Microsoft's Defender Security Research Team has published an in-depth analysis of a cryptocurrency clipper campaign active since February 2026, revealing a technically sophisticated operation that chains USB-based propagation with anonymised command-and-control infrastructure built on Tor hidden services.

How the Attack Works

The campaign targets Windows users with the goal of intercepting and replacing cryptocurrency wallet addresses copied to the clipboard — a technique commonly known as "clipping." When a victim copies a wallet address to send funds, the malware silently performs an in-memory substitution, swapping in the attacker's address and redirecting transactions without the user's knowledge.

What distinguishes this particular operation is its three-layered evasion strategy. The malware spreads initially through specially crafted Windows shortcut files (LNK files) planted on USB drives. When a user inserts an infected device and opens the shortcut, the attack chain is triggered without requiring any download from the internet.

Technical Architecture

According to Microsoft's analysis, the clipper leverages Windows Script Host (WSH) and ActiveX-driven execution logic — legitimate Windows components that many security tools treat with less suspicion than standalone executables. This "living-off-the-land" approach means the malware operates within trusted system processes, making detection by signature-based tools significantly harder.

Once active, the malware launches a bundled Tor proxy to establish communication with a hidden-service command-and-control server. This design choice carries substantial operational advantages for the attackers: by routing all C2 traffic through Tor, the campaign's infrastructure becomes extremely difficult to trace, block, or dismantle through conventional law enforcement actions. The hidden service obscures the actual server location behind multiple layers of encryption and relay nodes.

The polling mechanism — where the malware periodically checks in with the C2 server — allows the attackers to update configuration, swap out target wallet addresses, and issue new commands without deploying additional payloads.

Why This Matters

The campaign illustrates a broader trend in the cybercriminal ecosystem: commodity malware is becoming increasingly modular and resilient. By combining social engineering via USB baiting, living-off-the-land techniques that abuse trusted Windows components, and privacy-preserving Tor infrastructure, the attackers are building systems that are challenging to disrupt operationally.

For cryptocurrency users, the clipper model is particularly insidious because it exploits a routine workflow habit — copying and pasting wallet addresses — that most users perform without a second thought. Unlike phishing or credential theft, there is no obvious moment of compromise; the substitution happens silently within system memory.

As cryptocurrency adoption grows, so too does the incentive for attackers to develop increasingly refined tools to intercept funds in transit.

Detection and Mitigation

Organisations and individuals can take several practical steps to reduce exposure to this type of threat:

  • Disable autorun functionality on removable media to prevent automatic execution of LNK files.
  • Restrict Windows Script Host execution where it is not required for business operations.
  • Monitor for Tor proxy traffic on endpoints — connections to known Tor entry nodes can serve as a detection signal.
  • Deploy endpoint detection and response (EDR) solutions that monitor clipboard access patterns and flag anomalous substitution behaviour.
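The two monitoring points in that list, Tor entry-node connections and clipboard substitution, can be turned into simple detection logic over endpoint telemetry. The following Python is an added example, not code from Microsoft's report or the original article: it parses constructed event lines, flags outbound connections to a placeholder set of Tor guard addresses, flags clipboard writes made by Windows Script Host processes, and flags a wallet address that is replaced in the clipboard by a different process within a few seconds of the user's own copy. The log format, the IP addresses, the wallet addresses and the address patterns are all assumptions made for this example; a real deployment would feed it EDR clipboard and network events and a maintained Tor consensus list.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed placeholder set of "known Tor entry node" IPs (TEST-NET ranges).
# In practice this would be refreshed from a Tor consensus / guard-node feed.
KNOWN_TOR_GUARDS = {"203.0.113.10", "198.51.100.25"}

# Windows Script Host binaries the campaign abuses for execution.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Loose shapes for common wallet-address formats (assumed for this example).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Assumed telemetry line shape: "<iso-ts> <kind> pid=<n> proc=<image> key=value ..."
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>\w+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) ?(?P<rest>.*)$"
)


@dataclass
class Event:
    ts: datetime
    kind: str
    pid: int
    proc: str
    fields: dict = field(default_factory=dict)


def parse_event(line: str):
    """Parse one telemetry line; return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Event(ts, m["kind"], int(m["pid"]), m["proc"].lower(), fields)


def address_type(text: str):
    """Return the wallet-address family the text matches, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect(lines, window: timedelta = timedelta(seconds=5)):
    """Run the three heuristics over event lines; return (rule, process, detail) tuples."""
    alerts = []
    last_addr = None  # (event, address family, value) of the most recent clipboard address
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev.kind == "net_connect":
            # Endpoint process connecting to a known Tor guard: bundled-proxy signal.
            ip = ev.fields.get("dst", "").rsplit(":", 1)[0]
            if ip in KNOWN_TOR_GUARDS:
                alerts.append(("tor_guard_connect", ev.proc, ip))
        elif ev.kind == "clipboard_write":
            data = ev.fields.get("data", "")
            family = address_type(data)
            if family is None:
                continue
            # A script host placing a wallet address on the clipboard is itself suspicious.
            if ev.proc in SCRIPT_HOSTS:
                alerts.append(("script_host_clipboard_write", ev.proc, data))
            # Same address family, different value, different process, seconds apart:
            # the clipping pattern the campaign relies on.
            if (last_addr is not None and last_addr[1] == family
                    and last_addr[2] != data and last_addr[0].proc != ev.proc
                    and ev.ts - last_addr[0].ts <= window):
                alerts.append(("clipboard_substitution", ev.proc, data))
            last_addr = (ev, family, data)
    return alerts


# Constructed sample telemetry: a user copies an address, a script host overwrites it.
SAMPLE_EVENTS = [
    "2026-02-14T10:00:40Z net_connect pid=5210 proc=tor.exe dst=203.0.113.10:9001",
    "2026-02-14T10:01:02Z clipboard_write pid=4120 proc=explorer.exe data=bc1qexampleuseraddress0000000000000000000",
    "2026-02-14T10:01:03Z clipboard_write pid=6011 proc=wscript.exe data=bc1qexampleattackeraddr00000000000000000",
    "2026-02-14T10:05:00Z clipboard_write pid=4120 proc=explorer.exe data=hello world",
    "2026-02-14T10:06:00Z net_connect pid=4120 proc=chrome.exe dst=192.0.2.50:443",
]

if __name__ == "__main__":
    for rule, proc, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {proc:14} {detail}")
```

The substitution rule deliberately keys on a different writing process rather than on the address value alone, since a user re-copying a second legitimate address from the same application would otherwise trip it; the time window bounds how long after the user's copy a rewrite is treated as suspicious.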

Microsoft's disclosure serves as a reminder that even seemingly mundane actions like plugging in a USB drive or copying a string of text can become attack vectors when adversaries combine multiple layers of tradecraft into a single operation.
