June 18, 2026 ChainGPT

Microsoft Warns: Crypto Clipper Now a Worm-Like Tor Backdoor That Steals Wallet Keys

Microsoft: the crypto "clipper" now behaves like a backdoor, worming, exfiltrating and hiding its traffic over Tor

Microsoft Threat Intelligence says a Windows-based crypto clipper campaign active since February 2026 has evolved into a more dangerous, multi-purpose threat. Tracked as Trojan:Win32/CryptoBandits.A by Microsoft Defender Antivirus, the malware still performs the familiar clipboard theft and wallet-address replacement, but it now also spreads like a worm, persists across reboots, hides its communications over Tor and can act as a lightweight backdoor.

How the attack works

- Initial infection: The campaign begins with malicious .lnk shortcut files that can arrive on systems via USB drives. When a shortcut is executed, it launches a worm component that creates further malicious shortcuts, named after legitimate files on the device, in order to propagate.
- Persistence: The malware registers scheduled tasks so it survives reboots and keeps running, extending the attackers' window to monitor and control infected machines.
- Lightweight tooling: Rather than a heavy installer, the threat relies on script-based tools and small utility components, which makes simple file-based (hash or signature) detection less effective.

Evasion and C2

The clipper deploys a portable Tor client and routes its traffic through that client's local SOCKS5 proxy (localhost:9050). Command-and-control servers are reached as .onion addresses. Those names are resolved inside the Tor network rather than through the host's DNS resolver, so DNS logging and DNS-based blocking never see them, and the real server address is never exposed to the endpoint, which complicates both blocking and detection.

What it steals and does

- Clipboard monitoring: The malware polls the clipboard roughly every 500 milliseconds, looking for wallet addresses, seed phrases and private keys. It swaps a copied wallet address for an attacker-controlled one; if it finds seed phrases or private keys, it exfiltrates them over Tor.
- Expanded capabilities: Beyond clipboard theft and address swapping, Microsoft found the malware can upload screenshots, contact hidden command servers and accept EVAL commands that execute attacker-supplied code, effectively turning a simple stealer into a functional backdoor.

Detection guidance from Microsoft

Microsoft recommends that defenders look for correlated behaviors rather than isolated events. Specific indicators to monitor include:

- Script engines (for example wscript.exe or cscript.exe) launching curl, cmd.exe or PowerShell, or other unusual child processes.
- Unexpected files created under legitimate filenames (the malicious shortcuts).
- Scheduled tasks tied to unusual scripts or binaries.
- Traffic to localhost:9050 or connections to .onion domains.

Context in the wider threat landscape

This campaign follows a string of crypto-targeting malware developments. Microsoft's advisory echoes earlier reports: StilachiRAT targeted wallets and clipboard activity, SparkCat used image scanning to find seed phrases in screenshots, and Binance has warned about clippers that replace copied wallet addresses. Microsoft's new findings show that clippers are no longer just opportunistic address swappers: attackers are layering propagation, stealthy communications, credential exfiltration and remote code execution to maintain access and maximize financial gain.

Takeaway for crypto users and defenders

Clipboard swapping remains a serious risk, but this campaign shows the stakes have increased: infected machines can be used to steal keys, capture screens, maintain persistence and accept remote commands. Teams should hunt for the behavioral indicators above, restrict the use of untrusted USB devices, and make sure endpoint protections look for these correlated behaviors and Tor-based traffic patterns. A simple habit for users: after pasting a wallet address, compare its first and last several characters against the intended address before sending, since a clipper's swap is otherwise invisible.
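Microsoft's guidance above stresses correlation rather than single indicators. As an added example (not code from Microsoft, the advisory, or the ChainGPT page), the following Python script classifies simplified endpoint telemetry against the four indicator classes listed and raises an alert only for hosts where at least two distinct classes co-occur. The sample events are constructed; the script-engine list, the double-extension shortcut heuristic and the scheduled-task script/path heuristic are assumptions made for this example, not details from the advisory.

```python
import re
from collections import defaultdict

# Process names the advisory calls out: script engines spawning curl,
# cmd.exe or PowerShell (the engine list itself is an assumption here).
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_CHILDREN = {"curl.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
TOR_SOCKS_PORT = 9050                      # localhost:9050 from the advisory
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)
# Heuristics (assumptions, not from the advisory): a shortcut that mirrors a
# document name ("budget.xlsx.lnk") is a "legitimate filename" lure, and a
# scheduled task whose action is a script or lives in a user-writable
# directory counts as "tied to an unusual script or binary".
DOUBLE_EXT_LNK_RE = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|jpe?g|png|txt)\.lnk$", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|js|jse|wsf|ps1|bat|cmd|hta)\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.I)


def classify(ev):
    """Return the indicator category a single telemetry event matches, or None."""
    kind = ev["type"]
    if kind == "process":
        parent = ev.get("parent", "").lower()
        image = ev["image"].lower()
        cmd = ev.get("cmdline", "")
        if parent in SCRIPT_ENGINES and image in SUSPICIOUS_CHILDREN:
            return "script_engine_spawn"
        if image == "schtasks.exe" and "/create" in cmd.lower() and (
            SCRIPT_EXT_RE.search(cmd) or USER_WRITABLE_RE.search(cmd)
        ):
            return "scheduled_task_script"
        if ONION_RE.search(cmd):
            return "tor_c2"
    elif kind == "file" and DOUBLE_EXT_LNK_RE.search(ev["path"]):
        return "shortcut_from_legit_name"
    elif kind == "network":
        if ev.get("dst") == "127.0.0.1" and ev.get("port") == TOR_SOCKS_PORT:
            return "tor_c2"
        if ONION_RE.search(ev.get("dst_name", "")):
            return "tor_c2"
    return None


def correlate(events, min_categories=2):
    """Collect indicator categories per host and alert only where at least
    min_categories distinct ones co-occur: the correlation the advisory asks for."""
    seen = defaultdict(set)
    for ev in events:
        cat = classify(ev)
        if cat:
            seen[ev["host"]].add(cat)
    return {h: sorted(c) for h, c in seen.items() if len(c) >= min_categories}


# Constructed sample telemetry (not real logs); keys mimic simplified
# Sysmon-style process, file and network events.
SAMPLE_EVENTS = [
    # WS01: the chain the advisory describes, end to end
    {"host": "WS01", "type": "file", "path": r"E:\Docs\budget.xlsx.lnk"},
    {"host": "WS01", "type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\bob\AppData\Roaming\svc\u.ps1"},
    {"host": "WS01", "type": "process", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": r"schtasks.exe /create /sc onlogon /tn Updater /tr C:\Users\bob\AppData\Roaming\svc\u.ps1"},
    {"host": "WS01", "type": "network", "dst": "127.0.0.1", "port": 9050},
    # WS02: an administrator's legitimate task pointing at Program Files
    {"host": "WS02", "type": "process", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Program Files\Backup\run.exe"'},
    # WS03: someone running a local Tor client; port 9050 alone is not an alert
    {"host": "WS03", "type": "network", "dst": "127.0.0.1", "port": 9050},
]

if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(cats)}")
```

Run as-is, the script alerts only on WS01, where all four indicator classes line up; WS02's legitimate scheduled task and WS03's lone Tor connection are not enough on their own. Lowering min_categories to 1 turns the same data into the noisy single-indicator alerting the advisory warns against, which is the point of the threshold.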