
New Microsoft warning: clipper malware spreads via USB, hijacks clipboard addresses, uploads screenshots, and can execute remote commands over Tor.
Microsoft warned that a Windows-based crypto clipper campaign has been running since February 2026. The malware no longer just swaps wallet addresses. It spreads through USB drives, uses Tor for communication, and can turn infected machines into remote-controlled backdoors.
The attack starts with a malicious .lnk file, often delivered via USB storage. That file launches a worm that copies itself to removable drives and creates more shortcuts. Scheduled tasks keep the malware alive after a restart. Microsoft said the threat uses script-based tools rather than large installers, which makes file-based detection harder.
Once inside, the clipper checks the clipboard every 500 milliseconds. It looks for wallet addresses and seed phrases. Private keys are also scooped up. If it finds a wallet address, it replaces it with one controlled by the attacker. Seed phrases and private keys get exfiltrated through a Tor proxy.
The malware does more than swap addresses. It can upload screenshots and contact a hidden command server. It can also run attacker-supplied code through an EVAL command. That capability shifts the threat from a simple clipper to a backdoor. An attacker who gains a foothold can steal additional data, deploy ransomware, or pivot to other systems.
Microsoft advised defenders to hunt for correlated behaviors rather than isolated events. Specific signals include script engines launching curl, cmd.exe, or PowerShell, especially when paired with traffic to localhost:9050, the Tor SOCKS5 proxy port.
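As an added illustration of the correlation Microsoft describes (example code, not from Microsoft or this article), the following Python joins the two signals on constructed sample telemetry: a script engine spawning curl/cmd/PowerShell, and a connection to localhost:9050 on the same host within a short window. The script-engine list, the event field names, and the five-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Assumed list of Windows script hosts; the advisory says "script engines" without naming them.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Child processes the article calls out: curl, cmd.exe, PowerShell.
SPAWNED_TOOLS = {"curl.exe", "cmd.exe", "powershell.exe"}
TOR_SOCKS = ("127.0.0.1", 9050)   # Tor SOCKS5 proxy on localhost
WINDOW = timedelta(minutes=5)     # assumed correlation window

# Constructed sample telemetry (not real logs); field names are assumed.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T10:00:01", "host": "PC-01", "kind": "process",
     "parent": "wscript.exe", "image": "curl.exe"},
    {"ts": "2026-03-02T10:00:04", "host": "PC-01", "kind": "network",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
    # Proxy traffic with a cmd.exe spawned by explorer.exe: a plain Tor user, no alert
    {"ts": "2026-03-02T11:30:00", "host": "PC-02", "kind": "process",
     "parent": "explorer.exe", "image": "cmd.exe"},
    {"ts": "2026-03-02T11:30:02", "host": "PC-02", "kind": "network",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
    # Script-engine spawn, but the proxy traffic comes 75 minutes later: outside the window
    {"ts": "2026-03-02T12:00:00", "host": "PC-03", "kind": "process",
     "parent": "cscript.exe", "image": "cmd.exe"},
    {"ts": "2026-03-02T13:15:00", "host": "PC-03", "kind": "network",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
]

def _is_script_spawn(e):
    return (e["kind"] == "process" and e["parent"].lower() in SCRIPT_ENGINES
            and e["image"].lower() in SPAWNED_TOOLS)

def _is_tor_socks(e):
    return e["kind"] == "network" and (e["dst_ip"], e["dst_port"]) == TOR_SOCKS

def correlate(events, window=WINDOW):
    """Return one alert per script-engine spawn that has Tor SOCKS traffic
    from the same host within `window`; either signal alone is not enough."""
    alerts = []
    spawns = [e for e in events if _is_script_spawn(e)]
    socks = [e for e in events if _is_tor_socks(e)]
    for s in spawns:
        t_s = datetime.fromisoformat(s["ts"])
        for n in socks:
            if n["host"] == s["host"] and abs(datetime.fromisoformat(n["ts"]) - t_s) <= window:
                alerts.append({"host": s["host"], "parent": s["parent"], "image": s["image"],
                               "spawn_ts": s["ts"], "socks_ts": n["ts"]})
                break  # one alert per spawn is enough to triage
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only PC-01 fires; widening the window would also surface PC-03, which is the trade-off between coverage and noise that a real deployment has to tune.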
Earlier this year, Microsoft warned about StilachiRAT, a similar threat that scanned browser wallets. Crypto.news also covered SparkCat, which used image scanning to find seed phrases in screenshots. The new campaign shows clipper malware growing more layered, combining spread, persistence, and remote control.
Microsoft stock (MSFT) fell 3.79% to $378.91 on the day of the warning, with an Alpha Score of 52 (Mixed). The broader tech selloff likely drove the move, not the security news itself.
For crypto users, clipboard verification alone does not stop this threat. Windows endpoints need updated signatures and behavior monitoring. Caution with USB devices is also critical. The campaign has been active since February 2026 and remains ongoing, Microsoft said.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.