Crypto Clipper uses Tor and worm-like propagation for persistence and control
A Windows-based cryptocurrency clipper has been actively targeting users since February 2026, employing sophisticated techniques to steal digital assets. The malware propagates through malicious shortcut files on USB devices, creating a worm-like infection chain. Once deployed, it utilizes Windows Script Host and ActiveX to launch a bundled Tor proxy client, enabling anonymous communication with hidden-service command and control servers. The clipper performs high-frequency clipboard monitoring to intercept cryptocurrency wallet addresses, seed phrases, and private keys, replacing them with attacker-controlled alternatives. Additionally, it captures screenshots for context and maintains persistent access through scheduled tasks. The threat demonstrates advanced capabilities including remote code execution, making it more than a simple stealer by functioning as a lightweight backdoor. The malware employs multiple defense evasion techniques including multi-layer obfuscation, anti-analysis checks, and local S...
AI Analysis
Technical Summary
Crypto Clipper is a sophisticated Windows malware that spreads through USB devices using malicious shortcut files, enabling worm-like propagation. It leverages Windows Script Host and ActiveX to deploy a Tor proxy client, facilitating anonymous communication with hidden-service C2 servers. The malware performs continuous clipboard monitoring to hijack cryptocurrency wallet information such as addresses, seed phrases, and private keys, substituting them with attacker-controlled data to steal digital assets. It also captures screenshots to provide context for the attackers and maintains persistence via scheduled tasks. Beyond simple stealing, it functions as a lightweight backdoor with remote code execution capabilities. The malware incorporates advanced evasion techniques including multi-layer obfuscation and anti-analysis measures. The activity is malware delivery rather than exploitation of a software vulnerability, so no CVE or exploit is associated with it; the campaign itself has been active in the wild since February 2026.
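The infection vector is a shortcut file on removable media whose target is a script host. The following is an added example, not code from the page or from the malware: it builds a constructed .lnk in memory, reads it with a minimal parser for the Shell Link binary format (MS-SHLLINK), and flags shortcuts that launch wscript/cscript or similar engines. The lure contents (relative path to wscript.exe, a minimized window, a borrowed shell32.dll icon) are assumptions about what such a lure looks like; only the use of Windows Script Host is stated by the advisory. The reader skips the LinkTargetIDList by size, so a shortcut that carries its target only in the IDList would need a fuller parser.

```python
import re
import struct

# Shell Link (.lnk) constants from MS-SHLLINK; the lure contents below are
# assumptions for the example, not indicators from the advisory.
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HAS_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 1 << 0, 1 << 1, 1 << 2
HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7
SW_SHOWMINNOACTIVE = 7  # launch minimized: keeps the script console out of sight
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SCRIPT_HOSTS = re.compile(
    r"\b(wscript|cscript|mshta|powershell|pwsh|cmd|rundll32|regsvr32)(\.exe)?\b", re.I)


def _string_data(s: str) -> bytes:
    """StringData entry: UTF-16LE character count followed by the characters."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path, arguments, working_dir, icon_location,
              show_cmd=SW_SHOWMINNOACTIVE) -> bytes:
    """Constructed shortcut for the example; real lures usually also carry an IDList."""
    flags = (HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS
             | HAS_ICON_LOCATION | IS_UNICODE)
    # 76-byte ShellLinkHeader: size, CLSID, flags, attributes, 3 timestamps,
    # file size, icon index, ShowCommand, hotkey, reserved fields.
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    body = (_string_data(relative_path) + _string_data(working_dir)
            + _string_data(arguments) + _string_data(icon_location))
    return header + body + b"\x00\x00\x00\x00"  # TERMINAL_BLOCK


def parse_lnk(blob: bytes) -> dict:
    """Read the header and StringData; skips IDList and LinkInfo by size."""
    if len(blob) < 0x4C or blob[:4] != b"\x4c\x00\x00\x00" or blob[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", blob, 20)
    show_cmd, = struct.unpack_from("<I", blob, 60)
    off = 0x4C
    if flags & HAS_TARGET_IDLIST:
        size, = struct.unpack_from("<H", blob, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:
        size, = struct.unpack_from("<I", blob, off)
        off += size
    info = {"show_command": show_cmd}
    for bit, key in STRING_FIELDS:  # fixed order defined by the format
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", blob, off)
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = blob[off:off + count * width]
        off += count * width
        info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return info


def triage_lnk(blob: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    info = parse_lnk(blob)
    findings = []
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).strip()
    if SCRIPT_HOSTS.search(target):
        findings.append("target invokes a script host or LOLBin: " + target)
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("launches minimized (hides the script console)")
    icon = info.get("icon_location", "").lower()
    if findings and icon.endswith(("shell32.dll", "explorer.exe")):
        findings.append("borrows a system icon to look like a folder or drive: " + icon)
    return findings


# Constructed samples: a USB lure that runs a WSH script, and a benign shortcut.
SAMPLE_LURE = build_lnk(r"..\..\Windows\System32\wscript.exe",
                        r'//b //e:vbscript "\_\start.txt"',
                        "", r"%SystemRoot%\System32\shell32.dll")
SAMPLE_BENIGN = build_lnk(r"..\Documents\report.docx", "", "", "", show_cmd=1)

if __name__ == "__main__":
    for name, blob in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, triage_lnk(blob) or "clean")
```

To sweep a mounted USB stick, walk the volume for `*.lnk` files and feed each one to `triage_lnk`; a shortcut that points at a script engine while wearing a folder icon is exactly the shape of lure the advisory describes.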
Potential Impact
The malware enables theft of cryptocurrency by intercepting wallet addresses, seed phrases, and private keys on the clipboard and replacing them with attacker-controlled values: a swapped address diverts a single payment, while a captured seed phrase or private key exposes every fund the wallet controls. It also compromises user privacy through screenshots and keeps persistent access via scheduled tasks, with remote code execution allowing follow-on activity. Worm-like propagation through USB devices lets it reach machines that share removable media, including systems that are not network-connected. The use of Tor for command and control complicates detection and attribution, since the C2 endpoints are never resolved through DNS.
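What a clipper actually does on each clipboard poll, and the check that defeats the address swap, as an added example that is not the page's or the malware's code. The address and secret patterns are my own loose approximations of the Bitcoin Base58/Bech32, Ethereum, WIF, raw hex key and BIP39 shapes (a clipper only needs to recognise a likely target, not validate it); the attacker wallets and the clipboard history are constructed placeholders, not indicators from the advisory.

```python
import re

# Constructed approximations of the value shapes the advisory says the clipper
# targets; deliberately loose, as a clipper only needs a plausible match.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
SECRET_PATTERNS = {
    "btc_wif": re.compile(r"^[5KL][1-9A-HJ-NP-Za-km-z]{50,51}$"),
    "hex_key": re.compile(r"^(0x)?[0-9a-fA-F]{64}$"),
    "bip39": re.compile(r"^(?:[a-z]{3,8} ){11}[a-z]{3,8}$|^(?:[a-z]{3,8} ){23}[a-z]{3,8}$"),
}

# Constructed attacker wallets, one per address format (placeholders only).
ATTACKER_WALLETS = {
    "btc_legacy": "1" + "A" * 33,
    "btc_bech32": "bc1q" + "z" * 38,
    "eth": "0x" + "ab" * 20,
}


def classify(text):
    """Return ('address'|'secret', format) for clipper-relevant text, else None."""
    t = text.strip()
    for name, rx in ADDRESS_PATTERNS.items():
        if rx.match(t):
            return ("address", name)
    for name, rx in SECRET_PATTERNS.items():
        if rx.match(t):
            return ("secret", name)
    return None


def clipper_step(clipboard_text, attacker_wallets, exfil_log):
    """One clipboard poll as a clipper performs it: record anything wallet-related
    and swap an address for the attacker's address of the same format, so the
    victim's paste still looks like a valid address of the kind they expected."""
    kind = classify(clipboard_text)
    if kind is None:
        return clipboard_text
    category, fmt = kind
    exfil_log.append((category, fmt, clipboard_text.strip()))
    if category == "address" and fmt in attacker_wallets:
        return attacker_wallets[fmt]
    return clipboard_text


def paste_guard(copied, pasted):
    """Defensive check at paste time: 'ok', 'swapped' (same format, different
    value: the clipper signature) or 'changed' (something else altered it)."""
    if copied.strip() == pasted.strip():
        return "ok"
    if classify(copied) is not None and classify(copied) == classify(pasted):
        return "swapped"
    return "changed"


# Constructed clipboard history: what the user copied, in order.
USER_COPIES = [
    "meeting at 10",
    "1" + "BvB" * 11,                       # constructed, legacy-address shape
    "0x" + "7f" * 20,                       # constructed, Ethereum-address shape
    ("abandon " * 11) + "about",            # public BIP39 test mnemonic
]


def run_demo(copies=USER_COPIES):
    """Returns (values actually pasted, what the clipper captured, paste_guard verdicts)."""
    captured = []
    pasted = [clipper_step(c, ATTACKER_WALLETS, captured) for c in copies]
    verdicts = [paste_guard(c, p) for c, p in zip(copies, pasted)]
    return pasted, captured, verdicts


if __name__ == "__main__":
    for copied, pasted, verdict in zip(USER_COPIES, *run_demo()[::2]):
        print(f"{verdict:8} {copied[:24]!r} -> {pasted[:24]!r}")
```

The guard only works when the reference value comes from somewhere the malware cannot touch (the sending wallet's own record, a hardware wallet display, or the recipient read back out of band); comparing the clipboard against itself proves nothing. Note that the seed phrase is captured but left unchanged, so the user sees no sign that it was taken.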
Mitigation Recommendations
No patch applies: this is malware, not a software vulnerability, so mitigation has to address the infection vector and the script-host execution path. Treat untrusted USB devices as hostile and restrict removable media where policy allows. Keep AutoPlay disabled, but do not rely on it: a shortcut lure needs a user to open the .lnk and works with AutoPlay off. Since the loader runs through Windows Script Host and launches the bundled Tor client from script via ActiveX, blocking wscript.exe and cscript.exe for standard users with AppLocker or WDAC, or disabling WSH outright (HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings, Enabled = 0), breaks the chain at its first stage. Endpoint protection should flag shortcut files whose target is a script engine, processes that poll the clipboard at high frequency, and a Tor client running from a user-writable path outside a sanctioned Tor Browser install. For detection, watch scheduled task registration (Security event 4698 with "Audit Other Object Access Events" enabled, or Microsoft-Windows-TaskScheduler/Operational event 106) where the action is a script host or a path under the user profile, and outbound connections to known Tor relays from unexpected processes. The .onion C2 names listed under Indicators of Compromise are reached through the bundled Tor client, not DNS, so they will not appear in DNS or proxy logs; they are useful for host-based hunting (strings in scripts, files, and memory) rather than for network blocking. Removal is an incident-response task: isolate the host, preserve the shortcut, scripts, Tor binary, and scheduled task for analysis, then clean up. Because the clipper captures seed phrases and private keys as well as addresses, treat any wallet whose secrets passed through the clipboard of an infected host as compromised and move its funds to a fresh wallet. Patch status is not applicable; check vendor advisories for related detections.
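The detection points above (script host launched from removable media, a Tor client in a user-writable path, a scheduled task that re-runs a script) can be expressed as simple rules over endpoint telemetry. The example below is added here and is not code from the page or from any product; it runs three such rules over constructed records that stand in for Sysmon event 1 (process create), Sysmon event 3 (network connect) and Security 4698 / TaskScheduler 106 (task registered). Field names, paths, IPs and the "removable media is not drive C:" heuristic are all assumptions for the example.

```python
import re
from collections import defaultdict

# Simplified endpoint records standing in for Sysmon 1 / Sysmon 3 / Security 4698.
# Field names and every sample value below are constructed for this example.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
NON_SYSTEM_DRIVE = re.compile(r"(?<![A-Za-z])([D-Zd-z]):\\")  # assumption: USB is not C:
TOR_RELAY_PORTS = {9001, 9030}     # default Tor ORPort/DirPort; 443 is common too
LOCAL_SOCKS = ("127.0.0.1", 9050)  # default Tor SOCKS listener


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_from_removable(ev):
    """Explorer launching WSH with a script on a non-system drive: the USB lure."""
    if ev["type"] != "process_create" or _base(ev["image"]) not in SCRIPT_HOSTS:
        return None
    if _base(ev["parent_image"]) != "explorer.exe":
        return None
    if NON_SYSTEM_DRIVE.search(ev["command_line"] + " " + ev.get("cwd", "")):
        return "usb_shortcut_script_host"
    return None


def rule_tor_client(ev):
    """A binary in a user-writable path talking to Tor relay ports, or a script
    host using the local SOCKS port: the bundled Tor proxy in use."""
    if ev["type"] != "network_connect":
        return None
    if USER_WRITABLE.search(ev["image"]) and ev["dest_port"] in TOR_RELAY_PORTS:
        return "tor_client_unexpected_path"
    if (ev["dest_ip"], ev["dest_port"]) == LOCAL_SOCKS and _base(ev["image"]) in SCRIPT_HOSTS:
        return "script_host_uses_local_socks"
    return None


def rule_task_persistence(ev):
    """Scheduled task whose action is a script host or lives in a user profile."""
    if ev["type"] != "task_registered":
        return None
    action = ev["action"]
    exe = action.split('"')[0].split()[0]  # first token before any quoted argument
    if _base(exe) in SCRIPT_HOSTS or USER_WRITABLE.search(action):
        return "scheduled_task_script_persistence"
    return None


RULES = (rule_script_host_from_removable, rule_tor_client, rule_task_persistence)


def detect(events):
    """Run every rule over every event. A host that trips two or more distinct
    stages is escalated, since the chain is lure -> Tor client -> persistence."""
    alerts, stages = [], defaultdict(set)
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append((ev["host"], name))
                stages[ev["host"]].add(name)
    escalated = sorted(h for h, s in stages.items() if len(s) >= 2)
    return alerts, escalated


# Constructed telemetry: WS-01 shows the full chain, WS-02 is benign activity.
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe //b "E:\_\start.js"', "cwd": "E:\\"},
    {"host": "WS-01", "type": "network_connect",
     "image": r"C:\Users\alice\AppData\Roaming\svc\tor.exe",
     "dest_ip": "198.51.100.7", "dest_port": 9001},
    {"host": "WS-01", "type": "task_registered", "task": r"\UpdateCheck",
     "action": r'C:\Windows\System32\wscript.exe //b "C:\Users\alice\AppData\Roaming\svc\run.js"'},
    {"host": "WS-02", "type": "process_create", "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cscript.exe C:\Scripts\inventory.vbs", "cwd": r"C:\Scripts"},
    {"host": "WS-02", "type": "network_connect",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"host": "WS-02", "type": "task_registered", "task": r"\VendorUpdate",
     "action": r"C:\Program Files\Vendor\updater.exe /silent"},
]

if __name__ == "__main__":
    alerts, escalated = detect(SAMPLE_EVENTS)
    for host, name in alerts:
        print(host, name)
    print("escalate:", escalated)
```

In production the drive-letter heuristic should be replaced with the volume's bus type (the removable flag from the device stack), and the Tor rule should match destination IPs against a published relay list rather than ports alone, since relays may sit on 443; the correlation step is what keeps either heuristic from paging on its own.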
Indicators of Compromise
- domain: facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion (this is Facebook's published Tor onion service; the page does not say why it is listed, so do not treat it as attacker-controlled infrastructure)
- domain: ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion
- domain: cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion
- domain: he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion
- domain: shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion
- domain: 7goms4byw26kkbaanz5a5u5234gusot7rp5imzc3ozh66wwcvmcudjid.onion
- domain: gfoqsewps57xcyxoedle2gd53o6jne6y5nq5eh25muksqwzutzq7b3ad.onion
- domain: j3bv7g27oramhbxxuv6gl3dcyfmf44qnvju3offdyrap7hurfprq74qd.onion
- domain: lyhizqy2js2eh6ufngkbzntouiikdek5zsdj3qwa22b4z6knpqorgiad.onion
- domain: wt26llpl5k6gok3vnaxmucwgzv2wk3l7nuibbh25clghrtus3p5ctsid.onion
- hash (MD5): 03b51af0a04467cebfa235199db4c02e
- hash (SHA-1): bbe05d2f2487ed09e1062111fd448822364a44a7
- hash (SHA-256): 0020d23b0f9c5e6851a7f737af73fd143175ee47054931166369edd93338538a
- hash (SHA-256): 100407796028bf3649752d9d2a67a0e4394d752eb8de86daa42920e814f3fae8
- hash (SHA-256): 20db98af3037b197c8a846dbf17b87fc6f049c3e0d9a188f9b9a74d3916dd5e1
- hash (SHA-256): 23c1e673f315dafa14b73034a90dd3d393a984451ff6601b8be8142be6487b43
- hash (SHA-256): 35a6bc44b176a050fd6824904b7604f0f45b0fdfa26bf9500b9e05973b387cfd
- hash (SHA-256): 67fc5cf395e28294bbb91ed0e954fdf2e80ebd9119022a115a42c286dc8bacf5
- hash (SHA-256): 7630debd35cac6b7d58c4427695579b3e3a8b1cc462f523234cd6c698882a68c
- hash (SHA-256): 7787a9a7d8ae393aa32f257d083903c4dc9b97a1e5b0458c4cd480d4f3cb5b05
- hash (SHA-256): 9d90f54ae36c6c5435d5b8bed40faf54cc91f6db28574a6310b5ffaeb0362e96
- hash (SHA-256): a7abf1d9d6686af1cefcd60b17a312e7eb8cfe267def1ec34aeab6128c811630
- hash (SHA-256): b2777b73a4c33ac6a409d475057843be6b5d32262ef28a1f1ff5bb52e3834c5f
- hash (SHA-256): c824630154ac4fdfce94ded01f037c305eab51e9bef3f493c60ff3184a640502
- hash (SHA-256): cf9fc891ea5ca5ecd8113ef3e69f6f52ff538b6cccbdaa9559106fc72bc6da30
- hash (SHA-256): d14b80cbd1a19d4ad0473a0661297f8fdf598e81ff6c4ab24e212dcad2e54b3f
- hash (SHA-256): d43bf94f0cb0ab97c88113b7e07d1a4024d1610617b5ad05882b1dbab89e15ba
- hash (SHA-256): f3b54984caca95fd496bcfe5d7db1611b08d2f5b7d250b43b430e5d76393f9e0
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/
- Adversary: not attributed
- Pulse ID: 6a33628ba6068a0dfc61732a
- Threat Score: not assigned
Threat ID: 6a340291f198dc38c1f62f5b
Added to database: 6/18/2026, 2:37:05 PM
Last enriched: 6/18/2026, 2:50:11 PM
Last updated: 6/18/2026, 5:57:42 PM