Crypto Clipper uses Tor and worm-like propagation for persistence and control
ID: fbefdb9f-1c5c-57c4-aa42-f73c52a56c61
STIX ID: report--fbefdb9f-1c5c-57c4-aa42-f73c52a56c61
Feed Name: Microsoft Security
Date Published: 2026-06-17
Date Updated: 2026-06-18
Author: Microsoft Defender Security Research Team and Microsoft Defender Experts
Microsoft Threat Intelligence describes a Windows-based crypto-clipper campaign that uses malicious .lnk shortcuts on removable media to deploy a script-based stealer and worm. The clipper monitors the clipboard for BIP39 seed phrases and private keys, performs wallet-address replacement, captures screenshots, and exfiltrates stolen data over a bundled Tor client (localhost:9050) to hidden-service C2s; it also supports remote EVAL-driven code execution and persistence via scheduled tasks. Defenders are advised to prioritize behavioral detections (scripting engines spawning suspicious child processes, localhost SOCKS5 use, clipboard inspection, and PowerShell screen-capture activity) and apply mitigations such as blocking .lnk execution from removable drives and restricting script hosts.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
