Crypto Clipper malware uses Tor and USB-based worm propagation for persistence
Windows-based cryptocurrency clipper active since February 2026 combines clipboard theft, wallet-address hijacking, and worm-like USB propagation via Tor-routed C2 communication.
Attack Brief
Target: Windows users; cryptocurrency wallet holders
Vector: Malicious .lnk shortcut files distributed on USB storage devices; worm-based propagation to newly inserted USB devices
Attribution: unattributed
Technical Details
MITRE ATT&CK: T1005, T1113, T1115, T1547.001, T1547.005, T1140, T1036.004, T1036.005, T1564.001, T1566.002, T1566.004, T1105, T1036.003, T1566.001, T1053.005, T1218.009, T1218.011, T1071.001, T1090.003
IoCs: localhost:9050; ugate.exe; C:\Users\Public\Documents\*; Trojan:Win32/CryptoBandits.A
Affected: Windows systems; active since February 2026
Impact
Confirmed Damage: Cryptocurrency wallet theft via clipboard hijacking; seed phrase and private key exfiltration; wallet-address substitution; screenshot exfiltration
Mitigation
Detection: Monitor for script interpreters (WScript, cscript) spawning suspicious child processes; detect localhost:9050 SOCKS5 proxy usage; hunt for screen-capture commands in PowerShell; identify clipboard inspection or crypto-address replacement patterns. Microsoft Defender for Endpoint detections: 'Suspicious JavaScript process', 'Possible data exfiltration using Curl'. Microsoft Defender Antivirus detection: Trojan:Win32/CryptoBandits.A
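As an added example (not part of the brief or any vendor's detection content), the following Python triages Sysmon-style process-creation and network events against the detection points above: script hosts spawning suspicious children, PowerShell screen-capture command lines, the ugate.exe / C:\Users\Public\Documents IoCs, and connections to the local Tor SOCKS port. The Sysmon field names, the suspicious-child list, the CopyFromScreen marker and the sample events are assumptions constructed for the example.

```python
# Added example: triage constructed Sysmon-style events against the brief's
# detection points. Field names follow Sysmon (Image, ParentImage, CommandLine,
# DestinationIp, DestinationPort); the events below are constructed, not captured.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "curl.exe", "rundll32.exe", "regasm.exe"}
# Assumption: PowerShell screenshot one-liners typically load System.Drawing and call CopyFromScreen.
SCREEN_CAPTURE_MARKERS = ("copyfromscreen", "system.drawing")
PUBLIC_DOCS = "c:\\users\\public\\documents\\"  # IoC path prefix from the brief

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule, detail) hits for every event matching one of the brief's indicators."""
    hits = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "").lower()
        if ev["EventID"] == 1:  # process creation
            parent = basename(ev.get("ParentImage", ""))
            if parent in SCRIPT_HOSTS and image in SUSPICIOUS_CHILDREN:
                hits.append(("script_host_spawn", f"{parent} -> {image}"))
            if image == "powershell.exe" and any(m in cmd for m in SCREEN_CAPTURE_MARKERS):
                hits.append(("powershell_screen_capture", cmd[:60]))
            if image == "ugate.exe" or ev.get("Image", "").lower().startswith(PUBLIC_DOCS):
                hits.append(("ioc_path_or_name", ev["Image"]))
        elif ev["EventID"] == 3:  # network connection
            if ev.get("DestinationIp") in ("127.0.0.1", "::1") and ev.get("DestinationPort") == 9050:
                hits.append(("tor_socks_localhost", f"{image} -> {ev['DestinationIp']}:9050"))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -w hidden -c Add-Type -AssemblyName System.Drawing; "
                    "[System.Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size)"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Users\\Public\\Documents\\ugate.exe", "CommandLine": "ugate.exe"},
    {"EventID": 3, "Image": "C:\\Users\\Public\\Documents\\ugate.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 9050},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The benign notepad and HTTPS events produce no hits, so the rules can be checked for false positives as well as coverage.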