Ethical Hacking News
Tor-Based Clipper Malware Targets Wallet Seed Phrases and Steals Crypto via Clipboard Hijack. The attackers use the Tor network to remain anonymous and avoid detection, making it difficult for users to detect the malware.
Malware campaign "Clipper" targets cryptocurrency wallets, stealing seed phrases and private keys. The attackers use the Tor network to remain anonymous and avoid detection. The malware spreads through malicious shortcut files on USB drives and hides its command server inside the Tor network. The attackers collect cryptocurrency via clipboard hijack, replacing wallet addresses with attacker-controlled ones. The malware takes screenshots every ten seconds to send to the attacker, giving them a live view of the victim's wallet activity. Microsoft recommends monitoring wscript.exe and cscript.exe activity, blocking .lnk execution from removable drives, and keeping an eye out for suspicious script interpreters.
The world of cybersecurity is constantly evolving, with new threats emerging every day. Recently, a malware campaign known as "Clipper" has been spotted, targeting cryptocurrency wallets and stealing sensitive information such as seed phrases and private keys. The attackers are using the Tor network to remain anonymous and avoid detection.
According to Microsoft Threat Intelligence, the Clipper malware spreads through malicious shortcut files on USB drives, hides its command server inside the Tor network, and can replace wallet addresses in the victim's clipboard before they paste them. This makes it difficult for users to detect the malware, as it does not use a traditional installer or expose any real IP addresses.
The attackers collect cryptocurrency via clipboard hijack, replacing wallet addresses with attacker-controlled ones that partially resemble the originals. The Clipper also takes five screenshots every ten seconds and sends them over Tor, giving the attacker a live view of what the victim is doing with their wallet. Additionally, the malware has remote code execution capabilities, allowing it to download JavaScript payloads and run them.
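The substitution described above works because the attacker-supplied address keeps the first and last few characters of the original, which is all most people check. The following is an added example (not code from the article or from Microsoft's report) of the kind of paste-time check a wallet front end or user-side helper can make: it remembers the address the user deliberately copied, compares it with the clipboard contents when the transaction is about to be submitted, and reports whether a mismatch has the lookalike shape. The addresses and the `edge` threshold of 4 are constructed for the example.

```python
"""Spotting a swapped wallet address at paste time.

Added example, not from the article or from Microsoft's report. A wallet UI
or user-side helper records the address the user deliberately copied and,
just before a transaction is submitted, compares it with what the clipboard
now holds. Clipper-style malware replaces the address with one that keeps
the original's leading and trailing characters, so the check also reports
that lookalike pattern, which a glance at either end of the string misses.
The addresses below are constructed, not real wallets.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AddressCheck:
    tampered: bool       # clipboard no longer holds what the user copied
    lookalike: bool      # substitute keeps the original's leading and trailing characters
    shared_prefix: int   # number of matching leading characters
    shared_suffix: int   # number of matching trailing characters


def _common_prefix_len(a: str, b: str) -> int:
    """Length of the longest common prefix of two strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def check_clipboard_address(copied: str, pasted: str, edge: int = 4) -> AddressCheck:
    """Compare the address the user copied with the one about to be pasted.

    `edge` is how many matching characters at each end make a mismatch count
    as a lookalike; 4 is an assumption chosen for this example.
    """
    if copied == pasted:
        return AddressCheck(False, False, len(copied), len(copied))
    prefix = _common_prefix_len(copied, pasted)
    # Count trailing matches only over the part not already counted as prefix,
    # so a near-identical pair is not double counted.
    limit = min(len(copied), len(pasted)) - prefix
    suffix = min(_common_prefix_len(copied[::-1], pasted[::-1]), limit)
    return AddressCheck(True, prefix >= edge and suffix >= edge, prefix, suffix)


# Constructed sample values: what the user copied, a lookalike substitute that
# keeps the first four and last four hex digits, and an unrelated address.
COPIED = "0x1a2b3c4d5e6f7081920a1b2c3d4e5f60718293a4"
LOOKALIKE = "0x1a2b" + "0" * 32 + "93a4"
UNRELATED = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"


if __name__ == "__main__":
    for label, pasted in (("same", COPIED), ("lookalike", LOOKALIKE), ("unrelated", UNRELATED)):
        print(label, check_clipboard_address(COPIED, pasted))
```

The check deliberately flags any mismatch as tampering and treats the lookalike case as a stronger signal worth surfacing to the user with both addresses side by side; comparing only the ends of the string, which is what the substitute is designed to survive, is exactly the habit this check replaces.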
Microsoft researchers have identified several characteristics of the Clipper malware that make it difficult to detect. These include:
* The use of Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 server.
* The deployment of a portable Tor client that routes traffic through a local SOCKS5 proxy and blends data theft with remote code execution.
* Encrypted malware components that are decrypted only at runtime, wrapped in PyArmor-obfuscated Python and packaged with PyInstaller.
To detect and prevent the Clipper malware, Microsoft recommends monitoring wscript.exe and cscript.exe activity and blocking .lnk execution from removable drives via Group Policy. Users handling sensitive financial workflows should also keep an eye out for script interpreters spawning suspicious child processes, localhost:9050 proxy usage, screen-capture commands in PowerShell, and signs of clipboard inspection or crypto-address replacement.
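The indicators listed above map directly onto hunting rules over endpoint telemetry. The block below is an added example, not code from the article or from Microsoft's guidance: it runs five rules (script host spawning a child, script host started from removable media, a loopback connection to port 9050, PowerShell screen-capture calls, and clipboard access from a command line) over constructed Sysmon-style process-creation and network-connection events. The event field names, the `REMOVABLE_DRIVES` set, the keyword lists and the sample events are assumptions made for the example and need mapping onto your own telemetry schema.

```python
"""Hunting rules for the host-level indicators listed in the article.

Added example, not from the article or from Microsoft's guidance. The rules
run over constructed Sysmon-style events (dictionaries for process creation
and network connections). Field names, REMOVABLE_DRIVES, the keyword lists
and the sample events are assumptions made for this example.
"""
import ipaddress
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
TOR_SOCKS_PORT = 9050
REMOVABLE_DRIVES = {"E:"}  # constructed: drive letters the host reports as removable
# .NET calls and cmdlets that take a screenshot or touch the clipboard from PowerShell
SCREEN_CAPTURE_MARKERS = ("copyfromscreen", "system.drawing.bitmap")
CLIPBOARD_MARKERS = ("get-clipboard", "set-clipboard", "windows.forms.clipboard")


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rule_script_host_spawned_child(ev):
    """wscript.exe or cscript.exe is the parent of a new process."""
    return ev["type"] == "process_create" and _basename(ev["parent_image"]) in SCRIPT_HOSTS


def rule_script_host_from_removable_drive(ev):
    """A script host started with its working directory on removable media."""
    if ev["type"] != "process_create" or _basename(ev["image"]) not in SCRIPT_HOSTS:
        return False
    return PureWindowsPath(ev["current_directory"]).drive.upper() in REMOVABLE_DRIVES


def rule_local_tor_socks_proxy(ev):
    """Any process connecting to the loopback SOCKS port a bundled Tor client listens on."""
    return (ev["type"] == "network_connect"
            and ipaddress.ip_address(ev["dest_ip"]).is_loopback
            and ev["dest_port"] == TOR_SOCKS_PORT)


def rule_powershell_screen_capture(ev):
    """PowerShell command line that draws the screen into a bitmap."""
    if ev["type"] != "process_create" or _basename(ev["image"]) not in POWERSHELL:
        return False
    cmd = ev["command_line"].lower()
    return any(marker in cmd for marker in SCREEN_CAPTURE_MARKERS)


def rule_clipboard_access(ev):
    """Any command line that reads or writes the clipboard."""
    if ev["type"] != "process_create":
        return False
    cmd = ev["command_line"].lower()
    return any(marker in cmd for marker in CLIPBOARD_MARKERS)


RULES = {
    "script_host_spawned_child": rule_script_host_spawned_child,
    "script_host_from_removable_drive": rule_script_host_from_removable_drive,
    "local_tor_socks_proxy": rule_local_tor_socks_proxy,
    "powershell_screen_capture": rule_powershell_screen_capture,
    "clipboard_access": rule_clipboard_access,
}


def detect(events):
    """Return {event_id: sorted rule names} for every event that trips a rule."""
    hits = {}
    for ev in events:
        names = sorted(name for name, rule in RULES.items() if rule(ev))
        if names:
            hits[ev["id"]] = names
    return hits


# Constructed sample telemetry, in the order the article's chain would produce it.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //B E:\docs\update.js", "current_directory": r"E:\docs"},
    {"id": 2, "type": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\tor.exe",
     "command_line": "tor.exe -f torrc", "current_directory": r"C:\Users\victim\AppData\Local\Temp"},
    {"id": 3, "type": "network_connect", "image": r"C:\Windows\System32\wscript.exe",
     "dest_ip": "127.0.0.1", "dest_port": 9050},
    {"id": 4, "type": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": ("powershell.exe -w hidden -c Add-Type -AssemblyName System.Drawing; "
                      "$b = New-Object System.Drawing.Bitmap 1920,1080; "
                      "[System.Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size)"),
     "current_directory": r"C:\Users\victim"},
    {"id": 5, "type": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Clipboard",
     "current_directory": r"C:\Users\victim"},
    {"id": 6, "type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe",
     "current_directory": r"C:\Users\victim"},
    {"id": 7, "type": "network_connect", "image": r"C:\Program Files\Browser\browser.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
]


if __name__ == "__main__":
    for event_id, names in detect(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(names))
```

Each rule is weak on its own (developers run cscript, some people run Tor Browser, admins use Get-Clipboard), so the value is in the chain: a script host from removable media, then that host spawning a Tor client and PowerShell, then loopback traffic to 9050. Correlating hits by process tree over a short window, rather than alerting on single rules, is what keeps this usable; the Group Policy block on .lnk execution from removable drives that Microsoft recommends removes the first link before any of these rules need to fire.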
The Clipper malware highlights the importance of staying vigilant in today's digital landscape. As cyber threats continue to evolve, it is crucial for individuals and organizations to stay informed and take proactive measures to protect themselves from emerging risks.
Related Information:
https://www.ethicalhackingnews.com/articles/Tor-Based-Clipper-Malware-Targets-Wallet-Seed-Phrases-and-Steals-Crypto-via-Clipboard-Hijack-ehn.shtml
https://securityaffairs.com/193860/uncategorized/tor-based-clipper-malware-targets-wallet-seed-phrases.html
Published: Thu Jun 18 15:22:23 2026 by llama3.2 3B Q4_K_M