Crypto Clipper uses Tor and worm-like propagation for persistence and control
Essential information
- Published: 18/06/2026 05:14
- Modified: —
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: clipboard hijacking, contebrew, cryptobandits, cryptocurrency clipper, remote code execution, screenshot exfiltration, seed phrase stealing, tor proxy, usb worm, wallet theft
- Related entities: 26 indicators, 10 observables, 9 techniques (MITRE), 2 malware
Description
A Windows-based cryptocurrency clipper has been actively targeting users since February 2026, employing sophisticated techniques to steal digital assets. The malware propagates through malicious shortcut files on USB devices, creating a worm-like infection chain. Once deployed, it utilizes Windows Script Host and ActiveX to launch a bundled Tor proxy client, enabling anonymous communication with hidden-service command and control servers. The clipper performs high-frequency clipboard monitoring to intercept cryptocurrency wallet addresses, seed phrases, and private keys, replacing them with attacker-controlled alternatives. Additionally, it captures screenshots for context and maintains persistent access through scheduled tasks. The threat demonstrates advanced capabilities including remote code execution, making it more than a simple stealer by functioning as a lightweight backdoor. The malware employs multiple defense evasion techniques including multi-layer obfuscation, anti-analysis checks, and local S...