Tor-Based Clipper Malware Targets Wallet Seed Phrases
Published 2026-06-18 18:32:32. Author: securityaffairs.com


USB .lnk malware steals crypto via clipboard hijacking: it replaces wallet addresses, steals seed phrases, and captures screenshots.

Microsoft Threat Intelligence has been tracking a clipboard-stealing malware (Clipper) campaign since February 2026 that targets cryptocurrency wallets. A clipper is a type of malicious software that monitors and manipulates your clipboard, the temporary memory where data is stored when you copy and paste.

It spreads through malicious shortcut files on USB drives, hides its command server inside the Tor network, and can replace wallet addresses in your clipboard before you paste them. The attacker collects the crypto; you collect the confusion.

What makes it harder to spot is that this clipper doesn’t use a traditional installer or expose any real IP addresses. It ships with its own Tor client, routes traffic through a local proxy on port 9050, and resolves everything to .onion domains inside Tor.

“The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 server. It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution.” reads the report published by Microsoft. “The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure. Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.”

The attack chain starts when someone opens a .lnk shortcut file from a USB drive. The malware then scans the device for document files like .doc, .xlsx, and .pdf, hides the originals, and replaces them with malicious shortcuts carrying the same names. Open what you think is a spreadsheet and you’re running malware. It also sets up scheduled tasks to copy itself onto any new USB drive that gets plugged in.

The malware harvests BIP39 seed phrases and private keys from the clipboard, exfiltrates them via Tor, and sends screenshots so the attacker has context for what was stolen.

“The malware detects 12 or 24-word BIP39 seed phrases in clipboard data. It saves the seed to a local file (GOOD path) as a backup and exfiltrates it to the C2 domain via Tor.” states the report. “It retries network transmission until it is acknowledged and deletes the local backup after successful transmission.”

Beyond seed phrases, it also grabs Ethereum and Bitcoin WIF private keys, and checks the clipboard every 500 milliseconds for wallet addresses across Bitcoin, Ethereum, Tron, and Monero. When it finds one, it swaps it out for an attacker-controlled address that partially resembles the original, so a quick glance won’t catch the swap.
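One defensive use of the same pattern matching the clipper relies on is to flag when the clipboard holds a seed phrase or a private key, and to compare the address an application copied with what is about to be pasted. The following Python is an added example, not code from Microsoft's report or from the malware: the regexes are simplified format checks (they do not validate checksums), the seed-phrase rule is a length heuristic standing in for a full BIP39 wordlist lookup, and every sample value is constructed.

```python
"""Clipboard-content classifier for the data types the clipper hunts for
(BIP39 seeds, private keys, wallet addresses) plus a copy-vs-paste check.
Added example: simplified format regexes, no checksum validation, and the
seed-phrase rule is a length heuristic, not a BIP39 wordlist lookup."""
import re

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"  # Base58 alphabet used by BTC, TRX and XMR addresses

ADDRESS_PATTERNS = {
    # legacy P2PKH/P2SH (1.../3...) or bech32 (bc1...)
    "bitcoin": re.compile(rf"^(?:[13]{BASE58}{{25,34}}|bc1[02-9ac-hj-np-z]{{11,71}})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(rf"^T{BASE58}{{33}}$"),
    "monero": re.compile(rf"^[48]{BASE58}{{94}}$"),  # 95-character standard address
}
SECRET_PATTERNS = {
    "bitcoin_wif": re.compile(rf"^[5KL]{BASE58}{{50,51}}$"),
    "ethereum_private_key": re.compile(r"^(?:0x)?[0-9a-fA-F]{64}$"),
}
BIP39_WORD = re.compile(r"^[a-z]{3,8}$")  # every BIP39 English word is 3..8 lowercase letters


def classify_clipboard(text: str):
    """Return a label for what the clipboard appears to contain, or None."""
    s = text.strip()
    words = s.lower().split()
    if len(words) in (12, 24) and all(BIP39_WORD.match(w) for w in words):
        return "bip39_seed_candidate"  # heuristic: word count and shape, not a wordlist lookup
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.match(s):
            return name
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return f"{name}_address"
    return None


def check_paste(copied: str, current: str, edge: int = 4) -> str:
    """Compare the address an application placed on the clipboard with what is
    there now: 'ok' if unchanged, 'lookalike_swap' if a same-asset address
    replaced it while keeping the first or last `edge` characters (the partial
    resemblance the report describes), 'modified' for any other change."""
    a, b = copied.strip(), current.strip()
    if a == b:
        return "ok"
    kind = classify_clipboard(a)
    same_type_address = (
        kind is not None and kind.endswith("_address") and classify_clipboard(b) == kind
    )
    if same_type_address and (a[:edge] == b[:edge] or a[-edge:] == b[-edge:]):
        return "lookalike_swap"
    return "modified"


# Constructed sample values (not real wallets; checksums are not verified).
COPIED_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
SWAPPED_BTC = "1BvB" + "Q9zT7pK3mH2sN8vR4wY6uJ5eA1" + "NVN2"  # same 4-char prefix and suffix

if __name__ == "__main__":
    for sample in (COPIED_BTC, "0x742d35Cc6634C0532925a3b844Bc454e4438f44e", "abandon " * 11 + "about"):
        print(classify_clipboard(sample))
    print(check_paste(COPIED_BTC, SWAPPED_BTC))
```

The `edge` comparison is deliberately loose: an attacker-controlled address that matches only the first or last few characters is exactly the case a quick visual check misses, so a wallet front-end or a monitoring agent should treat any same-asset replacement between copy and paste as a reason to stop and re-verify the full address.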

The stealer also takes five screenshots every ten seconds and sends them over Tor, giving the attacker a live view of what the victim is doing with their wallet. There’s also a remote code execution channel: the C2 can send an EVAL instruction, the malware downloads JavaScript into a file called “cfile,” and runs it. That turns what looks like a simple crypto thief into something with full backdoor potential.

Microsoft researchers highlight that all the malware components are encrypted and only decrypted at runtime, wrapped in PyArmor-obfuscated Python and packaged with PyInstaller. The JavaScript payloads get two layers of obfuscation on top of that. It also checks for Task Manager before doing anything, and exits if it’s running.

“For defenders, the strongest signals are behavioral: script interpreters spawning suspicious child processes, localhost:9050 proxy usage, screen-capture commands in PowerShell, and signs of clipboard inspection or crypto-address replacement.” Microsoft continues.

Microsoft Defender for Endpoint detects components of this threat and flags it as Trojan:Win32/CryptoBandits.A. If you’re handling any sensitive financial workflows, monitoring wscript.exe and cscript.exe activity and blocking .lnk execution from removable drives via Group Policy are the right places to start.
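To make the behavioural signals above concrete, here is an added Python example (not Microsoft's detection logic and not part of the original article) that encodes them as rules and runs them over a constructed batch of endpoint events. The event schema, the sample command lines, the `cfile` write and the process names are assumptions made for the demonstration; `CopyFromScreen` is the .NET screen-capture call and `Get-Clipboard` the PowerShell clipboard cmdlet.

```python
"""Behavioural rules for the signals the report lists, run over constructed
endpoint telemetry. Added example, not Microsoft's detection logic; the
event schema and the sample command lines are assumptions for the demo."""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}                   # Windows Script Host interpreters
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}
SCREEN_CAPTURE_MARKERS = ("CopyFromScreen", "System.Drawing")   # .NET screen-capture API
CLIPBOARD_MARKERS = ("Get-Clipboard", "Clipboard]::GetText")    # PowerShell/.NET clipboard reads
TOR_SOCKS_PORT = 9050                                           # local SOCKS5 port named in the report

# Constructed sample telemetry (hypothetical schema): process, network and file events.
EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "chrome.exe", "cmdline": "chrome.exe"},
    {"type": "process", "parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": 'wscript.exe //B "E:\\loader.js"'},
    {"type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -NoP -W Hidden -c "Add-Type -AssemblyName System.Drawing; '
                '$g.CopyFromScreen(0,0,0,0,$b.Size)"'},
    {"type": "network", "image": "wscript.exe", "dst": "127.0.0.1", "port": 9050},
    {"type": "network", "image": "svchost.exe", "dst": "8.8.8.8", "port": 53},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"type": "file", "image": "wscript.exe", "name": "cfile", "path": "C:\\Users\\victim\\cfile"},
    {"type": "process", "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell -c Get-Clipboard"},
]


def rule_script_host_child(ev):
    """Script interpreter spawning a suspicious child process."""
    if ev["type"] == "process" and ev["parent"] in SCRIPT_HOSTS and ev["image"] in SUSPICIOUS_CHILDREN:
        return "script_host_spawned_child"
    return None


def rule_powershell_screen_capture(ev):
    """PowerShell command line that reaches for the .NET screen-capture API."""
    if ev["type"] == "process" and ev["image"] == "powershell.exe":
        if any(marker in ev["cmdline"] for marker in SCREEN_CAPTURE_MARKERS):
            return "powershell_screen_capture"
    return None


def rule_clipboard_inspection(ev):
    """Any command line that reads the clipboard from a script."""
    if ev["type"] == "process" and any(m in ev.get("cmdline", "") for m in CLIPBOARD_MARKERS):
        return "clipboard_inspection"
    return None


def rule_local_tor_proxy(ev):
    """Connection to the default Tor SOCKS port on localhost."""
    if ev["type"] == "network" and ev["dst"] in ("127.0.0.1", "::1") and ev["port"] == TOR_SOCKS_PORT:
        return "localhost_tor_socks_proxy"
    return None


def rule_cfile_dropped(ev):
    """Script host writing the 'cfile' payload file the report names."""
    if ev["type"] == "file" and ev["name"].lower() == "cfile" and ev["image"] in SCRIPT_HOSTS:
        return "script_host_wrote_cfile"
    return None


RULES = [rule_script_host_child, rule_powershell_screen_capture,
         rule_clipboard_inspection, rule_local_tor_proxy, rule_cfile_dropped]


def evaluate(events):
    """Return (event_index, rule_name) for every rule that fires, in event order."""
    hits = []
    for index, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((index, name))
    return hits


def distinct_signals(events):
    """Number of different behaviours seen; several together is the strong signal."""
    return len({name for _, name in evaluate(events)})


if __name__ == "__main__":
    for index, name in evaluate(EVENTS):
        print(f"event {index}: {name}")
    print("distinct signals:", distinct_signals(EVENTS))
```

Each rule on its own will produce some noise (administrators do read the clipboard from PowerShell, and a legitimate Tor Browser install also talks to port 9050), which is why `distinct_signals` counts how many different behaviours fire on the same host; a script host that spawns PowerShell, captures the screen, writes a `cfile` and talks to a local SOCKS port is a very different picture from any one of those alone.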

“This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking.” concludes the report. “The combination of Tor-routed C2, clipboard targeting, screenshot capture, and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, clipper)

Article source: https://securityaffairs.com/193860/uncategorized/tor-based-clipper-malware-targets-wallet-seed-phrases.html