Microsoft Threat Intelligence and Microsoft Defender Experts identified a Windows-based cryptocurrency clipper that has affected users since February.

Khushal (thread author)
Apr 4, 2024
Clipper malware relies on stealing clipboard data and parsing it for valuable assets.

The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 server. It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution.
The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure. Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.

For defenders, the strongest signals are behavioral: script interpreters spawning suspicious child processes, localhost:9050 proxy usage, screen-capture commands in PowerShell, and signs of clipboard inspection or crypto-address replacement.

Microsoft Defender for Endpoint detects multiple components of this threat such as Suspicious JavaScript process and Possible data exfiltration using Curl. Additionally, Microsoft Defender Antivirus detects this crypto clipper as Trojan:Win32/CryptoBandits.A.
 
This write-up is a good reminder that “simple” crypto clippers often behave more like lightweight backdoors when they add Tor-based C2 plus remote tasking, so focusing on behavior and hardening controls matters more than chasing IPs.

Why the Tor + script approach matters for defenders
  • It reduces the value of IP/domain blocklists because the C2 is reached via Tor hidden services.
  • It can blend into normal endpoint activity if you only look for “known bad” network indicators; the stronger signals are process and scripting behaviors.
  • Using Windows Script Host (WSH) / ActiveX increases the importance of script-blocking and attack surface reduction (ASR) rather than just AV signatures.

Practical detection ideas (endpoint-focused)
  • Watch for script hosts launching unusual children, especially: wscript.exe / cscript.exe spawning powershell.exe, cmd.exe, curl.exe, bitsadmin.exe, rundll32.exe, regsvr32.exe, mshta.exe, or dropped executables from user-writeable paths.
  • Hunt for local proxy behavior consistent with Tor: connections to 127.0.0.1:9050 (or localhost:9050) and processes establishing that listener.
  • Flag frequent clipboard access patterns from non-UI apps or scripts (high-frequency polling is common in clippers).
  • Alert on screen capture behavior from scripts (PowerShell-based screenshot collection is a common tradecraft signal).
  • Correlate “Tor present” + “clipboard monitoring” + “wallet string replacement” as a higher-confidence chain, rather than treating each alone as definitive.

Hardening / prevention (low-risk first)
  • If your environment doesn’t need it, disable or restrict Windows Script Host (wscript.exe/cscript.exe) via policy. This is often one of the highest-impact reductions for script-based malware.
  • Enable/maintain Microsoft Defender ASR rules where feasible (especially the ones that block suspicious scripting behaviors). Test in audit mode first if you’re worried about compatibility.
  • Constrain PowerShell (newer versions, Constrained Language Mode where appropriate, Script Block Logging) and forward logs to a SIEM for correlation.
  • Application control (WDAC/AppLocker) to prevent unknown executables/scripts from running out of user profile and temp locations.
  • User education for “clipboard replacement” risk: always re-check the first/last characters of crypto addresses before confirming transfers (a simple but effective last line of defense).

Operational note on detections
Microsoft’s named detections (including “Suspicious JavaScript process,” “Possible data exfiltration using Curl,” and the Defender AV family naming) are useful starting points, but behavior-based triage and scoping across the estate are what usually confirm whether it’s an isolated hit or broader propagation.

Sources
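The detection ideas in the post above (script hosts spawning unusual children, loopback SOCKS use on 127.0.0.1:9050, high-frequency clipboard polling, PowerShell screen capture, and treating the combination as the high-confidence signal) can be expressed as a small correlator. The code below is an added example and is not from the original post or from Microsoft's write-up; the event schema (`type`, `host`, `parent`, `image`, `path`, `cmdline`, `dst_ip`, `dst_port`, `text`), the sample events, and the thresholds are constructed for illustration and would need to be mapped onto real EDR or Sysmon telemetry. It generalizes the post's chain slightly by also flagging a non-UI process writing a wallet-looking string to the clipboard.

```python
import re
from collections import defaultdict

# --- Assumed, illustrative constants (not from the post or the write-up) ---
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "curl.exe", "bitsadmin.exe",
                       "rundll32.exe", "regsvr32.exe", "mshta.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
TOR_SOCKS = ("127.0.0.1", 9050)          # default Tor SOCKS listener
CLIPBOARD_READS_PER_MINUTE = 30          # assumed polling threshold
SCREENSHOT_MARKERS = ("copyfromscreen", "system.drawing")
# Simplified ETH / bech32 BTC / legacy BTC address shapes
WALLET_RE = re.compile(r"^(0x[0-9a-fA-F]{40}|bc1[a-z0-9]{39,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")


def script_host_spawn(ev):
    """Script interpreter launching a LOLBin or an executable from a user-writable path."""
    if ev["type"] != "process" or ev["parent"].lower() not in SCRIPT_HOSTS:
        return False
    return (ev["image"].lower() in SUSPICIOUS_CHILDREN
            or ev.get("path", "").lower().startswith(USER_WRITABLE))


def loopback_socks(ev):
    """Outbound connect to the default Tor SOCKS port on localhost."""
    return ev["type"] == "network" and (ev["dst_ip"], ev["dst_port"]) == TOR_SOCKS


def powershell_screen_capture(ev):
    """powershell.exe whose command line carries screen-capture markers."""
    if ev["type"] != "process" or ev["image"].lower() != "powershell.exe":
        return False
    cmd = ev.get("cmdline", "").lower()
    return any(marker in cmd for marker in SCREENSHOT_MARKERS)


def wallet_string_written(ev):
    """Clipboard write whose text looks like a cryptocurrency address."""
    return ev["type"] == "clipboard_write" and bool(WALLET_RE.match(ev.get("text", "")))


def clipboard_polling(events):
    """Images that read the clipboard >= threshold times inside any 60-second window."""
    by_image = defaultdict(list)
    for ev in events:
        if ev["type"] == "clipboard_read":
            by_image[ev["image"].lower()].append(ev["ts"])
    flagged = set()
    for image, stamps in by_image.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t < start + 60) >= CLIPBOARD_READS_PER_MINUTE:
                flagged.add(image)
                break
    return flagged


def confidence(signals):
    """A single signal is weak on its own; the chain is what warrants action."""
    if len(signals) >= 3:
        return "high"
    return "medium" if len(signals) == 2 else "low"


def correlate(events):
    """Return {host: (sorted signal names, confidence)} for hosts with any signal."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["host"]].append(ev)
    result = {}
    for host, evs in per_host.items():
        signals = set()
        for ev in evs:
            if script_host_spawn(ev):
                signals.add("script_host_spawn")
            if loopback_socks(ev):
                signals.add("loopback_socks_9050")
            if powershell_screen_capture(ev):
                signals.add("powershell_screen_capture")
            if wallet_string_written(ev):
                signals.add("wallet_string_written")
        if clipboard_polling(evs):
            signals.add("clipboard_polling")
        if signals:
            result[host] = (sorted(signals), confidence(signals))
    return result


# Constructed sample telemetry (not real events). WS01 shows the full chain,
# WS02 is ordinary user activity, WS03 is a lone loopback SOCKS connect.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "ts": 0, "parent": "wscript.exe", "image": "powershell.exe",
     "path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"Add-Type -AssemblyName System.Drawing; ...CopyFromScreen...\""},
    {"host": "WS01", "type": "process", "ts": 1, "parent": "wscript.exe", "image": "tor.exe",
     "path": "c:\\users\\alice\\appdata\\local\\temp\\tor\\tor.exe", "cmdline": "tor.exe"},
    {"host": "WS01", "type": "network", "ts": 2, "image": "curl.exe", "dst_ip": "127.0.0.1", "dst_port": 9050},
    {"host": "WS01", "type": "clipboard_write", "ts": 3, "image": "wscript.exe", "text": "0x" + "ab" * 20},
] + [
    {"host": "WS01", "type": "clipboard_read", "ts": 10 + i, "image": "wscript.exe"} for i in range(40)
] + [
    {"host": "WS02", "type": "process", "ts": 0, "parent": "explorer.exe", "image": "notepad.exe",
     "path": "c:\\windows\\system32\\notepad.exe", "cmdline": "notepad.exe"},
    {"host": "WS02", "type": "network", "ts": 1, "image": "chrome.exe", "dst_ip": "10.0.0.5", "dst_port": 443},
    {"host": "WS02", "type": "clipboard_read", "ts": 2, "image": "notepad.exe"},
    {"host": "WS02", "type": "clipboard_read", "ts": 30, "image": "notepad.exe"},
    {"host": "WS03", "type": "network", "ts": 0, "image": "firefox.exe", "dst_ip": "127.0.0.1", "dst_port": 9050},
]

if __name__ == "__main__":
    for host, (signals, level) in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {level} ({', '.join(signals)})")
```

Run as-is it reports WS01 as high confidence with all five signals, WS03 as low (a loopback SOCKS connect alone is also what a user-installed Tor Browser produces), and nothing for WS02. The thresholds and the per-host grouping are the parts to tune against your own baseline; in practice the process events would be joined on process GUIDs rather than on bare image names.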
 
I get so mad at Microsoft every time I see this