Microsoft Exposes Windows Crypto Clipper Using USB Worm and Tor C2

Microsoft disclosed a Windows crypto clipper campaign, active since February 2026, that swaps wallet addresses on the clipboard to redirect cryptocurrency transfers, spreads through LNK shortcut files planted on USB drives, and hides its command-and-control behind Tor.

    Microsoft disclosed details of an active Windows-based cryptocurrency clipper campaign on June 18, 2026, revealing malware that combines clipboard hijacking with USB-based self-spreading and Tor-hidden command-and-control communications — a combination that has allowed the campaign to propagate since February 2026 without widespread detection.

    What the Malware Does

    The clipper watches the clipboard on infected Windows systems and, whenever the copied text is a cryptocurrency wallet address, replaces it with an attacker-controlled address before the user pastes it into a transaction. Wallet addresses are long strings of seemingly random characters (Base58 or Bech32 for Bitcoin, forty hex digits after 0x for Ethereum) that nobody reads in full; most users check at most the first and last few characters, so a substituted address that keeps the expected prefix and length is nearly impossible to notice during a normal transaction workflow.

    When a victim copies a wallet address and pastes it to initiate a transfer, the malware has already silently replaced the destination with an address controlled by the attacker. The transaction completes — but to the wrong recipient.
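    The substitution and the paste-time check that catches it, as an added Python example (this is not Microsoft's analysis or the malware's code). The address patterns and wallet strings are constructed for illustration: the patterns match only the shape of common address formats and do no checksum validation, and the simulated clipper swaps only within the same address family so the pasted value keeps the prefix and length the victim expects.

```python
import re

# Shape-only patterns for common address formats (no checksum validation).
# A simplification assumed by this example, not a claim about which coins the campaign targets.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),  # Base58, P2PKH / P2SH
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),       # Bech32 segwit
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),                 # 20-byte hex
}


def classify_address(text: str):
    """Return the address family of `text`, or None when it is not an address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


# --- attacker side: what a clipper does on every clipboard update -------------
def clipper_replace(clipboard_text: str, attacker_wallets: dict) -> str:
    """Return what the clipper writes back to the clipboard.

    The swap only happens when the clipboard holds an address *and* the attacker
    owns a wallet of the same family, so the pasted value still looks right.
    Everything else passes through untouched, which is why the infection is quiet.
    """
    kind = classify_address(clipboard_text)
    if kind is None or kind not in attacker_wallets:
        return clipboard_text
    return attacker_wallets[kind]


# --- defender side: a paste-time check a wallet front-end could run -----------
def paste_looks_tampered(copied: str, pasted: str) -> bool:
    """True when copy and paste are both addresses of the same family yet differ.

    A typo or a copy of unrelated text normally changes the family or breaks the
    address shape entirely; same family, different value is the clipper's signature.
    """
    copied_kind, pasted_kind = classify_address(copied), classify_address(pasted)
    return (copied_kind is not None
            and copied_kind == pasted_kind
            and copied.strip() != pasted.strip())


def simulate_session(clipboard_writes, attacker_wallets):
    """Replay clipboard writes through the clipper; report (copied, pasted, flagged)."""
    report = []
    for text in clipboard_writes:
        pasted = clipper_replace(text, attacker_wallets)
        report.append((text, pasted, paste_looks_tampered(text, pasted)))
    return report


# Constructed sample data for this example (not real wallets).
ATTACKER_WALLETS = {
    "btc_legacy": "1Kj4mXw2aZyFvH8tP6rQ9cLd3sBn5Ee7Wg",
    "eth": "0xdeadbeef00112233445566778899aabbccddeeff",
}
VICTIM_BTC = "1Hb9ECXgRr5WRK1bzPFkZQvR9cPZ7JCxyA"
VICTIM_BECH32 = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"   # attacker has no bech32 wallet
VICTIM_ETH = "0xa1b2c3d4e5f60718293a4b5c6d7e8f9001122334"

if __name__ == "__main__":
    writes = [VICTIM_BTC, "invoice #4471", VICTIM_BECH32, VICTIM_ETH]
    for original, pasted, flagged in simulate_session(writes, ATTACKER_WALLETS):
        print(f"{original[:14]:<16} -> {pasted[:14]:<16} swapped={original != pasted} flagged={flagged}")
```

    The defender-side function is the check a wallet front-end, browser extension or paste hook can perform on the user's behalf: compare what was copied with what arrived. The Bech32 entry shows the quiet failure mode, a copied address the attacker cannot match is left alone and produces no signal at all.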

    USB-Based Self-Spreading

    The malware propagates by writing a Windows shortcut file (.lnk) to every USB storage device connected to an infected host. When that drive is later plugged into another Windows machine and the shortcut is opened, the Windows Shell resolves the link and launches the clipper on the new host. Note that current Windows versions do not run anything from removable media on insertion (AutoRun for USB drives has been disabled since 2011), so unless a shell vulnerability is involved the victim still has to open the shortcut. LNK worms commonly get that click by hiding the drive's real folders and files and dropping same-named shortcuts with matching icons in their place, so that opening what looks like a folder runs the payload.

    LNK Shortcut Files Executing via Windows Shell to Propagate the Clipper

    USB-borne LNK propagation is the mechanism Stuxnet made famous, though Stuxnet paired it with a zero-day in how the Windows Shell parsed shortcut icons (CVE-2010-2568) so that merely browsing the drive in Explorer ran the payload; here the same delivery model is applied to a financially motivated campaign against cryptocurrency users. The worm-like model lets the malware spread through shared drives, USB transfers between machines and removable media passed around office environments, including corporate environments where personal USB devices are routinely plugged into workstations. Each newly infected machine becomes a propagation node that silently writes the LNK file to every USB device subsequently connected to it.
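    Triage for shortcuts found on removable media, as an added Python example (not from Microsoft's report): a minimal parser for the .lnk format (the MS-SHLLINK ShellLinkHeader plus the StringData fields; the IDList and LinkInfo structures are skipped by size, not decoded) and heuristics that flag a shortcut whose target is a script or command host, whose arguments name a script file, or which borrows a shell32.dll icon while doing so. The two sample files are produced by the block's own builder; the filenames, paths and the `_\loader.vbs` argument are illustrative, not indicators from this campaign.

```python
import struct

# ShellLinkHeader constants from the .lnk file format (MS-SHLLINK).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
# StringData fields follow the header in this fixed order, each present only if its flag is set.
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH), ("working_dir", HAS_WORKING_DIR),
                 ("arguments", HAS_ARGS), ("icon_location", HAS_ICON))

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe")
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd")


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData of a .lnk; IDList and LinkInfo are skipped by size."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags, target_attrs = struct.unpack_from("<II", data, 20)
    offset = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:                  # IDListSize does not count its own 2 bytes
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize does count its own 4 bytes
        offset += struct.unpack_from("<I", data, offset)[0]
    info = {"flags": flags, "target_attributes": target_attrs}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, offset)[0]   # CountCharacters, no terminator
        offset += 2
        if flags & IS_UNICODE:
            info[field] = data[offset:offset + 2 * count].decode("utf-16-le")
            offset += 2 * count
        else:
            info[field] = data[offset:offset + count].decode("cp1252", errors="replace")
            offset += count
    return info


def triage_lnk(info: dict) -> list:
    """Heuristics for a shortcut that launches code rather than opening a document."""
    target = (info.get("relative_path") or "").lower()
    args = (info.get("arguments") or "").lower()
    icon = (info.get("icon_location") or "").lower()
    findings = []
    if target.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        findings.append("target_is_script_host")
    if any(ext in args for ext in SCRIPT_EXTENSIONS):
        findings.append("arguments_reference_script")
    if "shell32.dll" in icon and findings:    # stock folder/document icon on a launcher
        findings.append("system_icon_disguise")
    return findings


def build_lnk(id_list=None, **strings) -> bytes:
    """Assemble a minimal Unicode .lnk (header, optional IDList, StringData).
    Constructed here only to produce sample input for the parser."""
    flags, body = IS_UNICODE, b""
    if id_list is not None:
        flags |= HAS_ID_LIST
        body += struct.pack("<H", len(id_list)) + id_list
    for field, bit in STRING_FIELDS:
        value = strings.get(field)
        if value is not None:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<II", flags, 0)
              + bytes(24)                                       # three zeroed FILETIMEs
              + struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0))   # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, reserved
    return header + body


# Constructed samples: a benign document shortcut and a worm-style launcher disguised as a folder.
SAMPLES = {
    "notes.txt.lnk": build_lnk(id_list=b"\x00\x00", relative_path=".\\notes.txt"),
    "Photos.lnk": build_lnk(id_list=b"\x00\x00",
                            relative_path="..\\..\\Windows\\System32\\wscript.exe",
                            working_dir=".",
                            arguments='//B //Nologo ".\\_\\loader.vbs"',
                            icon_location="%SystemRoot%\\System32\\shell32.dll"),
}


def scan(samples: dict) -> dict:
    """Map filename -> findings for every shortcut that triggers at least one heuristic."""
    hits = {}
    for name, data in samples.items():
        findings = triage_lnk(parse_lnk(data))
        if findings:
            hits[name] = findings
    return hits


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", ", ".join(findings))
```

    The parser deliberately reads only what the heuristics need. Real shortcuts almost always carry an IDList and LinkInfo, and a worm can put the true target there while leaving the relative path empty, so a production tool would decode the IDList as well; the header and CLSID check is still the first filter for anything with a .lnk extension on a USB drive.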

    Tor-Hidden Command-and-Control

    The malware uses Windows Script Host and ActiveX components to launch a Tor proxy bundled with the infection. All command-and-control traffic is routed through the Tor network, which makes traffic analysis and infrastructure takedown significantly harder: the C2 endpoint exists only as an onion service, so there is no attacker IP address or domain for defenders to block or for a hosting provider to take offline. What remains visible from the victim's side is the connection to Tor itself, which on a corporate workstation is an anomaly worth alerting on.

    Windows Script Host and ActiveX Launching Bundled Tor Proxy for C2 Concealment

    Tor also blunts destination-reputation detection. The victim's outbound connections go to public Tor relays rather than to anything attributable to the attacker, so indicator feeds built around the attacker's infrastructure have nothing to match. The flip side is that the relays are public: networks that block or alert on egress to the published Tor relay list, or that treat a local SOCKS listener such as Tor's default 127.0.0.1:9050 on a workstation as suspicious, will see this traffic, and on the host the Tor binary the malware drops and the script host that launches it are ordinary process-creation telemetry. Bundling the Tor proxy rather than relying on Tor being installed on the target removes a dependency that would otherwise limit the infection's reach and gives the attacker C2 connectivity regardless of the victim environment's configuration.
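    One host-side detection for the launch chain described above, as an added Python example (not Microsoft's detection logic): it scores Sysmon-style process-creation events on two signals that do not depend on knowing the C2 address, a Windows Script Host parent spawning a binary from a user-writable location or a non-system drive, and a command line carrying the Tor daemon's own options (-f, --SocksPort, --ControlPort and so on), which survive renaming tor.exe. The sample events, paths and user names are constructed; a Tor Browser launch is included to show that the daemon options alone are not enough without the script-host lineage.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line options of the Tor daemon itself (real tor options); matched lower-cased.
TOR_OPTIONS = ("-f ", "--defaults-torrc", "--socksport", "--controlport",
               "--datadirectory", "--geoipfile", "--hush", "--quiet")
# Locations a non-admin user (or a script running as one) can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_process(event: dict) -> list:
    """Findings for one process-creation event (Sysmon Event ID 1 style fields)."""
    parent = basename(event["ParentImage"])
    image = event["Image"].lower()
    cmdline = event["CommandLine"].lower()
    findings = []
    if parent in SCRIPT_HOSTS and any(marker in image for marker in USER_WRITABLE):
        findings.append("script_host_spawns_user_writable_binary")
    if parent in SCRIPT_HOSTS and re.match(r"^[d-z]:\\", image):
        findings.append("script_host_spawns_from_non_system_drive")   # e.g. the USB drive itself
    if sum(opt in cmdline for opt in TOR_OPTIONS) >= 2:               # two options: not a stray "-f"
        findings.append("tor_daemon_options")
    return findings


def hunt(events, threshold: int = 2) -> dict:
    """Return {Id: findings} for events reaching the threshold.

    Lineage alone (a script host launching something from %TEMP%) is noisy and
    Tor options alone describe every Tor Browser user; the combination is the
    campaign's launch chain.
    """
    hits = {}
    for event in events:
        findings = triage_process(event)
        if len(findings) >= threshold:
            hits[event["Id"]] = findings
    return hits


# Constructed sample telemetry for this example, not from a real incident.
EVENTS = [
    {"Id": 1, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svc\tor.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\svc\tor.exe" -f "C:\Users\alice\AppData\Local\Temp\svc\torrc" --SocksPort 9050 --quiet'},
    {"Id": 2, "ParentImage": r"C:\Users\bob\Desktop\Tor Browser\Browser\firefox.exe",
     "Image": r"C:\Users\bob\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe",
     "CommandLine": r'"C:\Users\bob\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" -f "C:\Users\bob\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" --defaults-torrc "C:\Users\bob\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults"'},
    {"Id": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\carol\notes.txt"},
    {"Id": 4, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir"},
    {"Id": 5, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"E:\_\svc.exe",
     "CommandLine": r"E:\_\svc.exe"},
]

if __name__ == "__main__":
    for event_id, findings in hunt(EVENTS).items():
        print(f"event {event_id}: {', '.join(findings)}")
```

    Event 5 is the kind of single-signal hit a hunt should keep as low confidence rather than discard: a script host launching an executable from a removable drive is exactly what the USB stage of this campaign looks like before the Tor stage starts.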

    Campaign Timeline

    Microsoft dates the active campaign to February 2026, so the malware had been circulating for roughly four months by the time of the June disclosure. That gap is consistent with the malware's design: clipboard access is ordinary application behavior (any program can register a clipboard listener or poll its contents), so interception does not by itself look malicious to most security tools, and routing C2 over Tor sidesteps reputation-based blocking of attacker infrastructure.

    Impact and Takeaway

    Cryptocurrency users on Windows face an elevated risk of clipboard-based address substitution, particularly where USB drives move between machines. Anyone sending funds should compare the full destination address character by character after pasting, not just its first and last few characters, and should confirm it on the hardware wallet's display where one is in use, since the device shows the address the transaction will actually sign rather than what the clipboard held. A pasted address that differs from the copied one is a strong indication of an infected host, not a typo. Organizations with policies against personal cryptocurrency activity on corporate devices should enforce those controls, and because infected USB drives brought in from home are a propagation vector into corporate networks, removable-media restrictions, showing file extensions and hidden items in Explorer, and blocking Tor egress from workstations all reduce the surface this campaign relies on.
