
Crypto Clipper uses Tor and worm-like propagation for persistence and control

Microsoft Security Blog, 17/06/2026, 23:11

Summary

AI-Generated

Key Points:

  • A new Windows-based cryptocurrency clipper malware has been identified, utilizing Tor for command and control and employing worm-like propagation techniques since February 2026.
  • The malware impacts systems by stealing clipboard data, capturing screenshots, and substituting cryptocurrency wallet addresses, posing a significant risk to financial assets.
  • Recommended actions include disabling AutoRun for removable media, blocking .lnk execution from USB drives, restricting script host usage, and monitoring for suspicious local SOCKS5 proxy activity.

Technical Details: This malware operates using a combination of Windows Script Host and ActiveX logic to deploy a Tor proxy for C2 communication. It employs obfuscation techniques to evade detection and utilizes clipboard theft targeting cryptocurrency wallet information.
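As an added defensive example (not code from the Microsoft article or this summary), the following Python parses constructed `netstat -ano` and `tasklist`-style data offline and flags the local SOCKS5 proxy pattern the summary recommends monitoring: a loopback listener on Tor's default SOCKS ports (9050/9150 is an assumption, since the article does not name the port the clipper uses) and a Windows Script Host process connected to it.

```python
import re
from collections import namedtuple

# Constructed sample of "netstat -ano" output (not taken from the article).
NETSTAT_SAMPLE = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:9050         127.0.0.1:51622        ESTABLISHED     4120
  TCP    127.0.0.1:51622        127.0.0.1:9050         ESTABLISHED     5288
  TCP    192.168.1.20:51700     203.0.113.7:443        ESTABLISHED     2212
"""

# Constructed PID -> image name map, as "tasklist" would report it.
PROCESS_SAMPLE = {904: "svchost.exe", 4120: "tor.exe", 5288: "wscript.exe", 2212: "msedge.exe"}

# Assumption: Tor's default SOCKS ports; the article does not state which port the clipper uses.
TOR_SOCKS_PORTS = {9050, 9150}
# Script hosts the summary's mitigations concern (mshta.exe added as a common extra host).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")
# UDP lines (remote "*:*", no state column) do not match and are skipped on purpose.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Parse netstat -ano style lines into Conn tuples; unparseable lines are ignored."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state, pid = m.groups()
            conns.append(Conn(proto, lip, int(lport), rip, int(rport), state, int(pid)))
    return conns

def find_suspicious_socks(conns, procs):
    """Return (reason, pid, image) findings for local SOCKS-like proxy activity."""
    findings = []
    # Loopback listeners: port -> owning PID.
    listeners = {c.local_port: c.pid for c in conns
                 if c.state == "LISTENING" and c.local_ip.startswith("127.")}
    for port, pid in listeners.items():
        if port in TOR_SOCKS_PORTS:
            findings.append(("loopback listener on Tor SOCKS port %d" % port, pid, procs.get(pid, "?")))
    # Any script host talking to a loopback listener is worth a look regardless of port.
    for c in conns:
        if c.state == "ESTABLISHED" and c.remote_ip.startswith("127.") and c.remote_port in listeners:
            image = procs.get(c.pid, "?").lower()
            if image in SCRIPT_HOSTS:
                findings.append(("script host %s connected to local proxy port %d" % (image, c.remote_port),
                                 c.pid, image))
    return findings
```

On a live host the same two functions can be fed the real output of `netstat -ano` and `tasklist`; the sample data here only exercises the logic.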

MITRE ATT&CK Techniques:

  • T1091 - Replication Through Removable Media (Initial Access)
  • T1059 - Command and Scripting Interpreter (Execution)
  • T1057 - Process Discovery (Discovery)
  • T1053.005 - Scheduled Task/Job (Persistence)
  • T1027 - Obfuscated Files or Information (Defense Evasion)
  • T1115 - Clipboard Data (Collection)
  • T1113 - Screen Capture (Collection)
  • T1090 - Proxy (Command and Control)
  • T1048.002 - Exfiltration Over Alternative Protocol (Exfiltration)

IOCs Mentioned:

  • SHA-256 Hashes: 7630debd35cac6b7d58c4427695579b3e3a8b1cc462f523234cd6c698882a68c, a7abf1d9d6686af1cefcd60b17a312e7eb8cfe267def1ec34aeab6128c811630, cf9fc891ea5ca5ecd8113ef3e69f6f52ff538b6cccbdaa9559106fc72bc6da30
  • Domains: <domain>.onion

This summary provides actionable intelligence for security analysts to mitigate risks associated with this emerging threat.
