Crypto Clipper Malware Uses Tor and USB Worm Spread
Summary
Microsoft has detailed a Windows-based crypto clipper campaign that uses malicious shortcut files, a bundled Tor client, and worm-like USB propagation to steal wallet data and maintain persistence. The threat matters because it combines clipboard theft, screenshot exfiltration, and remote code execution with stealthy Tor-based command and control, making behavioral detection critical for defenders.
Introduction
Microsoft Threat Intelligence has published details on a Windows-based crypto clipper campaign active since February 2026. While crypto clippers are typically associated with wallet address replacement, this threat is more advanced: it uses Tor for hidden command-and-control, spreads through USB devices, and behaves like a lightweight backdoor.
For security teams, this matters because the malware avoids traditional installer patterns and IP-based infrastructure, so behavioral detection and endpoint visibility become essential.
What’s new
Tor-backed command and control
- The malware launches a bundled Tor client, renamed ugate.exe.
- It routes traffic through localhost:9050 using a local SOCKS5 proxy.
- C2 communication happens over .onion services, reducing DNS and destination visibility.
Worm-like USB propagation
- Initial access starts with malicious .lnk shortcut files distributed on USB storage.
- The malware hides legitimate files and replaces them with lookalike shortcut files.
- It creates scheduled tasks to continue spreading to newly inserted USB devices.
Clipper and stealer behavior
- The malware monitors the clipboard about every 500 milliseconds.
- It looks for wallet addresses, BIP39 seed phrases, and private keys.
- It can replace copied cryptocurrency wallet addresses with attacker-controlled values.
- It also captures and uploads screenshots for additional context.
Backdoor capability
- The malware polls its C2 for commands.
- An EVAL instruction allows attacker-supplied JScript code to run at runtime.
- This turns the clipper into a lightweight remote access tool, not just a financial stealer.
Why this matters for defenders
This campaign blends multiple techniques that can bypass simple signature-based controls. The use of Windows Script Host, ActiveX, scheduled tasks, Defender exclusions, and Tor makes it harder to spot through conventional indicators alone.
Microsoft says the strongest signals are behavioral, including:
- Script interpreters spawning unusual child processes
- Use of 127.0.0.1:9050 or localhost SOCKS5 activity
- PowerShell screen-capture behavior
- Clipboard inspection or crypto-address replacement patterns
Microsoft Defender for Endpoint detects related activity such as "Suspicious JavaScript process" and "Possible data exfiltration using Curl". Microsoft Defender Antivirus detects the threat as Trojan:Win32/CryptoBandits.A.
Recommended next steps
- Block or tightly control execution of .lnk files from USB media.
- Monitor for WScript, curl, and Tor-related processes on endpoints.
- Review scheduled tasks and unusual files under C:\Users\Public\Documents.
- Investigate systems showing localhost:9050 traffic or hidden Tor usage.
- Ensure Microsoft Defender protections and endpoint detection rules are up to date.
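The following triage script turns the behavioral signals listed under "Why this matters for defenders" and the review steps above into a single read-only check on a Windows endpoint. It is an added example, not Microsoft's detection content or anything from the campaign write-up; it uses only the port, process name and folder named on this page and reports findings for an analyst rather than changing anything on the host.

```powershell
# Added read-only triage script (not from the original report). It lists
# findings for analyst review and changes nothing on the host. Run elevated.
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Loopback SOCKS5 activity on port 9050, the bundled Tor client's local proxy:
#    a listener on 9050, or any process connected to 127.0.0.1:9050.
Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object {
    ($_.LocalPort -eq 9050 -and $_.State -eq 'Listen') -or
    ($_.RemotePort -eq 9050 -and $_.RemoteAddress -eq '127.0.0.1')
} | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $Findings.Add("Port 9050 ($($_.State)) owned by PID $($_.OwningProcess) $($p.ProcessName)")
}

# 2. Script hosts, curl and Tor processes, each with its parent, to surface the
#    "script interpreter spawning unusual child processes" signal.
$watch = 'wscript', 'cscript', 'curl', 'tor', 'ugate'   # ugate.exe = renamed Tor per the report
Get-CimInstance Win32_Process | Where-Object { ($_.Name -replace '\.exe$', '') -in $watch } |
ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $Findings.Add("$($_.Name) PID $($_.ProcessId) parent=$($parent.Name) cmd=$($_.CommandLine)")
}

# 3. Scheduled tasks whose action launches a script host, curl, the renamed Tor
#    binary or a shortcut file (the persistence and USB-spreading mechanism).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'wscript|cscript|curl|ugate\.exe|\.lnk') {
            $Findings.Add("Task '$($task.TaskPath)$($task.TaskName)' runs: $cmd")
        }
    }
}

# 4. Hidden items and .lnk files under the folder the report names.
$drop = 'C:\Users\Public\Documents'
Get-ChildItem -Path $drop -Recurse -Force -ErrorAction SilentlyContinue |
Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -or $_.Extension -eq '.lnk' } |
ForEach-Object { $Findings.Add("In $drop : $($_.FullName) [$($_.Attributes)]") }

# 5. Defender exclusions, which the report lists among the malware's evasion steps.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($e in @($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension)) {
    if ($e) { $Findings.Add("Defender exclusion: $e") }
}

if ($Findings.Count -eq 0) { 'No indicators from this report found.' } else { $Findings }
```

Any hit is a lead for investigation, not a verdict: legitimate software can listen on 9050 or add exclusions, so correlate the parent process, command line and task action before acting.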
Organizations with users handling cryptocurrency or seed phrases should treat this campaign as a high-priority risk due to its theft, persistence, and remote execution capabilities.