Ravie Lakshmanan | Jun 18, 2026 | Malware / Cryptocurrency
Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February 2026.
"The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 [command-and-control] server," the Microsoft Defender Security Research Team said in an analysis published Tuesday. "It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution."
"The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure. Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor."
Clipper malware refers to a type of malicious software that silently monitors a user's clipboard and intercepts sensitive data placed in that short-term buffer. It primarily targets cryptocurrency transactions: when the copied text matches a known blockchain address pattern, the malware replaces the wallet address with one under the attacker's control, so the funds are rerouted when the victim pastes it.
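Because a clipper swaps one address for another of the same format, the practical defence is to compare the address that was copied with the one that ends up pasted. The following check is an added example written for this article, not code from Microsoft's analysis or from the campaign; the address patterns are simplified and the sample clipboard events are constructed.

```python
import re

# Added example (not from the article or Microsoft's analysis): a defender-side
# check that flags a clipboard swap, i.e. a copied wallet address that comes back
# as a different address. Patterns are simplified versions of common formats.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the address family of `text`, or None if it is not a wallet address."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_swap(copied, pasted):
    """Return a finding dict if a copied wallet address was altered before paste.

    A swap typically keeps the same family (a clipper substitutes like for like),
    but any alteration of a copied address is reported.
    """
    copied, pasted = copied.strip(), pasted.strip()
    family = classify(copied)
    if family is None or copied == pasted:
        return None  # not an address, or the clipboard was left intact
    return {
        "copied_family": family,
        "pasted_family": classify(pasted),
        "expected": copied,
        "got": pasted,
    }


def audit(events):
    """Run detect_swap over (copied, pasted) pairs and return the findings."""
    return [f for copied, pasted in events if (f := detect_swap(copied, pasted))]


# Constructed clipboard events: an intact ETH address, a swapped ETH address,
# an intact bech32 address and ordinary text. None of these are real wallets.
SAMPLE_EVENTS = [
    ("0x" + "a1" * 20, "0x" + "a1" * 20),
    ("0x" + "a1" * 20, "0x" + "b2" * 20),
    ("bc1q" + "q" * 38, "bc1q" + "q" * 38),
    ("meeting notes", "meeting notes"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print("clipboard swap detected:", finding)
```

A wallet application can apply the same comparison at paste time and refuse to submit a transaction when the pasted address differs from what the user copied.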