Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2
Microsoft has detailed a Windows cryptocurrency clipper campaign that has been active since February 2026. The malware spreads through a USB LNK worm and uses a Tor-based command-and-control (C2) server for its operations. According to the Microsoft Defender Security Research Team, the clipper uses Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy, which then communicates with a hidden-service C2 server to receive instructions and exfiltrate stolen data. The campaign's primary objective is to steal cryptocurrency by intercepting and replacing wallet addresses in users' clipboards. The analysis, published on Tuesday, indicates that the attackers have been targeting users for an extended period, demonstrating a persistent threat to cryptocurrency holders. Routing C2 traffic over Tor makes the campaign harder to track and disrupt, because the hidden service conceals the server's location and the destination of its traffic. This approach highlights the evolving tactics employed by cybercriminals in the cryptocurrency space.
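The defining behaviour of a clipper is the one the report describes: a wallet address sits in the clipboard and is silently replaced by a different address of the same type. The following is an added example (not code from Microsoft or the publisher) of a small detector that applies that heuristic to a stream of clipboard snapshots; the `ClipEvent` fields, the assumption that a user copy keystroke can be observed alongside each change, the two-second window and the simplified address patterns are all assumptions, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Simplified address patterns (assumption: illustrative only, not an exhaustive list of formats).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the address family of a clipboard string, or None if it does not look like one."""
    return next((f for f, p in ADDRESS_PATTERNS.items() if p.match(text.strip())), None)


@dataclass
class ClipEvent:
    ts: float        # seconds since monitoring started
    content: str     # clipboard text after this change
    user_copy: bool  # a user copy keystroke accompanied the change (assumed telemetry source)


def detect_clipper(events, window=2.0):
    """Flag an address replaced by a different address of the same family with no user copy
    action, within `window` seconds of the previous change: the clipper's swap signature."""
    alerts = []
    prev = None
    for ev in events:
        if prev is not None:
            before, after = classify(prev.content), classify(ev.content)
            if (before is not None and after == before
                    and ev.content != prev.content
                    and not ev.user_copy
                    and ev.ts - prev.ts <= window):
                alerts.append({"ts": ev.ts, "family": before,
                               "original": prev.content, "replacement": ev.content})
        prev = ev
    return alerts


def run_demo():
    # Constructed sample stream: two silent swaps and one legitimate user copy of a new address.
    user_btc, swapped_btc = "bc1q" + "a" * 38, "bc1q" + "b" * 38
    user_eth, swapped_eth = "0x" + "1" * 40, "0x" + "2" * 40
    events = [
        ClipEvent(0.0, user_btc, True),
        ClipEvent(0.3, swapped_btc, False),       # silent same-family swap -> alert
        ClipEvent(5.0, "meeting notes", True),    # ordinary text -> ignored
        ClipEvent(10.0, user_eth, True),
        ClipEvent(10.2, swapped_eth, False),      # silent same-family swap -> alert
        ClipEvent(20.0, "0x" + "3" * 40, True),   # user deliberately copies another address -> no alert
    ]
    return detect_clipper(events)
```

Calling `run_demo()` returns the two alerts for the constructed stream; in practice the false-positive rate of this heuristic depends on how reliably the user copy signal can be observed.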
Original source: read the full reporting at the publisher, The Hacker News.