Microsoft researchers have disclosed a cryptocurrency clipper malware campaign that has targeted Windows users since February 2026. The threat spreads between machines with a USB-borne LNK (shortcut) worm and runs its stages through Windows Script Host and ActiveX-driven logic rather than a purpose-built loader.

The malware launches a bundled Tor proxy and talks to a command-and-control server hosted as a Tor hidden (onion) service. Routing C2 through Tor hides the server's location, makes IP-based blocklisting ineffective, and keeps the channel alive for as long as the victim can reach the Tor network. The clipper component itself is simple: it watches the clipboard for strings shaped like cryptocurrency wallet addresses and silently replaces them with attacker-controlled addresses of the same type, so a victim who copies a recipient's address and pastes it into a wallet ends up sending funds to the attacker.

The LNK worm component spreads through removable USB drives. The shortcuts do not run on insertion: AutoRun for removable drives has been disabled by default on Windows since 2011. Infection begins when the user opens one of the planted shortcuts, which launches the Windows Script Host stage described above. The technique trades on users' trust in their own external storage and on the fact that a .lnk file can launch any command with any arguments while displaying whatever name and icon the attacker chooses.

The operators lean on built-in Windows scripting (Windows Script Host, ActiveX) for the early stages instead of a custom executable, which reduces the signature-based detection surface at the point of entry. The approach is not binary-free, though: the bundled Tor proxy is a dropped executable, and an unexpected Tor client on an endpoint that has no business running one, together with outbound connections to Tor entry nodes, is a signal defenders can hunt for.

Cryptocurrency users face direct financial loss. The clipper acts on the address in clipboard memory, so it catches anyone who copies a wallet address and pastes it into a transaction. Because the substitute is a syntactically valid address of the same type, the wallet software and the blockchain see nothing wrong, and victims typically notice only when the funds never arrive; by then the transaction is confirmed and cannot be reversed.
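The only reliable defence at the paste step is to compare what lands in the wallet with what was copied. The following PowerShell is an added example, not code from the Microsoft report or from the malware: it records the address the user intends to send to and flags the case where the clipboard now holds a different address. The address regexes, the function names and the two demo addresses are this example's own assumptions; the demo values are constructed and are not real wallets.

```powershell
# Added example, not part of the Microsoft report: a clipboard guard for the
# paste step. Record the address you intend to send to, then check, right
# before pasting, that the clipboard still holds exactly that address.
# The address regexes below are this example's own and cover only a few
# chains; a clipper may target others.
$AddressPatterns = [ordered]@{
    'BTC-legacy' = '^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$'   # Base58 P2PKH / P2SH
    'BTC-bech32' = '^bc1[ac-hj-np-z02-9]{11,71}$'         # SegWit bech32, lowercase form
    'ETH'        = '^0x[0-9a-fA-F]{40}$'                   # also ERC-20 / other EVM chains
    'TRON'       = '^T[a-km-zA-HJ-NP-Z1-9]{33}$'
}

function Get-AddressKind {
    # Returns the pattern name the string matches, or $null if it is not an address.
    # -cmatch keeps the comparison case-sensitive, which Base58 requires.
    param([string]$Text)
    $t = ([string]$Text).Trim()
    foreach ($kind in $AddressPatterns.Keys) {
        if ($t -cmatch $AddressPatterns[$kind]) { return $kind }
    }
    return $null
}

function Test-AddressSubstitution {
    # $true when the user copied a wallet address but the clipboard now holds a
    # different address: the signature of a clipper swap. Surrounding whitespace
    # is ignored; any other difference, even one character, counts.
    param([string]$Copied, [string]$Current)
    if (-not (Get-AddressKind $Copied)) { return $false }      # nothing to protect
    if ($Copied.Trim() -ceq $Current.Trim()) { return $false } # unchanged
    return [bool](Get-AddressKind $Current)
}

function Watch-ClipboardForSwap {
    # Polls the clipboard for $Seconds after you copy an address and warns the
    # moment it is replaced by a different address. Windows only (Get-Clipboard).
    param([Parameter(Mandatory)][string]$Expected, [int]$Seconds = 120)
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        $now = [string](Get-Clipboard -Raw)
        if (Test-AddressSubstitution -Copied $Expected -Current $now) {
            Write-Warning "Clipboard address was replaced.`n expected: $Expected`n now:      $now"
            return $now
        }
        Start-Sleep -Milliseconds 250
    }
    return $null
}

# Constructed demo values (not real wallets): the address the user copied and
# the value a clipper left in its place. Test-AddressSubstitution reports the swap.
$copied  = '1ExampLeAddrConstructedAbcdefgh'
$swapped = '1AttackerSwappedAddrConstructed1'
Test-AddressSubstitution -Copied $copied -Current $swapped

# Real use: copy the recipient's address, then run
#   Watch-ClipboardForSwap -Expected (Get-Clipboard -Raw)
# and paste while it is running; a warning means do not send.
```

The guard deliberately treats any change as a swap rather than trying to recognise "attacker-looking" addresses: a clipper's replacement is a perfectly valid address, so the only thing that distinguishes it is that it is not the one the user copied.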

Organizations should disable AutoRun/AutoPlay for removable drives through Group Policy (the NoDriveTypeAutoRun policy under Explorer), disable Windows Script Host where it is not needed (the Enabled value under HKLM\Software\Microsoft\Windows Script Host\Settings), and use application control (AppLocker or Windows Defender Application Control) to block wscript.exe, cscript.exe and unsigned scripts for standard users. Users should compare the pasted address, at minimum its first and last several characters, against the source they copied from, because the swap happens at paste time, and keep endpoint protection current.
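The controls above, as an added PowerShell example rather than anything from the Microsoft report: it sets the two registry-backed policies and then audits every removable volume for shortcut files that look like LNK-worm lures. The registry paths and values are the documented Windows locations for those policies; the shortcut heuristics (a script or command host as the target, or a hidden item of the same name beside the shortcut) and the function names are this example's own assumptions about how such lures are typically built, not details taken from this campaign.

```powershell
# Added example, not code from the Microsoft report or from the malware:
# applies the endpoint controls named above and audits removable drives for
# shortcut files that look like LNK-worm lures. Run from an elevated session.
# Registry locations are the documented Windows policy values; the shortcut
# heuristics are this example's own assumptions.
#Requires -RunAsAdministrator

function Disable-RemovableAutoRun {
    # 0xFF disables AutoRun/AutoPlay for all drive types (GPO: "Turn off Autoplay").
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

function Disable-WindowsScriptHost {
    # Enabled = 0 makes wscript.exe and cscript.exe refuse every script.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
}

function Get-SuspiciousRemovableShortcut {
    # Emits one object per .lnk on a removable volume (DriveType 2) that either
    # targets a script/command host or sits beside a hidden item of the same
    # name, i.e. the shortcut is impersonating the real folder or document.
    $shell = New-Object -ComObject WScript.Shell
    $scriptHosts = 'wscript.exe','cscript.exe','mshta.exe','cmd.exe',
                   'powershell.exe','pwsh.exe','rundll32.exe','regsvr32.exe'

    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        Get-ChildItem -Path ($_.DeviceID + '\') -Filter *.lnk -Recurse -Force `
            -ErrorAction SilentlyContinue
    } | ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)
        $target  = [System.IO.Path]::GetFileName($lnk.TargetPath).ToLowerInvariant()
        $reasons = @()

        if ($scriptHosts -contains $target) {
            $reasons += "target is $target"
        }
        # A real folder or file with the same base name, marked Hidden or System,
        # next to the shortcut is the classic decoy layout.
        $sibling = Join-Path $_.DirectoryName $_.BaseName
        if (Test-Path -LiteralPath $sibling) {
            $attr   = (Get-Item -LiteralPath $sibling -Force).Attributes
            $hidden = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
            if (($attr -band $hidden) -ne 0) {
                $reasons += 'hidden sibling with the same name'
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path      = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Reason    = $reasons -join '; '
            }
        }
    }
}

# Usage (elevated):
#   Disable-RemovableAutoRun; Disable-WindowsScriptHost
#   Get-SuspiciousRemovableShortcut | Format-Table -AutoSize
```

The audit reads shortcut targets through the WScript.Shell COM object, which resolves the target path and arguments without executing anything. Application control (AppLocker or WDAC) is left to policy tooling rather than scripted here, since the right rule set depends on which scripts the environment legitimately runs.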

The Tor-based C2 architecture indicates operators prioritize operational security over aggressive monetization, suggesting potential for long-term campaign persistence. Microsoft Defender customers receive protection through existing threat intelligence, though independent verification of detections remains advisable given the malware's