A threat actor will benefit from combining cryptocurrency theft, covert communications, and remote access into a single malware framework in order to increase stealth and persistence. Microsoft has revealed the existence of a Windows-based clipper campaign active since February 2026. The clipper campaign uses a portable Tor client, Windows Script Host, and ActiveX components to communicate with a hidden command-and-control server.
Besides intercepting and replacing cryptocurrency wallet addresses, the malware also performs continuous clipboard monitoring, captures screenshots, exfiltrates stolen data, and executes remote commands.
A key characteristic of the operation is that it does not utilize traditional installer mechanisms or publicly exposed C2 servers and instead utilizes Tor-routed traffic as a means of concealing its activity and extends its capabilities to lightweight backdoor functions as well as financial theft.
USB-Borne Infection Chain Drives Initial Compromise
Upon further investigation, it was revealed that the operation is characterized by a multi-stage infection chain combining removable media propagation with credential and asset theft.
In Microsoft's opinion, the campaign originated through malicious Windows shortcut (.LNK) files distributed through USB storage devices, enabling the malware to spread without relying on online delivery mechanisms.
An infection after being executed deploys two components: a worm that propagates throughout additional removable drives, and a clipper module designed to obtain information about cryptocurrency seed phrases, private keys, and wallets.
Obfuscation and Persistence Mechanisms Enhance Stealth
As part of its propagation mechanism, the worm exploits the trust of users in familiar file formats. When it scans USB devices for commonly accessed document formats like Microsoft Word, Excel, and PDF, it conceals the original filenames and replaces them with malicious shortcuts named identically.
In addition to increasing user interaction, this strategy masks the infection process by enabling additional payloads to be unpacked into randomly generated directories within the Public Documents path upon execution, and thereafter persistence can be established by scheduling tasks. In order to minimize the possibility of detection, the malware attempts to modify local defenses by creating antivirus exclusions for its staging locations and executable components in order to avoid detection.
According to Microsoft, extensive efforts have been made to obstruct the process of forensic analysis, such as packaging the installer with PyInstaller and obfuscation with PyArmor, and using JavaScript-based modules with layered encryption as well as runtime decryption.
This malware performs an anti-analysis check by searching for Windows Task Manager processes and terminating execution if monitoring is detected, underscoring the operator's emphasis on long-term stealth and evasion.
Tor-Based Communications Power Clipboard Hijacking Operations
Upon clearing the anti-analysis checks and activating the stealer module, the malware enters into a highly automated surveillance phase designed to detect and intercept cryptocurrency-related activity in near real-time. Microsoft observed that a Tor executable named ugate.exe is used by the component to communicate with its hidden command and control infrastructure, enabling all traffic to be routed through anonymized channels as well.
Once the malware has been installed, it periodically checks the system clipboard for a specific set of highly valuable cryptocurrency artifacts, searching for these artifacts every 500 milliseconds. Among these include 12-word and 24-word recovery phrases for Bitcoin, Ethereum private keys, Bitcoin wallet import format keys (WIF), as well as wallet addresses for Tron and Monero in addition to Bitcoin legacy, P2SH, Bech32, and Taproot formats.
Upon detection of an identical entry, the malware silently replaces it with the address of an attacker's wallet.
By carefully selecting substituted addresses to share similar leading characters or numeric patterns with the original destination, the likelihood of detection during visual verification is reduced.
During the final stage of the infection, the malware emphasizes the importance of operating concealment and attacker control.
By launching a renamed Tor executable in the background, the malware is able to identify the compromised host and register it with an external infrastructure without exposing direct network communications to the outside world.
Upon enrollment, the infected system begins a continuous operational cycle, polling the command-and-control environment for instructions while simultaneously inspecting the clipboard contents at approximately half-second intervals to identify cryptocurrency seed phrases, private keys, and wallets.
Also, command responses containing the EVAL directive enable the operators to execute attacker-supplied code in real-time, allowing them to expand functionality or take subsequent actions after a compromise.
The mixture of scripting abuse, removable media propagation, and Tor-based communications indicates Microsoft's recommendation that behavioral detection strategies should be prioritized. These strategies include monitoring PowerShell-driven screen capture activity, suspicious use of WScript and CScript, and script-engine processes spawning unexpected executables, including curl, cmd.exe, PowerShell, or other unexpected executables.
Besides disabling AutoRun and AutoPlay for removable media, Group Policy controls can also be used to restrict the execution of LNK from USB devices, limiting unnecessary access to scripting engines, and monitoring clipboard monitoring and screen capture behavior on systems involving cryptocurrency or other sensitive financial transactions closely.
Remote Code Execution Expands Malware Capabilities
Researchers discovered that the campaign's data collection capabilities go beyond clipboard manipulation. A number of screenshots were taken and transferred to the command-and-control server through the native curl utility, providing operators with continuous insight into the activity of the victims.
Furthermore, it integrates remote code execution functionality, thereby extending the framework's operational scope beyond a conventional cryptocurrency clipper. By using the EVAL command, operators can instruct the malware to retrieve additional JavaScript payloads, save them locally as cfile files, and execute them directly on the compromised host by instructing the malware to do so.
Essentially, this capability allows the infection to become an on-demand access platform that is capable of deploying new functionality after initial compromise. Because the malware is highly obfuscated and continuously evolving, Microsoft noted that behavioral indicators offer a more reliable detection opportunity than static signatures.
There are several indications that security teams should monitor suspicious activity associated with wscript.exe and cscript.exe, unexpected executions of curl, PowerShell, and cmd.exe, as well as anomalous child process chains.
Additionally, connections directed to localhost:9050 and other indications of Tor proxy usage may provide valuable indications that this campaign was compromised.
Microsoft's campaign illustrates how traditional malware techniques can be combined with anonymous infrastructure and scripting-based execution to create threats that are not only difficult to detect but also highly adaptable as cybercriminal operations continue to evolve.
In environments characterized by removable media and digital asset transactions, the findings underscore the importance of monitoring behavioral indicators in conjunction with conventional security controls. In order to identify attacks that prioritize stealth over scale, defenders must continue to have access to unusual script activity, Tor-related communications, and clipboard manipulation.
