In a recent disclosure, Microsoft revealed a sophisticated Windows-based malware campaign primarily targeting cryptocurrency users since early 2026. The campaign employs a clipper malware that leverages Windows Script Host and ActiveX to execute a Tor proxy and connect to a hidden command-and-control server.
Understanding the Clipper Malware
Clipper malware monitors the clipboard to intercept sensitive data, with cryptocurrency transactions as its primary target. When a victim copies a wallet address, the malware silently swaps it for an address under the attacker's control, so the funds are sent to the attacker instead of the intended recipient.
The mechanism of this attack involves distributing an infected Windows Shortcut (LNK) file via USB drives. Once opened, the file checks for previous infections and, if absent, downloads additional malicious payloads. This includes a clipper module that exfiltrates cryptocurrency wallet data.
Propagation and Evasion Techniques
The malware includes a worm component that scans USB devices for common document types such as DOC, XLSX, and PDF. It hides the original files and drops LNK files in their place that launch the worm, so the infection spreads when a user opens what appears to be one of their own documents.
The worm also sets up scheduled tasks to maintain persistence across devices. The clipper malware uses WScript and ActiveXObject for system interactions, terminating its operations if it detects Task Manager running, thus avoiding detection.
Advanced Malware Features
Once installed, the malware launches a disguised Tor client, generates a unique identifier for the victim, and registers it with an external server. It then continuously polls the server for commands while monitoring the clipboard for sensitive material such as seed phrases and private keys.
Microsoft warns that the malware replaces copied wallet addresses with those controlled by attackers and can execute code provided by the command server if instructed. This capability allows it to adapt and execute new malicious actions.
Mitigation Strategies
To counter this threat, Microsoft advises prioritizing behavioral detection over static signatures, in particular looking for PowerShell-based screen captures and unexpected script engine activity.
Preventative measures include disabling AutoRun and AutoPlay for removable media, blocking LNK file execution from such drives, and restricting the use of script engines like wscript.exe. Additionally, organizations should monitor clipboard and screen capture activities on systems handling financial data.
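The behavioral checks above, restricting script engines and watching for scripts launched from removable media and scheduled-task persistence, can be expressed as simple triage rules over process-creation telemetry. The following is an added example written for this article, not Microsoft's detection logic: it runs over constructed Sysmon-like JSON events, assumes the collector can supply the set of drive letters that are removable on the host, and treats cscript.exe as a script engine alongside the wscript.exe the article names.

```python
import json
import re

# Script engines to watch; wscript.exe is named in the article, cscript.exe
# (its console twin) is included here as an assumption.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe"}
DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")


def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(event, removable_drives):
    """Return behavioral findings for one process-creation event.
    removable_drives: drive letters (e.g. {"E"}) the host's volume inventory
    reports as removable; assumed to be available to the detection."""
    findings = []
    image = _image_name(event["image"])
    parent = _image_name(event.get("parent_image", ""))
    cmdline = event.get("command_line", "")
    # Rule 1: a script engine run against a script on removable media, the
    # LNK-on-USB entry vector the article describes.
    if image in SCRIPT_ENGINES:
        drives = {m.group(1).upper() for m in DRIVE_RE.finditer(cmdline)}
        if drives & {d.upper() for d in removable_drives}:
            findings.append("script-engine-from-removable-media")
    # Rule 2: a script engine registering a scheduled task (persistence step).
    if image == "schtasks.exe" and parent in SCRIPT_ENGINES and re.search(r"/create\b", cmdline, re.I):
        findings.append("script-engine-creates-scheduled-task")
    # Rule 3: a scheduled task whose action is itself a script engine.
    if image == "schtasks.exe" and re.search(r"/tr\s+\"?[^\"]*\b(wscript|cscript)\.exe", cmdline, re.I):
        findings.append("scheduled-task-runs-script-engine")
    return findings


def triage_log(lines, removable_drives):
    """Parse newline-delimited JSON events; return {event id: findings} for hits only."""
    hits = {}
    for line in lines:
        if line.strip():
            event = json.loads(line)
            found = triage(event, removable_drives)
            if found:
                hits[event["id"]] = found
    return hits


# Constructed sample telemetry in a Sysmon-like shape (not real events).
SAMPLE_LOG = r"""
{"id": 1, "image": "C:\\Windows\\explorer.exe", "parent_image": "C:\\Windows\\System32\\userinit.exe", "command_line": "explorer.exe"}
{"id": 2, "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "wscript.exe E:\\.hidden\\Report.js"}
{"id": 3, "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "command_line": "schtasks.exe /create /tn Updater /tr \"wscript.exe C:\\Users\\Public\\u.js\" /sc onlogon"}
{"id": 4, "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "wscript.exe C:\\Scripts\\inventory.vbs"}
""".splitlines()

if __name__ == "__main__":
    for event_id, found in triage_log(SAMPLE_LOG, {"E"}).items():
        print(event_id, found)
```

Event 4, a script engine run from a fixed drive by the user, produces no finding, which is the point of keying on behavior rather than on the presence of wscript.exe alone.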
As cyber threats continue to evolve, staying informed and implementing robust security practices remain crucial for safeguarding sensitive information.
