A new Tor-based clipboard-stealing malware, referred to as a clopper, has emerged targeting cryptocurrency wallets. Microsoft Threat Intelligence has tracked this campaign since February 2026. The malware spreads via malicious .lnk files on USB drives that are disguised as legitimate documents, and it uses the Tor network to exfiltrate stolen data without revealing the IP address of its command server.
It captures sensitive data such as wallet addresses and BIP39 seed phrases from the clipboard and replaces clipboard contents with attacker-controlled addresses. The malware also takes a screenshot every 10 seconds to monitor user activity. Defense strategies include monitoring specific Windows processes and blocking .lnk executions from removable drives.
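
The address replacement described above leaves a recognizable trace: one wallet-shaped clipboard value is overwritten by a different value of the same shape almost immediately. The following sketch is an added example, not code from Microsoft or from the campaign, and it flags that pattern in a time-ordered list of clipboard observations. The address regexes (format checks only, no checksum validation), the 2-second window, and the sample data are assumptions made for illustration.

```python
import re

# Address shapes only; a match does not prove the address is valid.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return the address family the text looks like, or None."""
    value = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return kind
    return None


def find_swaps(observations, window_seconds=2.0):
    """Flag address-to-address replacements that happen faster than a
    person would normally copy a second address.

    observations: list of (timestamp_seconds, clipboard_text), time-ordered.
    Returns a list of (timestamp, kind, original, replacement) tuples.
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(observations, observations[1:]):
        kind = address_kind(prev)
        if kind is None or kind != address_kind(cur):
            continue  # not an address, or the content type changed
        if prev.strip() == cur.strip():
            continue  # same value copied again
        if t_cur - t_prev <= window_seconds:
            alerts.append((t_cur, kind, prev.strip(), cur.strip()))
    return alerts


# Constructed sample data; the addresses are placeholders, not real wallets.
SAMPLE = [
    (0.0, "meeting notes"),
    (5.0, "0x" + "a" * 40),   # user copies an address
    (5.1, "0x" + "b" * 40),   # overwritten 100 ms later: flagged
    (60.0, "0x" + "c" * 40),  # a different address much later: ignored
    (60.5, "hello"),
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE):
        print("possible clipboard address swap:", alert)
```

The window is a trade-off: a short one misses malware that delays the replacement, while a long one flags users who copy several addresses in a row.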