Microsoft Threat Intelligence has published a detailed technical analysis of an active cryptocurrency clipboard-hijacking campaign that has been targeting Windows users since at least February 2026. The campaign deploys clipboard-intercepting malware capable of self-spreading through USB drives using malicious LNK (Windows shortcut) files, and routes all command-and-control (C2) traffic through the Tor anonymity network to evade detection and attribution.
How the Clipper Malware Works
Clipboard hijackers — or "clippers" — are a class of malware that monitors the Windows clipboard for cryptocurrency wallet addresses. When a victim copies a wallet address to paste into a transaction, the malware silently replaces it with an attacker-controlled address. The victim completes the transaction without noticing, sending funds directly to the threat actor.
The malware in this campaign extends that baseline technique with several notable capabilities:
- USB LNK worm propagation: The malware drops malicious LNK files onto connected USB drives. When the drive is inserted into another Windows machine and the shortcut is opened, the infection spreads with no user action beyond that initial click.
- Tor-based C2 communication: All outbound communication from infected hosts routes through the Tor network, making it significantly harder for network defenders and law enforcement to identify, block, or trace the C2 infrastructure.
- Multi-currency targeting: The clipper monitors clipboard content for wallet address patterns from multiple major cryptocurrencies including Bitcoin, Ethereum, Solana, and several others.
- Persistence mechanism: The malware establishes persistence via scheduled tasks and registry run keys to survive reboots.
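The clipper technique described above, and its multi-currency targeting, can be caught on the endpoint by looking for its behaviour rather than for a file hash: a user copies a wallet address and, a fraction of a second later, a different process rewrites the clipboard with another address of the same currency. The following Python is an added example written for this article; it is not Microsoft's code and not part of the report. The address patterns are syntactic checks for the currencies the article names (no checksum validation), the clipboard-write event format is an assumed EDR export, and the process name "svc_update.exe" and all addresses in the sample trace are constructed placeholders, not indicators from the campaign.

```python
import re
from typing import List, Optional, Tuple

# Syntactic patterns for the address families the article names. These are
# constructed for triage only: they say "looks like an address of this kind",
# not "is a valid address" (no checksum or bech32 decoding is performed).
WALLET_PATTERNS = [
    ("bitcoin_legacy", re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")),
    ("bitcoin_bech32", re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}$")),
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    # Solana keys are plain base58 and overlap the legacy Bitcoin syntax,
    # so this entry is deliberately last.
    ("solana", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]


def classify_address(text: str) -> Optional[str]:
    """Return the first matching currency label for `text`, or None if it
    does not look like a wallet address at all."""
    candidate = text.strip()
    for label, pattern in WALLET_PATTERNS:
        if pattern.match(candidate):
            return label
    return None


# One clipboard write as an EDR might record it (assumed format):
# (seconds since start of trace, image name of the writing process, new text).
ClipEvent = Tuple[float, str, str]


def find_substitutions(events: List[ClipEvent], window_s: float = 2.0) -> List[dict]:
    """Flag a write in which a *different* process replaces a wallet address
    with another address of the same currency within `window_s` seconds.

    That sequence (user copies an address; an unrelated process immediately
    rewrites the clipboard with a look-alike) is the behavioural signature of
    a clipper and needs no file hash. Events are assumed to be in time order.
    """
    alerts: List[dict] = []
    prev: Optional[ClipEvent] = None
    for ts, proc, text in events:
        kind = classify_address(text)
        if prev is not None and kind is not None:
            p_ts, p_proc, p_text = prev
            if (classify_address(p_text) == kind
                    and p_text.strip() != text.strip()
                    and p_proc != proc
                    and ts - p_ts <= window_s):
                alerts.append({
                    "time": ts,
                    "process": proc,
                    "currency": kind,
                    "original": p_text,
                    "replacement": text,
                })
        prev = (ts, proc, text)
    return alerts


# Constructed sample trace. Process names and addresses are made up for the
# example; "svc_update.exe" is a placeholder, not an IOC from the report.
SAMPLE_EVENTS: List[ClipEvent] = [
    (0.0, "explorer.exe", "quarterly-report.docx"),
    (5.0, "chrome.exe", "0x" + "a1" * 20),        # user copies an Ethereum address
    (5.3, "svc_update.exe", "0x" + "b2" * 20),    # rewritten 300 ms later by another process
    (20.0, "chrome.exe", "bc1q" + "q" * 38),      # user copies a bech32 Bitcoin address
    (20.1, "chrome.exe", "bc1q" + "q" * 38),      # same process, same value: benign re-copy
    (40.0, "notepad.exe", "hello"),
]

if __name__ == "__main__":
    for alert in find_substitutions(SAMPLE_EVENTS):
        print(f"[{alert['time']:.1f}s] {alert['process']} swapped {alert['currency']} "
              f"address {alert['original']} -> {alert['replacement']}")
```

Run against the sample trace, only the Ethereum rewrite at 5.3 s is reported; the repeated bech32 copy by the same browser process is not, because the check requires a different writer and a different address of the same type. In a real deployment the event source would be the EDR's clipboard telemetry, and the 2-second window is a tuning knob, not a fixed property of the malware.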
Infection Chain
The initial infection vector identified by Microsoft involves malware distributed through trojanized software downloads and phishing emails. Once installed, the clipper performs an initial beacon to its Tor-hosted C2 to register the new victim and receive configuration updates including the wallet addresses to swap in.
The LNK worm component then enumerates any connected removable drives and drops copies of the malware disguised as legitimate-looking shortcut files, often mimicking common application names or drive management tools.
Scale and Impact
Microsoft reports the campaign has resulted in cryptocurrency losses across multiple countries, with the majority of identified victims concentrated in Europe, North America, and South Asia. While individual transaction losses vary, the aggregate across thousands of infections can be substantial — clipper campaigns have historically generated millions in illicit proceeds before detection.
Detection and Mitigation
Microsoft has shared the following guidance for defenders:
- Monitor clipboard access APIs: Use endpoint detection and response (EDR) tools to alert on unexpected processes accessing the clipboard at high frequency.
- Block autorun from removable media: Disable Windows AutoPlay/AutoRun features and enforce policies preventing LNK execution from removable drives via Group Policy.
- Tor traffic blocking: Deploy network-level controls to block connections to Tor exit nodes and known Tor bridge IPs at perimeter firewalls.
- Educate users on transaction verification: Train users to always manually verify wallet addresses character-by-character rather than relying on copy-paste for cryptocurrency transactions.
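The first item in that guidance, alerting on processes that read the clipboard at high frequency, is a rate check over per-call telemetry. The Python below is an added example for this article, not Microsoft's code or a Defender rule. It assumes a simplified EDR export with one clipboard API call per line (timestamp, pid, image path, API name); the log lines, the 60-second window, the threshold of 30 reads, and the placeholder image "svc_update.exe" are all constructed for the example and are not indicators from the report.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Assumed export format (constructed for this example): one clipboard API call
# per line with an ISO-8601 UTC timestamp, the calling pid, image path and API.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}Z) "
    r"pid=(?P<pid>\d+) image=(?P<image>\S+) api=(?P<api>\w+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"
CLIPBOARD_READ_APIS = {"GetClipboardData", "OpenClipboard"}


def parse_line(line: str) -> Optional[dict]:
    """Parse one telemetry line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "pid": int(m["pid"]),
        "image": m["image"],
        "api": m["api"],
    }


def find_high_frequency_readers(
    lines: List[str],
    window: timedelta = timedelta(seconds=60),
    threshold: int = 30,
) -> Dict[str, int]:
    """Return {"<image>:<pid>": peak_count} for processes whose clipboard reads
    exceed `threshold` within any sliding `window`.

    Lines are assumed to be in time order. A clipper polls the clipboard
    continuously (many reads per minute); interactive paste operations produce
    a handful. The threshold is a starting point to tune per environment, and
    known clipboard managers would be allowlisted before alerting.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["api"] not in CLIPBOARD_READ_APIS:
            continue
        key = f"{ev['image']}:{ev['pid']}"
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop reads older than the window
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return {k: n for k, n in peak.items() if n > threshold}


# Constructed sample log: a user pasting three times in a minute, and a
# placeholder process (not an IOC from the report) polling twice per second.
BENIGN_IMAGE = r"C:\Windows\System32\notepad.exe"
SUSPECT_IMAGE = r"C:\Users\victim\AppData\Roaming\svc_update.exe"


def build_sample_log() -> List[str]:
    base = datetime(2026, 3, 1, 10, 0, 0)
    lines: List[str] = []
    for sec in (2, 25, 55):
        t = base + timedelta(seconds=sec)
        lines.append(f"{t.strftime(TS_FMT)} pid=3100 image={BENIGN_IMAGE} api=GetClipboardData")
    for i in range(60):
        t = base + timedelta(milliseconds=500 * i)
        lines.append(f"{t.strftime(TS_FMT)} pid=4120 image={SUSPECT_IMAGE} api=GetClipboardData")
    lines.sort()  # fixed-width timestamps sort lexically into time order
    return lines


if __name__ == "__main__":
    for key, n in find_high_frequency_readers(build_sample_log()).items():
        print(f"ALERT: {key} performed {n} clipboard reads inside one 60 s window")
```

On the constructed log the polling process peaks at 60 reads in a single window while the editor stays at 3, so only the former is returned. The sliding deque keeps memory bounded to one window per process, which matters when this runs over a day of fleet-wide telemetry rather than a handful of lines.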
Microsoft Defender now detects components of this campaign as variants of the Trojan:Win32/ClipBanker threat family. Organizations should ensure definitions are current and that real-time protection is enabled.
YARA and IOCs
Microsoft has shared indicator sets including file hashes, scheduled task names, and Tor hidden service addresses associated with the campaign's C2 infrastructure through its threat intelligence portal. Security teams should ingest these indicators into their SIEM and threat intelligence platforms immediately.
The combination of self-spreading USB capability and Tor-based C2 marks this campaign as more operationally sophisticated than typical clipper variants, suggesting a well-resourced threat actor with intent to sustain the operation long-term.