{
  "name": "Crypto Clipper uses Tor and worm-like propagation for persistence and control",
  "slug": "crypto-clipper-uses-tor-and-worm-like-propagation-for-persistence-and-control",
  "description": "A Windows-based cryptocurrency clipper has been actively targeting users since February 2026, employing sophisticated techniques to steal digital assets. The malware propagates through malicious shortcut files on USB devices, creating a worm-like infection chain. Once deployed, it uses Windows Script Host and ActiveX to launch a bundled Tor proxy client, enabling anonymous communication with hidden-service command-and-control servers. The clipper performs high-frequency clipboard monitoring to intercept cryptocurrency wallet addresses, seed phrases, and private keys, replacing them with attacker-controlled alternatives. Additionally, it captures screenshots for context and maintains persistent access through scheduled tasks. The threat demonstrates advanced capabilities including remote code execution, making it more than a simple stealer by functioning as a lightweight backdoor. The malware employs multiple defense evasion techniques including multi-layer obfuscation, anti-analysis checks, and local S... [description truncated in the source record]",
  "published": "2026-06-18T03:14:19.500000+00:00",
  "created_at": "2026-06-18T14:33:30.583000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-06-18T14:33:30.583000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "clipboard hijacking",
    "contebrew",
    "cryptobandits",
    "cryptocurrency clipper",
    "remote code execution",
    "screenshot exfiltration",
    "seed phrase stealing",
    "tor proxy",
    "usb worm",
    "wallet theft"
  ],
  "tags": [],
  "related_entities": {
    "indicators": [
      {
        "id": "fa258ce4-7461-4ba1-bc37-862ba1aaf38f",
        "name": "cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion"
      },
      {
        "id": "44bdb773-5540-4240-8562-4c78ba4bf0c2",
        "name": "23c1e673f315dafa14b73034a90dd3d393a984451ff6601b8be8142be6487b43"
      },
      {
        "id": "1c779f40-2d27-4db2-9ff7-2696ace1288f",
        "name": "ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion"
      },
      {
        "id": "54b52de0-5019-45b1-b690-b0006e20d1c0",
        "name": "he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion"
      },
      {
        "id": "fd016e87-0caa-4326-b3df-49b8cec0d7e4",
        "name": "f3b54984caca95fd496bcfe5d7db1611b08d2f5b7d250b43b430e5d76393f9e0"
      },
      {
        "id": "c7812f73-3ff0-4ecd-9e88-3d575802c35d",
        "name": "d14b80cbd1a19d4ad0473a0661297f8fdf598e81ff6c4ab24e212dcad2e54b3f"
      },
      {
        "id": "b5408c84-5742-44d4-9faf-4b6c4e0c3c7e",
        "name": "c824630154ac4fdfce94ded01f037c305eab51e9bef3f493c60ff3184a640502"
      },
      {
        "id": "028c8d97-008b-4d7a-aed0-fb22112b0242",
        "name": "100407796028bf3649752d9d2a67a0e4394d752eb8de86daa42920e814f3fae8"
      },
      {
        "id": "adec6cbc-046a-4ea8-b8b8-66b76c9b73df",
        "name": "d43bf94f0cb0ab97c88113b7e07d1a4024d1610617b5ad05882b1dbab89e15ba"
      },
      {
        "id": "db749f5c-fbbb-4938-b6eb-9e4d067a320c",
        "name": "gfoqsewps57xcyxoedle2gd53o6jne6y5nq5eh25muksqwzutzq7b3ad.onion"
      },
      {
        "id": "458cd371-d391-4254-9c2e-8e34f08ed9f8",
        "name": "9d90f54ae36c6c5435d5b8bed40faf54cc91f6db28574a6310b5ffaeb0362e96"
      },
      {
        "id": "23708372-c76f-401d-8494-187fd7d5be17",
        "name": "facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion"
      },
      {
        "id": "5ae59c68-c7fd-4ad0-bb4c-c1c3ddc4b8b6",
        "name": "b2777b73a4c33ac6a409d475057843be6b5d32262ef28a1f1ff5bb52e3834c5f"
      },
      {
        "id": "9c48b7c1-819f-4734-a08f-5309b831b500",
        "name": "20db98af3037b197c8a846dbf17b87fc6f049c3e0d9a188f9b9a74d3916dd5e1"
      },
      {
        "id": "6cdc1dd9-57f6-497c-a164-afbec41c8fe4",
        "name": "cf9fc891ea5ca5ecd8113ef3e69f6f52ff538b6cccbdaa9559106fc72bc6da30"
      },
      {
        "id": "b8f53622-90ed-4918-b9bb-d845e93e7642",
        "name": "7goms4byw26kkbaanz5a5u5234gusot7rp5imzc3ozh66wwcvmcudjid.onion"
      },
      {
        "id": "f19569ba-da14-4fd8-a3c9-ae4eb3220cf9",
        "name": "wt26llpl5k6gok3vnaxmucwgzv2wk3l7nuibbh25clghrtus3p5ctsid.onion"
      },
      {
        "id": "dd0a5afd-829f-47d6-9f3d-3b1aad604112",
        "name": "shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion"
      },
      {
        "id": "5a852525-2a71-451e-b807-34ed6eaa70cd",
        "name": "7630debd35cac6b7d58c4427695579b3e3a8b1cc462f523234cd6c698882a68c"
      },
      {
        "id": "a4b44a12-ef40-48aa-a0d1-016affa7f833",
        "name": "j3bv7g27oramhbxxuv6gl3dcyfmf44qnvju3offdyrap7hurfprq74qd.onion"
      },
      {
        "id": "2a188793-8eda-4fa5-bdfe-6d94d5f52652",
        "name": "0020d23b0f9c5e6851a7f737af73fd143175ee47054931166369edd93338538a"
      },
      {
        "id": "9e0ebb8d-86db-48a6-b477-295ada6f99ee",
        "name": "a7abf1d9d6686af1cefcd60b17a312e7eb8cfe267def1ec34aeab6128c811630"
      },
      {
        "id": "e9cadf97-99b6-418b-944b-34a6b5a0d7eb",
        "name": "lyhizqy2js2eh6ufngkbzntouiikdek5zsdj3qwa22b4z6knpqorgiad.onion"
      },
      {
        "id": "4f2f7dab-acca-446a-852d-3e5178f767d9",
        "name": "7787a9a7d8ae393aa32f257d083903c4dc9b97a1e5b0458c4cd480d4f3cb5b05"
      },
      {
        "id": "19b591f0-57d8-42ea-ab54-2e1d7db8aa07",
        "name": "35a6bc44b176a050fd6824904b7604f0f45b0fdfa26bf9500b9e05973b387cfd"
      },
      {
        "id": "7c2fa743-4af0-4684-8f87-d70e45433b19",
        "name": "67fc5cf395e28294bbb91ed0e954fdf2e80ebd9119022a115a42c286dc8bacf5"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "99a1fb98-1a01-485b-b90a-a9f362f41a84",
        "name": "T1091"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "8cbc2f51-59d4-4d90-aeb6-78147b810cec",
        "name": "T1048.002"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "f4a450ef-8297-42e5-9e47-01162138baa2",
        "name": "T1115"
      }
    ],
    "malware": [
      {
        "id": "c113d8f4-7e99-4463-9f79-8925005fae1d",
        "name": "CryptoBandits",
        "slug": "cryptobandits"
      },
      {
        "id": "ae9ba534-abd3-4c1a-806c-31e0ffe316a2",
        "name": "Contebrew"
      }
    ],
    "observables": [
      {
        "id": "65eca294-0ed8-4123-8506-cfeafed7a7f6",
        "name": "shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion"
      },
      {
        "id": "0e46f7ba-0437-48b5-af2e-b3a55cd74400",
        "name": "facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion"
      },
      {
        "id": "ba47978c-92ec-4728-8392-f636e0c388d6",
        "name": "lyhizqy2js2eh6ufngkbzntouiikdek5zsdj3qwa22b4z6knpqorgiad.onion"
      },
      {
        "id": "7bf169f4-0e25-41fd-af3a-012c028896e5",
        "name": "cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion"
      },
      {
        "id": "515bc9f7-cf1a-4258-80bc-73ea1cb88cbf",
        "name": "j3bv7g27oramhbxxuv6gl3dcyfmf44qnvju3offdyrap7hurfprq74qd.onion"
      },
      {
        "id": "04f04086-f9d3-436a-8700-3e71699e4718",
        "name": "7goms4byw26kkbaanz5a5u5234gusot7rp5imzc3ozh66wwcvmcudjid.onion"
      },
      {
        "id": "ec6a8af1-e7f8-488d-a7e6-88f3ee0bf07f",
        "name": "gfoqsewps57xcyxoedle2gd53o6jne6y5nq5eh25muksqwzutzq7b3ad.onion"
      },
      {
        "id": "eb5c291d-dfd2-4cc3-841b-f3b34cef425c",
        "name": "ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion"
      },
      {
        "id": "9d719f20-be64-4b68-840c-5d40040e7133",
        "name": "he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion"
      },
      {
        "id": "37200162-6878-4d1f-8360-53f8d700ce51",
        "name": "wt26llpl5k6gok3vnaxmucwgzv2wk3l7nuibbh25clghrtus3p5ctsid.onion"
      }
    ]
  },
  "external_refs": [
    {
      "id": "13b8b7c7-dfc2-4705-857e-b98d17d7538a",
      "standard_id": "external-reference--aed688cb-f126-5071-8324-7c14ceda28d8",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a33628ba6068a0dfc61732a",
      "hash": null,
      "external_id": "6a33628ba6068a0dfc61732a",
      "created": "2026-06-18T14:33:30.263Z",
      "modified": "2026-06-18T14:33:30.263Z",
      "createdById": null
    },
    {
      "id": "b723d214-4a61-4013-89e8-26ce83f3b601",
      "standard_id": "external-reference--f083073d-e29d-5bd5-8475-aaff58af3253",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/",
      "hash": null,
      "external_id": null,
      "created": "2026-06-18T14:33:30.516Z",
      "modified": "2026-06-18T14:33:30.516Z",
      "createdById": null
    }
  ]
}