CryptoBandits Bundles Portable Tor Client for 500ms-Polled C2 in Windows Clipper Campaign

Infection begins with malicious .lnk files that drop a worm component for USB propagation and a script-based clipper. The clipper uses WScript and ActiveXObject calls to launch the Tor client, check for Task Manager as an anti-analysis measure, and register the victim with a hidden-service endpoint. Persistence is implemented via scheduled tasks; all payloads decrypt at runtime with multi-layer obfuscation on both the Python installer and JavaScript modules. Microsoft telemetry shows continuous 500-millisecond polling loops after initial registration, enabling remote code execution and screenshot exfiltration. The architecture deliberately routes DNS resolution through the local Tor instance to minimize external visibility of C2 domains. This matches patterns seen in prior script-delivered stealers that pair lightweight execution with anonymized channels. The campaign underscores an operational shift toward persistent backdoor functionality inside commodity clippers rather than one-shot theft. Official reporting correctly flags the Tor abuse and behavioral indicators yet understates the modular tasking potential once the hidden service is reached. Independent analysis of similar families shows rapid reuse of the same Tor-bundling technique across criminal and suspected state-adjacent tooling. Defenders should prioritize behavioral detection of local SOCKS proxy creation correlated with WScript activity and clipboard modification. Expect the same distribution vector and Tor component to appear in follow-on campaigns targeting additional wallet software within six months.