Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February, deploying clipboard-intercepting malware with self-spreading capabilities through USB shortcut files. The clipper operates by intercepting cryptocurrency wallet addresses stored in the system clipboard and replacing them with attacker-controlled addresses before the user pastes the address into a wallet application or exchange platform, diverting transactions to the attacker’s wallet without the victim’s awareness.
Windows Clipper Clipboard Interception Mechanism
The malware watches the Windows clipboard for text that matches cryptocurrency address patterns. When a user copies a wallet address and then pastes it into a transaction interface, the Clipper malware has already swapped the original address for one controlled by the attacker. The clipboard hijacking works because cryptocurrency addresses are long hexadecimal strings that look alike to the user: a victim copying a Bitcoin or Ethereum address cannot distinguish the legitimate destination from the attacker's address by inspection alone. This makes the attack particularly effective because the transaction completes as if legitimate, and the funds are redirected to the attacker's wallet before the victim realizes the coins went to the wrong address.
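As an added example (not code from Microsoft's report or from the malware), the detection logic a defensive clipboard monitor can run over a timeline of clipboard updates: it flags an address that is replaced by a different address of the same family within a short window, which is the signature of the swap described above. It assumes each update carries a timestamp, the new text and the owning process name; the addresses and process names below are constructed.

```python
import re
from dataclasses import dataclass
# Address-shape heuristics (constructed: shape only, no checksum check, so a hit is a triage signal).
ADDRESS_SHAPES = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify_address(text):
    """Return the address family the clipboard text resembles, or None."""
    stripped = text.strip()
    for family, shape in ADDRESS_SHAPES.items():
        if shape.match(stripped):
            return family
    return None

@dataclass
class ClipEvent:
    ts: float   # seconds since the monitor started
    text: str   # clipboard text after this update
    owner: str  # process that set the clipboard (GetClipboardOwner on Windows)

def detect_swaps(events, window=2.0):
    # A clipper overwrites the address right after the user copies it, so flag
    # two consecutive updates holding different addresses of the same family
    # that land inside `window` seconds of each other.
    alerts, prev = [], None
    for ev in events:
        family = classify_address(ev.text)
        if (prev is not None and family is not None
                and classify_address(prev.text) == family
                and prev.text != ev.text and ev.ts - prev.ts <= window):
            alerts.append({"family": family, "original": prev.text,
                           "replacement": ev.text, "writer": ev.owner})
        prev = ev
    return alerts

# Constructed clipboard timeline; addresses and process names are made up.
USER_BTC, SWAP_BTC = "1UserCopiedAddr" + "x" * 19, "1SwapTargetAddr" + "x" * 19
USER_ETH, SWAP_ETH = "0x" + "a" * 40, "0x" + "b" * 40
SAMPLE_EVENTS = [
    ClipEvent(0.0, "meeting notes", "notepad.exe"),
    ClipEvent(5.0, USER_BTC, "browser.exe"),         # user copies an address
    ClipEvent(5.1, SWAP_BTC, "clipper_sample.exe"),  # overwritten 100 ms later
    ClipEvent(20.0, USER_ETH, "browser.exe"),
    ClipEvent(20.05, SWAP_ETH, "clipper_sample.exe"),
    ClipEvent(40.0, USER_ETH, "browser.exe"),        # user copies a second
    ClipEvent(45.0, SWAP_ETH, "browser.exe"),        # address 5 s later: benign
]
```

Running `detect_swaps(SAMPLE_EVENTS)` yields two alerts, one per swapped family, and nothing for the re-copy at 40 s because it falls outside the window.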
Tor Command-and-Control Infrastructure
The malware uses Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy, routing all command-and-control communications through the Tor anonymity network. This dual-purpose execution model means the clipper not only steals cryptocurrency addresses locally but also receives updated attacker wallet addresses through Tor-encrypted C2 channels, allowing threat actors to rotate destination wallets without changing the malware binary deployed on victim machines. The Tor C2 layer ensures that the attackers cannot be traced back to their actual network location through standard network forensics on the infected system, because all outbound communications appear as Tor traffic originating from the proxy tunnel rather than a direct connection to a command server.
USB LNK Worm Propagation Chain
The Clipper malware spreads beyond its initial infection target through shortcut files on USB media that exploit Windows Shell link (.lnk) file execution. When an infected USB drive or other removable storage device is connected to a victim machine, Windows automatically processes the .lnk shortcut files, which trigger the Clipper payload to execute and install itself on the new system without any user interaction or click. The .lnk mechanism is particularly effective as a propagation vector because the Windows shell automatically evaluates Windows Script Host content embedded in the shortcut files, executing the clipper installer before the user even browses the USB drive's contents.
Worm-Like Self-Duplication Through Removable Media
Once installed on a new machine, the malware duplicates itself into USB shortcut files on any attached removable storage devices, creating an infection chain that propagates from workstation to workstation through physical USB connections. This worm-like spread pattern means a single infected machine in an office environment can seed clipper malware across every workstation connected to shared USB drives, network-attached storage, or portable media, creating enterprise-wide infection cascades that traditional endpoint monitoring may not detect because the initial trigger is a legitimate Windows shortcut file rather than a traditionally malicious payload.
Timeline and Detection Challenges
The campaign has been active since February, establishing a prolonged operational window during which the Clipper malware silently collected cryptocurrency addresses from affected users before Microsoft’s disclosure. The prolonged activity suggests the threat actors operated without significant detection from endpoint protection tools, exploiting the unique nature of clipboard hijacking that does not trigger conventional malware signatures or behavioral alerts.
Anti-Detection Through Legitimate-Looking Malware Design
Clipboard interception does not match the behavioral patterns of traditional malware because the core action — monitoring clipboard content and performing text replacement — is indistinguishable from legitimate clipboard manager software that thousands of Windows applications use daily. The clipper’s dual nature as both cryptocurrency theft tool and filesystem propagator creates a detection gap because the clipboard manipulation looks like normal application behavior while the USB LNK propagation appears as legitimate Windows Shell file processing. Endpoint security teams should monitor for unexpected Windows Script Host execution patterns, unauthorized Tor client processes launched by user applications, and clipboard content that contains cryptocurrency addresses being read by non-wallet applications.
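An added example, not from the report, that turns the monitoring recommendations above into checks over a constructed process-creation log: a script host started with a script on a removable drive, and tor.exe launched by a script host or by any parent outside an assumed allowlist. The allowlist, paths, file names and PIDs are assumptions for illustration.

```python
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
TOR_IMAGES = {"tor.exe"}
# Parents from which a Tor process is expected (constructed allowlist: Tor Browser
# starts its bundled tor.exe from firefox.exe; adjust to the environment).
EXPECTED_TOR_PARENTS = {"firefox.exe"}

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lowercase executable name
    cmdline: str

def _drive(token):
    """'E:\\x.js' -> 'E:', anything without a drive prefix -> ''."""
    return token[:2].upper() if len(token) > 1 and token[1] == ":" else ""

def evaluate(events, removable_drives):
    """Apply the checks to a process-creation log and return (rule, pid) hits."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_image = parent.image if parent else ""
        if e.image in SCRIPT_HOSTS:
            tokens = e.cmdline.replace('"', "").split()
            if any(_drive(t) in removable_drives for t in tokens[1:]):
                hits.append(("wsh_script_from_removable_media", e.pid))
        if e.image in TOR_IMAGES:
            if parent_image in SCRIPT_HOSTS:
                hits.append(("tor_spawned_by_script_host", e.pid))
            elif parent_image not in EXPECTED_TOR_PARENTS:
                hits.append(("tor_from_unexpected_parent", e.pid))
    return hits

# Constructed sample log (paths, file names and PIDs are made up).
SAMPLE_LOG = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", 'wscript.exe //B "E:\\sample\\installer.js"'),
    ProcEvent(300, 200, "tor.exe", 'C:\\Users\\u\\AppData\\Local\\Temp\\t\\tor.exe -f torrc'),
    ProcEvent(400, 100, "firefox.exe", 'C:\\Tor Browser\\Browser\\firefox.exe'),
    ProcEvent(500, 400, "tor.exe", 'C:\\Tor Browser\\Browser\\TorBrowser\\Tor\\tor.exe'),
    ProcEvent(600, 100, "wscript.exe", 'wscript.exe "C:\\Users\\u\\scripts\\logon.js"'),
]

if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_LOG, removable_drives={"E:"}):
        print(f"{rule}: pid {pid}")
```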
