A newly detailed malware campaign is leveraging weaponized USB drives to deploy clipboard-hijacking software that goes well beyond simple address swapping — actively harvesting cryptocurrency wallet seed phrases and capturing screenshots while routing all traffic through the Tor network to evade detection.
The campaign uses malicious .lnk shortcut files disguised as legitimate utilities found on removable USB media. When a victim plugs in an infected drive and executes the file, the malware silently installs itself and begins monitoring the system clipboard — the temporary memory buffer where copied data resides.
Beyond Simple Clipboard Swapping
While clipboard-hijacking malware, commonly known as "clippers," is not a new threat category, this particular campaign distinguishes itself through a significantly expanded toolkit. Rather than solely swapping cryptocurrency wallet addresses copied to the clipboard — redirecting funds to attacker-controlled wallets — the malware also actively harvests wallet seed phrases and captures desktop screenshots.
Seed phrase theft represents a particularly dangerous escalation. A seed phrase, typically a sequence of 12 or 24 words, serves as the master key to a cryptocurrency wallet. With this phrase in hand, an attacker can fully reconstruct and drain a victim's wallet without needing direct access to the original device.
The desktop screenshot capability adds another layer of intelligence gathering, potentially allowing the operators to observe wallet balances, transaction histories, and other sensitive on-screen data.
Tor Infrastructure Obscures Command-and-Control
The malware routes all communications through the Tor anonymity network, making it significantly more difficult for security researchers and law enforcement to identify the attackers' infrastructure. This design choice complicates network-based detection and takedown efforts, as the command-and-control servers are shielded behind multiple layers of encrypted relay nodes.
The deliberate use of Tor represents an effort to extend the operational lifespan of the campaign by frustrating attribution and resisting infrastructure-level disruption.
The Overlooked Trust Boundary
Security analysts note that this campaign highlights a frequently underestimated attack surface: the clipboard. Users routinely copy and paste wallet addresses without verifying that the pasted string matches the intended destination. A single character change in a long hexadecimal or alphanumeric wallet address is difficult to spot at a glance, and the malware exploits this habitual trust.
The USB infection vector also underscores a gap in many cryptocurrency security postures. While exchanges and DeFi platforms invest heavily in network-level defenses, endpoint security and physical media policies often receive less attention. An infected USB drive bypasses firewalls, email filters, and web proxies entirely — it simply requires an individual to plug it in.
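To make the clipboard trust boundary concrete, the following script (an added example, not code from the article or from any reporting on this campaign) shows the two checks a defender can build around it: a heuristic that flags a clipper's tell-tale behaviour, where a copied wallet address is replaced by a different same-format address within a couple of seconds, and a character-by-character comparison that reports the exact position where a pasted address diverges from the intended one. The clipboard snapshots, the loose address patterns, and the two-second window are constructed assumptions for illustration; a production tool would read the real clipboard and validate address checksums per coin.

```python
"""Heuristic clipper detection over a sequence of clipboard snapshots.

Idea: a clipper rewrites a copied wallet address with its own shortly after
the user copies it. Two consecutive snapshots that both look like the same
kind of address, differ in value, and are separated by less than a couple of
seconds are therefore suspicious: a person rarely copies two distinct
addresses that fast. This is a heuristic, not proof; review alerts manually.
"""
import re
from dataclasses import dataclass

# Loose syntactic patterns for common address formats (constructed for this
# example). They decide only whether a string *looks like* an address; they
# do not validate checksums.
ADDRESS_PATTERNS = {
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,87}$"),
    "btc-base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str):
    """Return the address family `text` resembles, or None."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


@dataclass(frozen=True)
class Snapshot:
    t: float      # seconds since monitoring started (assumed sampling clock)
    text: str     # clipboard contents at that instant


def find_swaps(snapshots, max_gap: float = 2.0):
    """Return (time, original, replacement) for each suspected swap."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        kind = address_kind(prev.text)
        if (kind is not None
                and address_kind(cur.text) == kind
                and cur.text.strip() != prev.text.strip()
                and cur.t - prev.t <= max_gap):
            alerts.append((cur.t, prev.text.strip(), cur.text.strip()))
    return alerts


def first_difference(intended: str, pasted: str):
    """Index of the first differing character, or None if identical.

    Backs the 'verify character by character' habit: a change at a single
    position deep inside a 42-character string is exactly what a glance
    will miss, so report the position rather than a yes/no.
    """
    for i, (a, b) in enumerate(zip(intended, pasted)):
        if a != b:
            return i
    if len(intended) == len(pasted):
        return None
    return min(len(intended), len(pasted))


# Constructed sample: a note, then an ETH-style address copied at t=10.0,
# the clipboard rewritten 0.4 s later with an address that differs in one
# byte near the end, then an unrelated URL.
SAMPLE = [
    Snapshot(0.0, "meeting notes"),
    Snapshot(10.0, "0x" + "a1" * 20),
    Snapshot(10.4, "0x" + "a1" * 19 + "b2"),
    Snapshot(30.0, "https://example.invalid/"),
]

if __name__ == "__main__":
    for t, orig, repl in find_swaps(SAMPLE):
        pos = first_difference(orig, repl)
        print(f"[{t:.1f}s] suspected swap: {orig} -> {repl} (first diff at index {pos})")
```

Running it against the constructed sample reports one suspected swap at 10.4 s with the first differing character at index 40, which is the kind of one-character change the article describes as easy to miss. A legitimate user who copies two different addresses in quick succession would trip the same rule, so treat the output as a prompt for review rather than an automatic block.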
Defensive Recommendations
The evolution of clipper malware from simple clipboard swaps to a multi-vector threat capable of seed-phrase exfiltration, screenshot capture, and covert Tor-based communication signals a clear maturation of cryptocurrency-targeting malware. Organizations and individual users dealing in digital assets should adopt a layered defense posture:
- Disable or restrict autorun functionality for removable media on all endpoints.
- Verify pasted wallet addresses character by character before confirming any transaction.
- Store seed phrases offline and never on internet-connected devices.
- Deploy endpoint detection tools that flag suspicious .lnk file behaviour and unexpected clipboard monitoring processes.
- Monitor for anomalous Tor traffic originating from corporate or personal networks.
- Establish and enforce removable media policies that limit or inspect USB devices before use.
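Two of the recommendations above, flagging suspicious .lnk behaviour on removable media and watching for Tor traffic, can be expressed as simple triage rules over endpoint telemetry. The script below is an added example, not code from the article or from any vendor; the event records are constructed, the field names (`path`, `target`, `removable`, `dst_port`, and so on) are assumptions about what an EDR or NetFlow export would provide, and the Tor port heuristic relies on the well-known default relay (9001) and directory (9030) ports only.

```python
"""Triage constructed endpoint telemetry against two of the recommendations:
1. a .lnk shortcut sitting on a removable volume whose target is a script or
   command interpreter (a shortcut posing as a utility should not need one);
2. an outbound connection to a default Tor relay or directory port.

Caveat for rule 2: relays can be configured to listen on 443 or any other
port, so port matching catches only default-configured relays. In production,
pair it with a current relay-list feed.
"""
import ntpath

# Interpreters commonly invoked by malicious shortcuts (well-known Windows
# binaries; the set is an assumption, extend it to fit your environment).
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe",
}
TOR_RELAY_PORTS = {9001, 9030}  # default ORPort and DirPort


def suspicious_lnk(ev):
    """Rule 1: .lnk on removable media that launches an interpreter."""
    if not ev["path"].lower().endswith(".lnk") or not ev["removable"]:
        return None
    target = ntpath.basename(ev["target"]).lower()
    if target in INTERPRETERS:
        return {
            "kind": "lnk-interpreter-on-removable",
            "host": ev["host"],
            "path": ev["path"],
            "target": target,
        }
    return None


def suspicious_tor(ev):
    """Rule 2: outbound connection to a default Tor relay/directory port."""
    if ev["direction"] == "out" and ev["dst_port"] in TOR_RELAY_PORTS:
        return {
            "kind": "tor-relay-port",
            "host": ev["host"],
            "dst": f"{ev['dst_ip']}:{ev['dst_port']}",
        }
    return None


def triage(file_events, net_events):
    """Apply both rules and return the list of findings."""
    findings = [f for f in map(suspicious_lnk, file_events) if f]
    findings += [f for f in map(suspicious_tor, net_events) if f]
    return findings


# Constructed sample telemetry. Drive E: is a removable volume; the first
# shortcut mimics a utility but points at cmd.exe, the second is a benign
# desktop shortcut, the third is an ordinary file on the same USB drive.
FILE_EVENTS = [
    {"host": "ws-17", "path": r"E:\Disk Cleanup.lnk",
     "target": r"C:\Windows\System32\cmd.exe", "removable": True},
    {"host": "ws-17", "path": r"C:\Users\ana\Desktop\Excel.lnk",
     "target": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "removable": False},
    {"host": "ws-17", "path": r"E:\Photos\IMG_0001.jpg",
     "target": "", "removable": True},
]
# 203.0.113.0/24 is a documentation range; these are not real relays.
NET_EVENTS = [
    {"host": "ws-17", "direction": "out", "dst_ip": "203.0.113.7", "dst_port": 9001},
    {"host": "ws-17", "direction": "out", "dst_ip": "203.0.113.8", "dst_port": 443},
]

if __name__ == "__main__":
    for finding in triage(FILE_EVENTS, NET_EVENTS):
        print(finding)
```

On the constructed sample the script returns two findings, one per rule. Rule 1 deliberately does not look at the shortcut's display name (a lure can be called anything); it keys on the mismatch between a removable-media shortcut and an interpreter target, which is the durable signal.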
As cryptocurrency adoption continues to grow, the incentive for sophisticated malware campaigns targeting digital wallets shows no sign of diminishing. This latest clipper variant serves as a reminder that security must extend beyond the network perimeter to encompass every device and storage medium in the chain.