual claims with verbatim quotes; every quote is validated against the source text and corroboration is computed by counting how many editorially-opposed blocs assert each fact. 5 fabricated/unverifiable quotes were rejected by the cite-or-die gate.
The spine · 10 facts corroborated across ≥2 opposed blocs
2×broadly confirmedThe malware spreads through malicious Windows shortcut (.lnk) files distributed on USB storage devices.
othertech
cyberinsider.com“infections begin through malicious Windows shortcut (.lnk) files distributed on USB storage devices.”
arstechnica“Crypto Clipper spreads over USB and communicates over Tor.”
1×broadly confirmedMicrosoft has detected a cryptocurrency clipper malware campaign active since February 2026.
other
securityaffairs.com“Microsoft Threat Intelligence has been tracking a clipboard-stealing malware (Clipper) campaign since February 2026 that targets cryptocurrency wallets.”
cyberinsider.com“Microsoft has identified a cryptocurrency clipper malware campaign, active since February 2026, that combines USB-based propagation, a Tor-hidden command-and-control infrastructure, and remote code execution capabilities.”
thehackernews.com“Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February 2026 with clipboard-intercepting malware with self-spreading capabilities and using the Tor anonymity network to hide communication.”
undercodenews.com“Microsoft Threat Intelligence has uncovered a sophisticated Windows-based cryptocurrency clipper campaign that has been actively targeting users since February 2026.”
1×broadly confirmedThe malware monitors and manipulates the clipboard to steal cryptocurrency wallet addresses and seed phrases.
other
arstechnica.com“The company named the worm Crypto Clipper because it monitors the contents of device clipboards for patterns consistent with wallet addresses or seed phrases.”
thehackernews.com“It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution.”
undercodenews.com“this campaign attacks users at the exact moment they interact with their digital assets”
1×broadly confirmedThe malware replaces copied wallet addresses with attacker-controlled alternatives.
other
securityaffairs.com“and can replace wallet addresses in your clipboard before you paste them.”
thehackernews.com“It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution.”
cyberinsider.com“The malware steals cryptocurrency seed phrases and private keys while silently replacing wallet addresses copied to the clipboard with attacker-controlled alternatives.”
1×broadly confirmedThe malware communicates with its command-and-control server through the Tor network using hidden .onion services.
other
arstechnica.com“Both the credentials and the screenshots are then sent to the attacker through Tor, a network protocol that provides anonymous routing by sending traffic through redundant nodes so logs can’t capture both the sending and receiving IP addresses.”
thehackernews.com“routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.”
undercodenews.com“this threat operates through hidden Tor infrastructure”
1×broadly confirmedThe malware bundles its own Tor client and uses a local SOCKS5 proxy on port 9050 to route traffic.
other
securityaffairs.com“It ships with its own Tor client, routes traffic through a local proxy on port 9050, and resolves everything to .onion domains inside Tor.”
thehackernews.com“it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy”
1×broadly confirmedThe malware performs screenshot exfiltration.
other
thehackernews.com“It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution.”
undercodenews.com“this campaign attacks users at the exact moment they interact with their digital assets, making it exceptionally effective against both casual investors and experienced cryptocurrency holders. Microsoft Defender identifies various co”
1×broadly confirmedThe malware functions as a lightweight backdoor with remote code execution capabilities.
other
cyberinsider.com“Microsoft found that the threat goes beyond traditional crypto-clippers, functioning as both a cryptocurrency stealer and a lightweight backdoor.”
thehackernews.com“blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.”
1×broadly confirmedThe malware does not depend on a traditional installer or exposed IP-based command-and-control infrastructure.
other
thehackernews.com“The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure.”
securityaffairs.com“What makes it harder to spot is that this clipper doesn’t use a traditional installer or expose any real IP addresses.”
1×broadly confirmedThe malware has self-propagating capabilities.
other
cyberinsider.com“The malware steals cryptocurrency seed phrases and private keys while silently replacing wallet addresses copied to the clipboard with attacker-controlled alternatives. Microsoft found that the threat goes beyond traditional crypto-clippers, functioning as both a cryptocurrency stealer and a lightweight backdoor. By bundling its own Tor client and communicating exclusively through hidden .onion services, the malware conceals its infrastructure while maintaining persistent access to infected devices. Microsoft said infections begin through malicious Windows shortcut (.lnk) files distributed on USB storage devices. Once executed, the malware installs two components: a worm that spreads to additional removable drives and a clipper”
thehackernews.com“Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February 2026 with clipboard-intercepting malware with self-spreading capabilities and using the Tor anonymity network to hide communication.”
Single-source · 2 — reported by one bloc only (uncorroborated)
The malware takes five screenshots over a 10-second period.
arstechnica.com
The malware uses Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 server.
securityaffairs.com
Framing · 3 — loaded language surfaced (spin shown, not adopted)
securityaffairs.com
“The attacker collects the crypto; you collect the confusion.”
→ The malware enables attackers to steal cryptocurrency, leaving victims unaware.
undercodenews.com
“The cybercrime ecosystem has entered a dangerous new phase.”
→ Microsoft describes the malware as part of a new development in cybercrime.
undercodenews.com
“making it exceptionally effective against both casual investors and experienced cryptocurrency holders.”
→ The malware is effective against a broad range of cryptocurrency users.