Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2
Summary
Microsoft has detailed a cryptocurrency clipper campaign that has targeted Windows users since February 2026. The malware uses Windows Script Host and ActiveX to launch a Tor proxy and communicate with a hidden-service C2 server. The campaign highlights the ongoing threat of cryptocurrency-stealing malware and the sophisticated methods attackers employ.
IFF Assessment
This article describes a malicious campaign that steals cryptocurrency, which is detrimental to defenders and users.
Defender Context
Defenders should be aware of this clipper malware campaign, which uses a Tor-based C2 infrastructure for its operations. This requires monitoring for unusual script execution, ActiveX component usage, and Tor network activity on Windows systems. The long-standing nature of the campaign (since Feb 2026) suggests a persistent threat that organizations need to guard against.
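One way to turn the monitoring advice above into a correlation rule, as an added example that is not taken from Microsoft's report: it flags any process descended from a Windows Script Host binary that is either named tor.exe or opens a loopback listener on a default Tor SOCKS port. The event schema, field names and sample events are constructed for illustration, and the ports 9050/9150 are Tor's defaults rather than values reported for this campaign.

```python
# Added example: correlate process-creation and socket-listen telemetry to spot
# a script host launching a Tor proxy. Schema and sample data are constructed.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host binaries
TOR_SOCKS_PORTS = {9050, 9150}                  # Tor daemon / Tor Browser defaults (assumption)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def script_host_ancestor(pid, procs):
    """Walk the parent chain of pid; return the first script-host ancestor, if any."""
    seen = set()
    pid = procs[pid]["ppid"] if pid in procs else None
    while pid in procs and pid not in seen:     # 'seen' guards against PID loops
        seen.add(pid)
        if image_name(procs[pid]["image"]) in SCRIPT_HOSTS:
            return procs[pid]
        pid = procs[pid]["ppid"]
    return None

def detect(events):
    """Return one alert per Tor-like indicator seen under a script host."""
    procs, alerts = {}, []
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
            reason = "image named tor.exe" if image_name(ev["image"]) == "tor.exe" else None
        elif ev["type"] == "listen" and ev["addr"] == "127.0.0.1" and ev["port"] in TOR_SOCKS_PORTS:
            reason = f"loopback listener on Tor SOCKS port {ev['port']}"
        else:
            continue
        host = script_host_ancestor(ev["pid"], procs) if reason else None
        if host:
            alerts.append({"pid": ev["pid"], "reason": reason, "script": host["cmdline"]})
    return alerts

# Constructed events: a renamed proxy under wscript, a user-launched Tor Browser
# (not flagged), and tor.exe reached through cmd.exe under cscript.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe E:\sample.js"},
    {"type": "process_create", "pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Roaming\sample\helper.exe", "cmdline": "helper.exe"},
    {"type": "listen", "pid": 300, "addr": "127.0.0.1", "port": 9050},
    {"type": "process_create", "pid": 400, "ppid": 100, "image": r"C:\Users\u\Desktop\Tor Browser\tor.exe", "cmdline": "tor.exe"},
    {"type": "listen", "pid": 400, "addr": "127.0.0.1", "port": 9150},
    {"type": "process_create", "pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe", "cmdline": r"cscript.exe C:\Users\u\sample.vbs"},
    {"type": "process_create", "pid": 510, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c tor.exe"},
    {"type": "process_create", "pid": 520, "ppid": 510, "image": r"C:\Users\u\AppData\Local\sample\tor.exe", "cmdline": "tor.exe"},
]
```

Keying on the listener as well as the image name means a renamed proxy binary is still caught, while a Tor Browser started by the user from the desktop produces no alert because it has no script-host ancestor.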