Windows USB‑spread cryptocurrency clipper malware hijacks clipboard via Tor

malware | open | Jun 18, 2026 to Jun 19, 2026
New USB‑spreading cryptocurrency clipper malware detected

Microsoft has identified a new strain of cryptocurrency-stealing malware that spreads through USB drives and uses the Tor network to hide its command-and-control traffic, according to Ars Technica. The malware, dubbed Crypto Clipper, began appearing in February 2026 and has been observed harvesting wallet addresses and seed phrases from the clipboard.

It operates without a traditional installer: it drops a portable Tor client (which the report describes as running as a JavaScript process) and routes its traffic through that client's local SOCKS5 proxy, so the real destination of its connections is hidden behind Tor rather than visible to network monitoring. The code polls the clipboard at high frequency, captures screenshots of sensitive windows and can replace copied cryptocurrency addresses with attacker-controlled ones.
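The SOCKS5 hop is the one place where the malware's real destination is still in the clear: on the loopback connection to the local Tor listener, before Tor wraps it. The decoder below is an added illustration of that exchange (RFC 1928), not code from the Microsoft report or from the malware. The byte strings are constructed for the example; the no-auth greeting, port 9050 and the placeholder .onion name are assumed Tor defaults and placeholders, not indicators from the page.

```python
"""Decode the SOCKS5 (RFC 1928) exchange between a program and a local Tor client.

Added illustration for this briefing; not code from the Microsoft report or the
malware. Byte strings are constructed; 9050 and the .onion name are assumptions.
"""
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_greeting(data: bytes) -> list:
    """Client hello: VER(0x05) NMETHODS METHODS... -> list of offered auth methods."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = data[1]
    if len(data) != 2 + nmethods:
        raise ValueError("greeting length mismatch")
    return list(data[2:])


def build_connect_request(host: str, port: int) -> bytes:
    """Client request: VER CMD(0x01) RSV ATYP(0x03 = domain) LEN NAME PORT(big-endian).

    A Tor client resolves the name itself, so a .onion sent this way never
    produces a DNS query on the host."""
    name = host.encode("ascii")
    if not 0 < len(name) < 256:
        raise ValueError("hostname length must fit in one byte")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_request(data: bytes) -> dict:
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT and flag a .onion destination."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    cmd, rsv, atyp = data[1], data[2], data[3]
    if rsv != 0x00:
        raise ValueError("RSV must be 0x00")
    pos = 4
    if atyp == ATYP_IPV4:
        host, pos = str(ipaddress.IPv4Address(data[pos:pos + 4])), pos + 4
    elif atyp == ATYP_IPV6:
        host, pos = str(ipaddress.IPv6Address(data[pos:pos + 16])), pos + 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < pos + 1:
            raise ValueError("truncated request")
        length = data[pos]
        host = data[pos + 1:pos + 1 + length].decode("ascii")
        pos += 1 + length
    else:
        raise ValueError(f"unknown ATYP {atyp:#04x}")
    if len(data) != pos + 2:
        raise ValueError("request length mismatch")
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return {
        "cmd": CMD_NAMES.get(cmd, f"{cmd:#04x}"),
        "host": host,
        "port": port,
        "onion": atyp == ATYP_DOMAIN and host.lower().endswith(".onion"),
    }


# Constructed exchange: a no-auth greeting, then CONNECT to a placeholder onion name.
SAMPLE_GREETING = b"\x05\x01\x00"
SAMPLE_REQUEST = build_connect_request("constructedexampleonionname.onion", 443)

if __name__ == "__main__":
    print("auth methods offered:", parse_greeting(SAMPLE_GREETING))
    print("request:", parse_request(SAMPLE_REQUEST))
```

A loopback capture or an EDR sensor that sees a process talk to 127.0.0.1:9050 can run the same decode to recover the onion address the malware is reaching, which is the only point at which that name is ever visible on the host.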

Persistence is achieved via malicious shortcut (.lnk) files and scheduled tasks that launch the payload at each user logon. The worm-like propagation component copies itself to any removable drive that is inserted, allowing it to move from one machine to another without user interaction.

Microsoft first observed the activity in early 2026 and notes that no specific threat actor has been linked to the campaign. The tradecraft matches financially motivated crime groups that favour lightweight tooling to avoid detection while maximising the return on stolen funds.

The use of Tor for command and control and exfiltration shows anonymising networks being adopted even by relatively simple malware, which makes traffic-based detection harder. Organisations that still permit unrestricted USB use face a heightened risk, because the malware arrives on removable media and therefore never passes through the email and web gateways most defences rely on.

Defenders should monitor for unexpected executions of Tor binaries or JavaScript engines (for example wscript.exe, cscript.exe or node.exe), especially when they are launched from removable media. Application control policies that block unsigned scripts and restrict the creation of scheduled tasks reduce the attack surface.

Endpoint protection platforms such as Microsoft Defender for Endpoint already flag these behaviours; make sure those features are enabled and tuned to alert on anomalous clipboard access and on outbound Tor connections. In addition, disable Autorun and AutoPlay for removable devices, and review whether portable storage is needed at all in high-security environments.

Intelligence briefing updated Jun 19, 2026

Root source: www.microsoft.com