Microsoft Uncovers Windows Clipper Malware Using USB LNK Worm and Tor C2
Microsoft's Defender Security Research Team has disclosed details of a sophisticated Windows-based cryptocurrency clipper campaign that has been active since February 2026. The malware combines a USB-propagating LNK worm with a Tor-routed command-and-control (C2) infrastructure, enabling both financial theft and covert remote access. According to Microsoft, the clipper "relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 server," allowing attackers to blend high-frequency clipboard theft with screenshot exfiltration and lightweight backdoor capabilities in a single payload.
The campaign begins with a malicious Windows Shortcut (LNK) file distributed via USB storage devices. When launched, the LNK scans the USB drive for common document types such as DOC, XLSX, and PDF, hides the original files, and replaces them with weaponized shortcuts that point to the worm component. The worm first checks whether the host is already infected and only proceeds to fetch the payload from a remote server if it isn't, minimizing redundant infections. To maintain persistence, both the worm and stealer components are registered as scheduled tasks, ensuring the malware survives reboots and user logoffs. IT teams investigating suspicious endpoint behavior can run a port scanner to detect unexpected SOCKS5 proxy activity that often indicates a compromised host running a hidden Tor client.
The clipper module uses WScript and ActiveXObject to interact with Windows, deliberately exiting if Task Manager is running to evade casual detection. It launches a renamed Tor binary in a hidden window, generates a unique victim identifier, and registers it with the external C2 server over a .onion hidden service. Once registered, the malware enters a continuous loop: polling the C2 approximately every 500 milliseconds for new instructions while simultaneously monitoring the clipboard for cryptocurrency seed phrases, private keys, and wallet addresses. If the C2 returns an EVAL response, the attackers can execute arbitrary code on the victim machine, effectively transforming a financially motivated stealer into a remote-access backdoor. Security teams analyzing anomalous outbound traffic can use a VPN/proxy detector or DNS leak test to identify unauthorized anonymized tunnels originating from corporate endpoints.
The campaign represents a notable evolution in commodity stealer malware, as it does not depend on traditional installers or exposed IP-based C2 infrastructure. Stolen artifacts—including substituted wallet addresses, private keys, and host screenshots—are exfiltrated exclusively through Tor, complicating network-level attribution and takedown efforts. Microsoft recommends disabling autorun features on removable media, auditing scheduled tasks for unknown entries, and alerting on unexpected WScript or Tor process executions. Users who suspect their credentials or seed phrases may have been exposed should rotate wallet keys immediately and verify the integrity of any device that has recently accepted unfamiliar USB media.
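The persistence and detection points above (scheduled tasks that run Windows Script Host, WScript launching a hidden Tor client, an unexpected SOCKS5 listener) can be checked mechanically against exported host data. The following triage script is an added example, not Microsoft's or the report's own tooling; the record shapes, the user-writable-path heuristic and the sample data are constructed assumptions, and 9050 is only Tor's default SOCKS port, which a renamed client need not use.

```python
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
TOR_SOCKS_PORT = 9050  # Tor's default SOCKS port; a renamed client may use another
# Hypothetical heuristic: a script host launching a binary from a user-writable
# location is worth a look; legitimate script-host children rarely live there.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)


def flag_tasks(tasks):
    """Scheduled tasks whose action invokes Windows Script Host (the report says
    both worm and stealer persist as scheduled tasks)."""
    return [(t["name"], "task action runs Windows Script Host")
            for t in tasks if any(h in t["action"].lower() for h in SCRIPT_HOSTS)]


def flag_processes(events):
    """Process-creation events where wscript/cscript spawned a binary from a
    user-writable path (the hidden-window renamed Tor launch described above)."""
    hits = []
    for e in events:
        parent = e.get("parent_image", "").lower()
        if parent.endswith(SCRIPT_HOSTS) and USER_WRITABLE.search(e["image"]):
            hits.append((e["image"], "script host launched binary from user-writable path"))
    return hits


def flag_listeners(listeners, suspicious_images=()):
    """Local listeners on Tor's default SOCKS port, or owned by an image that
    flag_processes already flagged (a renamed Tor client can pick any port)."""
    return [(l["image"], f"unexpected SOCKS-style listener on {l['port']}")
            for l in listeners
            if l["port"] == TOR_SOCKS_PORT or l["image"] in suspicious_images]


def triage(tasks, events, listeners):
    """Run all three checks and return one combined list of (image, reason)."""
    proc = flag_processes(events)
    return flag_tasks(tasks) + proc + flag_listeners(listeners, {img for img, _ in proc})


# Constructed sample records (not real telemetry) mimicking exported scheduled-task,
# process-creation and netstat-style data from a single host.
SAMPLE_TASKS = [
    {"name": "OneDriveSyncHelper", "action": r"wscript.exe //B C:\Users\Public\upd.js"},
    {"name": "EdgeUpdateTaskMachineUA", "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /ua"},
]
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Public\svchost.exe", "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"image": r"C:\Windows\System32\svchost.exe", "parent_image": r"C:\Windows\System32\services.exe"},
]
SAMPLE_LISTENERS = [{"image": r"C:\Users\Public\svchost.exe", "port": 9050},
                    {"image": "System", "port": 445}]

for image, reason in triage(SAMPLE_TASKS, SAMPLE_EVENTS, SAMPLE_LISTENERS):
    print(f"{reason}: {image}")
```

Feed it real exports (for example from `Get-ScheduledTask`, Sysmon event 1 and `netstat -ano`) by mapping them onto the same three record shapes.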