Essential Insights
- The campaign uses malicious Windows Shortcut (LNK) files via USB to infect systems, triggering malware that exfiltrates cryptocurrency wallet data and hijacks clipboard addresses.
- The malware employs a portable Tor proxy, high-frequency clipboard monitoring, and remote code execution to steal crypto assets and communicate with a hidden command-and-control server.
- Attackers evade detection by avoiding traditional installers, hiding threats from Task Manager, and dynamically executing attacker-supplied code, significantly increasing stealth and persistence.
Threat, Attack Techniques, and Targets
Microsoft reported a Windows-based cryptocurrency clipper campaign active since February 2026. The malware uses USB drives to distribute a malicious Windows Shortcut (LNK) file. When a user opens the shortcut, it triggers a worm component that checks if the device is already infected. If not, it downloads the malware payload from a remote server. The worm then propagates to other USB drives and creates scheduled tasks to maintain persistence.
The malware also includes a clipper that monitors the clipboard about every 500 milliseconds. It looks for cryptocurrency wallet addresses and replaces them with attacker-controlled addresses. The clipper can also exfiltrate screenshots and private keys. The malware hides its main activities by launching a hidden Tor proxy, routing traffic through a local SOCKS5 proxy, and using Windows Script Host (WScript) and ActiveXObjects to interact with the system.
Targets include users dealing with cryptocurrencies, especially those who handle financial transactions on their Windows devices. The attack relies on users opening infected shortcuts trusting their documents. It avoids traditional detection methods by not depending on IP-based command-and-control servers and instead routes traffic through the Tor network.
Impact, Security Implications, and Remediation Guidance
This malware campaign can lead to the theft of cryptocurrency through wallet address substitution and data exfiltration. Additionally, the malware’s use of Tor and its ability to blend with regular system processes make detection difficult. If successful, it can cause financial losses for users and expose sensitive data.
The use of the malware as a backdoor for remote code execution increases security risks. It can also spread to other devices via infected USB drives. Defensive measures should focus on behavioral detection, such as looking for unusual script activity and clipboard monitoring. Disabling AutoRun/AutoPlay and blocking LNK file execution from removable drives are recommended.
To reduce risk, organizations should review clipboard and screen-capture behaviors on machines with financial data. Experts advise obtaining detailed remediation guidance from Microsoft or relevant authorities, as specific steps may vary depending on the environment.
Discover More Technology Insights
Dive deeper into the world of Cryptocurrency and its impact on global finance.
Access comprehensive resources on technology by visiting Wikipedia.
ThreatIntel-V1
