Cybersecurity · June 18, 2026 · via The Hacker News

Microsoft warns of Windows Clipper malware spreading via USB drives

Microsoft has uncovered a Windows-based cryptocurrency Clipper malware campaign that has been active since February 2026. The threat uses a combination of Windows Script Host and ActiveX logic to deploy a bundled Tor proxy and communicate with a hidden-service command-and-control server.

A stealthy infection chain through removable media

The campaign spreads primarily through USB LNK worms, which trick users into clicking malicious shortcut files. Once executed, the Clipper malware replaces cryptocurrency wallet addresses copied to the clipboard with attacker-controlled addresses, silently diverting funds. Microsoft notes the use of legitimate Windows components like WScript and VBScript to maintain persistence and evade detection.

Tor-based infrastructure adds another layer of obscurity

Instead of connecting directly to a remote server, the malware relies on a bundled Tor proxy to reach its command-and-control infrastructure via a hidden service. This approach makes it harder for defenders to trace the traffic or block the server, as the communication is routed through the anonymity network. Microsoft’s analysis highlights how attackers are increasingly using Tor to obscure their operations and prolong campaigns.

What users and organizations can do

Microsoft recommends updating Windows systems and enabling Defender for Endpoint to detect and block such threats. Users should avoid opening unfamiliar USB drives or shortcut files, and verify wallet addresses before pasting them. Organizations may consider disabling Windows Script Host and ActiveX where appropriate, alongside deploying endpoint protection that monitors clipboard activity for unauthorized modifications.
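
A read-only audit for two of the measures above, as an added example that is not from Microsoft or the source article: it reports whether Windows Script Host is disabled through the `Enabled` registry value and flags shortcuts in the root of removable drives that launch a script host or shell. The function names and the list of hosts are assumptions of this example.

```powershell
# Added example: read-only defensive audit. Nothing is modified or deleted.

function Get-WshPolicy {
    # WSH is blocked for a hive when Settings\Enabled is 0 in that hive.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Microsoft\Windows Script Host\Settings"
        $val = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{
            Hive    = $hive
            Enabled = if ($null -eq $val) { 'not set (WSH allowed)' } else { $val }
        }
    }
}

function Find-SuspiciousShortcut {
    param(
        # Default: every removable volume (DriveType 2), e.g. "E:".
        [string[]]$Root = (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2').DeviceID
    )
    # Assumed list of interpreters a shortcut on a USB stick has no reason to start.
    $hosts = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'cmd.exe', 'powershell.exe'
    $shell = New-Object -ComObject WScript.Shell   # used only to read .lnk fields

    foreach ($r in $Root) {
        # -Force includes hidden and system entries in the listing.
        Get-ChildItem -Path "$r\" -Filter *.lnk -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)   # opens the existing shortcut
                $exe = [IO.Path]::GetFileName($lnk.TargetPath)
                if ($hosts -contains $exe) {                # -contains ignores case
                    [pscustomobject]@{
                        Shortcut  = $_.FullName
                        Target    = $lnk.TargetPath
                        Arguments = $lnk.Arguments
                    }
                }
            }
    }
}

Get-WshPolicy | Format-Table -AutoSize
Find-SuspiciousShortcut | Format-List
```

A flagged shortcut is a lead for triage, not a verdict: review its `Arguments` before deciding whether the drive needs to be quarantined.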


Source: The Hacker News. AI-assisted editorial synthesis — TechnoExpress.
