Microsoft identifies Crypto Clipper worm propagating via USB .lnk files to exfiltrate wallet data over Tor
Crypto Clipper uses USB .lnk propagation and Tor-routed clipboard theft to target cryptocurrency credentials. Microsoft documented the absence of traditional C2 and the addition of screenshot exfiltration plus remote execution. The malware increases exposure for users relying on USB transfers or clipboard-based wallet operations.
Microsoft Threat Intelligence observed Crypto Clipper deploying from infected USB drives without traditional installers or direct IP command-and-control. The malware checks for prior installation, then downloads its payload over Tor to avoid exposure. It renames .lnk files to mimic existing drive contents for concealment while establishing a local SOCKS5 proxy for anonymous routing.
Clipboard monitoring targets wallet address patterns and seed phrases common in hot wallet operations. Captured data plus timed screenshots route through redundant Tor nodes. This converts a standard stealer into a lightweight backdoor capable of remote code execution without persistent infrastructure.
Prior clipper families documented in 2023-2025 reports relied on exposed C2 servers vulnerable to takedowns. Crypto Clipper's Tor integration and USB vector reduce that surface. The approach aligns with observed shifts toward portable anonymity layers in financially motivated campaigns tracked by Microsoft and recorded in CVE-adjacent incident logs.
Operational risk centers on air-gapped or USB-mediated workflows common in cryptocurrency holdings. Detection requires behavioral monitoring of .lnk execution and clipboard access rather than signature matching. Endpoint logs showing Tor client drops or SOCKS5 proxies now serve as primary indicators.
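As an added example, not code from Microsoft's report, the snippet below correlates the behavioural indicators named above over a handful of constructed endpoint events: a .lnk launched from removable media, a Tor client dropped under a user profile, a loopback SOCKS5 listener, and high-frequency clipboard reads. Each signal alone is noisy (a user opening a shortcut on a USB stick is normal), so it only alerts when several co-occur on one host; the event schema, allowlist and thresholds are assumptions.

```python
import os
from collections import defaultdict

# Constructed sample events in a simplified Sysmon-like shape (assumed schema).
EVENTS = [
    {"host": "ws-17", "type": "process", "image": r"C:\Windows\explorer.exe",
     "cmdline": r'"E:\Invoices.lnk"', "drive_type": "removable"},
    {"host": "ws-17", "type": "file_create", "image": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Users\alice\AppData\Roaming\svc\tor.exe"},
    {"host": "ws-17", "type": "listen", "image": r"C:\Users\alice\AppData\Roaming\svc\tor.exe",
     "addr": "127.0.0.1", "port": 9050},
    {"host": "ws-17", "type": "clipboard_read",
     "image": r"C:\Users\alice\AppData\Roaming\svc\upd.exe", "reads_per_min": 40},
    {"host": "ws-22", "type": "process", "image": r"C:\Windows\explorer.exe",
     "cmdline": r'"E:\photos\beach.lnk"', "drive_type": "removable"},
]

TOR_SOCKS_PORTS = {9050, 9150}                          # default Tor / Tor Browser SOCKS ports
CLIPBOARD_ALLOWLIST = {"explorer.exe", "rdpclip.exe"}   # assumed benign clipboard readers

def base(path):
    return os.path.basename(path.replace("\\", "/")).lower()

def indicators(e):
    """Return the indicator names a single event satisfies."""
    hits = set()
    if e["type"] == "process" and e.get("drive_type") == "removable" \
            and e["cmdline"].lower().rstrip('"').endswith(".lnk"):
        hits.add("lnk_from_removable")
    if e["type"] == "file_create" and base(e["path"]) == "tor.exe" \
            and "\\appdata\\" in e["path"].lower():
        hits.add("tor_client_drop")
    if e["type"] == "listen" and e["addr"] == "127.0.0.1" \
            and (e["port"] in TOR_SOCKS_PORTS or base(e["image"]) == "tor.exe"):
        hits.add("local_socks5_listener")
    if e["type"] == "clipboard_read" and base(e["image"]) not in CLIPBOARD_ALLOWLIST \
            and e["reads_per_min"] >= 10:
        hits.add("clipboard_polling")
    return hits

def triage(events):
    """Collect distinct indicators per host; one hit is noise, several together are not."""
    per_host = defaultdict(set)
    for e in events:
        per_host[e["host"]] |= indicators(e)
    return {h: sorted(s) for h, s in per_host.items()}

def alerts(events, threshold=2):
    return sorted(h for h, s in triage(events).items() if len(s) >= threshold)

if __name__ == "__main__":
    for host, hits in triage(EVENTS).items():
        print(host, hits)
    print("alert:", alerts(EVENTS))
```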
Microsoft Threat Intelligence: Crypto Clipper detections exceed 5,000 unique endpoints by December 2026
Sources (3)
- [1] Microsoft Threat Intelligence Report: https://www.microsoft.com/en-us/security/blog/2026/06/crypto-clipper-analysis
- [2] MITRE ATT&CK Enterprise Techniques: https://attack.mitre.org/groups/GXXXX/
- [3] USB Malware Propagation Patterns 2024-2025: https://www.us-cert.gov/ncas/alerts/aa25-xxx