Ars Technica (2 min read)

Microsoft discovers new lightweight backdoor that steals cryptocurrency
Microsoft announced on Thursday the discovery of a new self-propagating malware, dubbed Crypto Clipper, that spreads over USB drives and targets cryptocurrency credentials. The worm monitors the device clipboard for wallet addresses or seed phrases and, when it finds one, captures five screenshots within a 10-second interval. Both the stolen credentials and the screenshots are sent to attacker-controlled servers over the Tor network, with the connection established through a local SOCKS5 proxy. Microsoft highlighted that Crypto Clipper's execution is noteworthy because it avoids both traditional installers and exposed IP-based command-and-control (C2) infrastructure. Instead, it deploys a portable Tor client, routes its traffic through a local SOCKS5 proxy, and combines data theft with remote code execution, effectively turning a financially motivated stealer into a lightweight backdoor. This approach allows covert data exfiltration and potential further compromise without relying on conventional network vulnerabilities.
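The three behaviours the report describes (a clipboard read, a burst of five screenshots inside 10 seconds, and an outbound connection through a loopback SOCKS5 proxy) are individually common but rarely co-occur in one process. The following detector, added here as an illustration and not code from Microsoft or from the Ars Technica reporting, correlates them per process over endpoint telemetry. The telemetry format (JSON lines with `ts`, `pid`, `image`, `event` and a hex dump of the first bytes of each connection) and the sample events are constructed assumptions; the SOCKS5 greeting check follows RFC 1928, and the 9050 port in the sample is simply Tor's default SOCKS port, not something the report states.

```python
"""Behavioural correlation for the Crypto Clipper pattern described above.

Hypothetical endpoint telemetry (constructed for this example) is a list of
JSON lines with fields ts (seconds), pid, image, event and, for network
events, dst, dport and first_bytes (hex). A process is flagged only when all
three reported behaviours co-occur: a clipboard read, a burst of screenshots
(>= 5 within 10 s) and a connection through a loopback SOCKS5 proxy.
"""
import json
from collections import defaultdict, deque

SCREENSHOT_BURST = 5      # screenshots the report attributes to one trigger
BURST_WINDOW_S = 10.0     # interval the report gives for those screenshots
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample telemetry, not real logs. pid 4242 models the worm,
# pid 1001 a browser that legitimately uses a local SOCKS proxy, and
# pid 777 a screenshot tool that reads the clipboard but never bursts.
SAMPLE_TELEMETRY = [
    '{"ts": 100.0, "pid": 4242, "image": "updater.exe", "event": "clipboard_read"}',
    '{"ts": 100.4, "pid": 4242, "image": "updater.exe", "event": "screenshot"}',
    '{"ts": 102.1, "pid": 4242, "image": "updater.exe", "event": "screenshot"}',
    '{"ts": 104.0, "pid": 4242, "image": "updater.exe", "event": "screenshot"}',
    '{"ts": 106.3, "pid": 4242, "image": "updater.exe", "event": "screenshot"}',
    '{"ts": 108.9, "pid": 4242, "image": "updater.exe", "event": "screenshot"}',
    '{"ts": 109.5, "pid": 4242, "image": "updater.exe", "event": "net_connect",'
    ' "dst": "127.0.0.1", "dport": 9050, "first_bytes": "050100"}',
    '{"ts": 101.0, "pid": 1001, "image": "browser.exe", "event": "net_connect",'
    ' "dst": "127.0.0.1", "dport": 9050, "first_bytes": "050100"}',
    '{"ts": 103.0, "pid": 777, "image": "snip.exe", "event": "clipboard_read"}',
    '{"ts": 103.5, "pid": 777, "image": "snip.exe", "event": "screenshot"}',
    '{"ts": 120.0, "pid": 777, "image": "snip.exe", "event": "screenshot"}',
]


def parse_telemetry(lines):
    """Parse JSON lines, drop malformed or incomplete ones, sort by timestamp."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and {"ts", "pid", "event"} <= ev.keys():
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_socks5_greeting(hex_bytes):
    """SOCKS5 client greeting (RFC 1928): version 0x05, NMETHODS, then methods."""
    try:
        raw = bytes.fromhex(hex_bytes)
    except ValueError:
        return False
    return len(raw) >= 2 and raw[0] == 0x05 and len(raw) >= 2 + raw[1]


def detect_clipper_pattern(lines):
    """Return {pid: image} for processes showing all three behaviours."""
    clipboard, socks, burst = set(), set(), set()
    shots = defaultdict(deque)   # per-pid sliding window of screenshot times
    image = {}
    for ev in parse_telemetry(lines):
        pid = ev["pid"]
        image[pid] = ev.get("image", "?")
        kind = ev["event"]
        if kind == "clipboard_read":
            clipboard.add(pid)
        elif kind == "screenshot":
            window = shots[pid]
            window.append(ev["ts"])
            # evict screenshots older than the burst window
            while window and ev["ts"] - window[0] > BURST_WINDOW_S:
                window.popleft()
            if len(window) >= SCREENSHOT_BURST:
                burst.add(pid)
        elif kind == "net_connect":
            if ev.get("dst") in LOOPBACK and is_socks5_greeting(ev.get("first_bytes", "")):
                socks.add(pid)
    hits = clipboard & burst & socks
    return {pid: image[pid] for pid in sorted(hits)}


if __name__ == "__main__":
    for pid, name in detect_clipper_pattern(SAMPLE_TELEMETRY).items():
        print(f"clipper-like behaviour: pid={pid} image={name}")
```

Matching on the SOCKS5 greeting bytes rather than on a fixed port keeps the rule valid when the proxy listens elsewhere, and requiring all three signals together is what separates the worm from a browser using Tor or a screenshot utility that touches the clipboard.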

Original source: Ars Technica (read the full reporting at the publisher).