Microsoft has just announced the discovery of a new attack campaign targeting Windows users with cryptocurrency clipper malware that has been active since February 2026. According to the Microsoft Threat Intelligence and Microsoft Defender Experts teams, this is one of the most sophisticated clipper variants recorded recently: it not only swaps crypto wallet addresses but can also collect seed phrases and private keys, take screenshots, and execute code on the attacker's command.
Unlike many traditional malware campaigns that use publicly reachable command-and-control (C2) servers or easily detected installers, this malware routes its entire command-and-control traffic through the Tor network, which makes tracing the attack infrastructure significantly harder for analysts.
According to Microsoft's analysis, the campaign begins with malicious shortcut files (".lnk" extension). When a user opens one, the device is infected with two separate components. The first behaves like a worm, copying itself and spreading across the system. The second is a clipper and stealer responsible for harvesting cryptocurrency-related data.
Once it has a foothold, the worm scans legitimate files on the computer and creates fake shortcuts to keep spreading. At the same time it drops additional payloads and tries to add them to Microsoft Defender's scan exclusions so they survive longer. It also creates scheduled tasks so the malware restarts automatically after every reboot or login.
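Because the lure is a shortcut file, the first triage step a responder wants is to pull the launch target and arguments out of suspicious .lnk files without double-clicking them. The script below is an added example, not Microsoft's code and not taken from the malware: it parses the Shell Link header and StringData fields defined in the MS-SHLLINK specification and flags shortcuts that launch a script host, hide their window, or carry a document-style double extension. The two sample shortcuts, the paths inside them, and the heuristic thresholds are constructed for this example.

```python
"""Triage .lnk shortcut files for the lure pattern described above.

Added example, not Microsoft's code and not taken from the malware. It parses the
Shell Link header and StringData fields laid out in MS-SHLLINK and flags shortcuts
that launch a script host, hide their window, or mimic a document name. The sample
shortcuts are constructed in memory so the script runs offline.
"""
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}, LE
# LinkFlags bits (MS-SHLLINK 2.1.1), lowest byte only
HAS_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand: start minimised, used by lures to hide the window

# Heuristics (assumed thresholds for this example, tune to your environment).
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh|cmd)(\.exe)?\b", re.I)
SCRIPT_FILES = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta|ps1|bat)\b", re.I)
DOC_DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.lnk$", re.I)


def build_lnk(relative_path, arguments, show_command=1):
    """Constructed test data: a minimal .lnk carrying only RelativePath and Arguments."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # ShellLinkHeader: size, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3 (76 bytes)
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, arguments):  # StringData: CountCharacters + UTF-16LE text
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


def parse_lnk(data):
    """Return the StringData fields and ShowCommand of a Shell Link file."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = HEADER_SIZE
    if flags & HAS_TARGET_IDLIST:  # IDListSize (u16) + IDList; skipped here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"show_command": show_command}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage(fields, filename=""):
    """Heuristic reasons a shortcut deserves a closer look; empty list means nothing odd."""
    reasons = []
    target = fields.get("relative_path", "")
    args = fields.get("arguments", "")
    if SCRIPT_HOSTS.search(target):
        reasons.append("target is a script host or shell")
    if SCRIPT_HOSTS.search(args):
        reasons.append("arguments invoke a script host or shell")
    if SCRIPT_FILES.search(target + " " + args):
        reasons.append("references a script file")
    if len(args) > 200:
        reasons.append("unusually long arguments")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimised on launch")
    if DOC_DOUBLE_EXT.search(filename):
        reasons.append("document-style double extension")
    return reasons


# Constructed samples: a normal application shortcut and a lure that runs JScript
# through wscript.exe with a minimised window. All paths are made up for this example.
BENIGN = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "")
LURE = build_lnk(r"..\..\Windows\System32\wscript.exe",
                 r'//e:jscript //b "%APPDATA%\Invoice.pdf.js"',
                 show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for name, blob in (("notepad.lnk", BENIGN), ("Invoice.pdf.lnk", LURE)):
        print(name, triage(parse_lnk(blob), name) or "no findings")
```

On a real sample the launch target usually sits in the LinkTargetIDList rather than RelativePath, so a production triage tool should also walk the IDList; the StringData fields parsed here are still where the command-line arguments live, which is where script-host lures put their payload.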
The most notable aspect is how the clipper is built. Instead of a conventional compiled executable, it is written primarily for Windows Script Host and uses ActiveXObject to interact with the operating system. Relying on components already present in Windows makes its activity look less anomalous and lets it slip past several basic security controls.
Before it starts, the malware checks the environment for analysis tools. If Task Manager is running, it stops to avoid being observed by researchers. If nothing suspicious is found, it launches a rebranded copy of Tor named "ugate.exe" in the background.
After waiting about a minute for Tor to connect to the anonymity network, the malware generates a unique identifier for the victim and registers the infected device with a command-and-control server hosted as a Tor hidden service. From that point on, the victim's computer is a node under the attacker's remote control.
Microsoft stated that the malware polls the clipboard roughly twice per second. Everything copied to the clipboard is inspected; specifically, the malware looks for strings that resemble seed phrases, private keys, or cryptocurrency wallet addresses.
When the clipper sees that the user has copied a wallet address to make a transaction, it silently replaces it with an address controlled by the attacker. This technique has cost the cryptocurrency community tens of millions of dollars over the years: if the user does not carefully verify the receiving address before confirming, the whole amount goes straight to the attacker's wallet.
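The two paragraphs above describe the clipper's core loop: decide what kind of secret is on the clipboard, then substitute a same-kind address. The script below is an added example covering both steps from the defender's side; it is not the malware's code and not Microsoft's detection logic. It classifies clipboard text with format-only checks (Bitcoin base58 and bech32 addresses, Ethereum addresses, hex and WIF private keys, BIP39-shaped word lists), shows how a wallet or a clipboard monitor can tell a swapped paste from the intended address, and illustrates why glancing at only the first and last few characters is not enough. No checksums are validated and the BIP39 word list is not embedded, so "seed_phrase" is a heuristic; the two Bitcoin addresses are constructed look-alikes with no valid checksum, the WIF key is the example from the Bitcoin wiki, the bech32 address is the BIP173 example, and the 12 words are the standard BIP39 test-vector mnemonic.

```python
"""Classify clipboard text the way a clipper must before it can act, and check a
pasted address against the intended one.

Added example, not the malware's code and not Microsoft's detection logic. Format-only
checks: no checksums are validated and the BIP39 word list is not embedded, so
"seed_phrase" means "12-24 short lowercase words". Sample strings are constructed or
taken from public documentation test vectors.
"""
import re

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
BECH32 = r"[qpzry9x8gf2tvdw0s3jn54khce6mua7l]"  # bech32 alphabet, lowercase form only

# First matching pattern wins; the length constraints keep the shapes disjoint.
PATTERNS = [
    ("eth_address", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("hex_private_key", re.compile(r"(?:0x)?[0-9a-fA-F]{64}")),
    ("wif_private_key", re.compile(rf"5{BASE58}{{50}}|[KL]{BASE58}{{51}}")),
    ("btc_address", re.compile(rf"[13]{BASE58}{{25,34}}|bc1{BECH32}{{39,59}}")),
]
SEED_WORD_COUNTS = {12, 15, 18, 21, 24}
SEED_WORD = re.compile(r"[a-z]{3,8}")  # BIP39 words are 3-8 lowercase letters


def classify(text):
    """Return the kind of secret or address the text looks like, or None."""
    s = text.strip()
    for kind, rx in PATTERNS:
        if rx.fullmatch(s):
            return kind
    words = s.split()
    if len(words) in SEED_WORD_COUNTS and all(SEED_WORD.fullmatch(w) for w in words):
        return "seed_phrase"
    return None


def swap_detected(intended, pasted):
    """True when what got pasted is a same-kind address or key that differs from
    what the user copied: the footprint a clipboard swap leaves behind."""
    kind = classify(intended)
    return kind is not None and classify(pasted) == kind and intended.strip() != pasted.strip()


def looks_alike(a, b, n=4):
    """True when two different strings share their first and last n characters,
    so a glance at the ends alone would not reveal the substitution."""
    return a != b and a[:n] == b[:n] and a[-n:] == b[-n:]


# Constructed demo data. INTENDED/LOOKALIKE are P2PKH-shaped with no valid checksum;
# they share the first and last four characters on purpose.
INTENDED = "1Kx9mQ2vRbT7cEfH3jN8sWdYpLzA5uGq4Vn"
LOOKALIKE = "1Kx9hD6yPfW2kBcM4tR7vZjE8aNsU3Lq4Vn"
SAMPLES = {
    "0xa1b2c3d4e5f60718293a4b5c6d7e8f9012345678": "eth_address",       # constructed
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "hex_private_key",  # SHA-256("")
    "5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ": "wif_private_key",  # Bitcoin wiki example
    "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq": "btc_address",         # BIP173 example
    "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about": "seed_phrase",
    "meeting moved to 3pm": None,
}

if __name__ == "__main__":
    for text in SAMPLES:
        print(f"{classify(text)!s:16} {text[:44]}")
    print("swap detected:", swap_detected(INTENDED, LOOKALIKE),
          "| ends match:", looks_alike(INTENDED, LOOKALIKE))
```

A defensive clipboard watcher can run classify() on every clipboard change and warn the user the moment a seed phrase or private key lands on the clipboard, which is the event the clipper is waiting for; a wallet front end can call swap_detected() against the address the user actually selected. The looks_alike() check is the reason the advice to "verify the address" means the whole string, not just its ends.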
Beyond stealing wallet data, the malware can also periodically take screenshots and send the images to the command-and-control server over Tor. This lets the attackers collect additional login credentials, transaction details, or other sensitive data displayed on the victim's screen.
More seriously, Microsoft found that the malware supports remote code execution: if the command-and-control server sends a specific command, the malware downloads and runs new code on the infected device. The attack is therefore not limited to stealing cryptocurrency; it can also stage other malware such as ransomware, banking Trojans, or spyware.
Security experts see this as a notable shift in attacks on crypto users. Rather than focusing solely on swapping wallet addresses like traditional clippers, newer campaigns combine several techniques to turn victims' computers into full backdoors.
In 2025 and the first half of 2026, attacks involving seed phrases, cryptocurrency wallets, and malware increased sharply worldwide. Numerous security reports note that attackers increasingly rely on legitimate tooling built into Windows, such as PowerShell, together with anonymity networks like Tor to hide their activity. That trend makes traditional signature-based detection less effective and pushes organizations toward behavioral monitoring.
Microsoft stated that Microsoft Defender for Endpoint can identify many components of this campaign through alerts for suspicious JavaScript processes, data exfiltration using curl, and other anomalous behavior. Microsoft Defender Antivirus detects this variant as Trojan:Win32/CryptoBandits.A.
Experts recommend that cryptocurrency users verify the full wallet address before sending funds, avoid opening shortcut files from unknown sources, keep their operating systems updated, and use security products that monitor behavior rather than relying on signature scanning alone. For anyone holding large amounts of digital assets, a hardware wallet and manual verification of the receiving address before every transaction, on the wallet's own display rather than on a screen the malware can already read and tamper with, remain among the most effective defenses against increasingly sophisticated clipper attacks.