Windows cryptocurrency clipper campaign targeting users via USB LNK worms
Campaign
Summary
Hide ▲
Show ▼
A Windows cryptocurrency clipper campaign is actively targeting users since February 2026, putting clipboard data, wallet addresses, and seed phrases at risk. The operation uses malicious USB-delivered LNK files, Windows Script Host, and a Tor-based hidden-service C2 to spread and steal data. It can also replace copied cryptocurrency addresses with attacker-controlled alternatives and execute attacker-supplied code through an EVAL response.
Related Happenings
USB-spreading clipboard-stealing malware targeting cryptocurrency wallets
Malware Activity
H score27
First: 18.06.2026 19:20
Last: 18.06.2026 19:20
Sources 1
How related:
Threat actors targeting cryptocurrency wallets have been distributing clipboard-stealing malware with self-spreading capabilities and using the Tor network to conceal communication.
About this happening:
A **USB-spreading** clipboard-stealing malware family is actively stealing **seed phrases**, **private keys**, and wallet addresses from **Windows** victims, putting cryptocurrenc...
USB-spreading clipboard-stealing malware targeting cryptocurrency wallets
Malware ActivityHow related: Threat actors targeting cryptocurrency wallets have been distributing clipboard-stealing malware with self-spreading capabilities and using the Tor network to conceal communication.
About this happening: A **USB-spreading** clipboard-stealing malware family is actively stealing **seed phrases**, **private keys**, and wallet addresses from **Windows** victims, putting cryptocurrenc...
Rust-based clipboard hijacker spreading via fake crypto tools
Malware Activity
H score13
First: 18.06.2026 18:00
Last: 18.06.2026 18:00
Sources 1
About this happening:
A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Rust-based clipboard hijacker spreading via fake crypto tools
Malware ActivityAbout this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware Activity
H score29
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
How related:
"The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 [command-and-control] server," the Microsoft Defender Security Research Team said in an analysis published Tuesday. "It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution."
About this happening:
A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware ActivityHow related: "The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 [command-and-control] server," the Microsoft Defender Security Research Team said in an analysis published Tuesday. "It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution."
About this happening: A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
Ghost Networks crypto-clipper promotion campaign
Campaign
H score15
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
**Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Ghost Networks crypto-clipper promotion campaign
CampaignAbout this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Vidar Stealer ClickFix campaign targeting multiple sectors
Campaign
H score38
First: 08.05.2026 14:00
Last: 08.05.2026 14:00
Sources 1
About this happening:
The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
Vidar Stealer ClickFix campaign targeting multiple sectors
CampaignAbout this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
Timeline
-
18.06.2026 17:30 3 articles · 2h ago
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
Initial DisclosureThe first stage starts when a user opens a malicious **Windows Shortcut (LNK)** from **USB storage devices**, which triggers the worm component. If the host is not already infected, the payload is fetched and the follow-on clipper stage is deployed.
Show sources
- Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2 — thehackernews.com — 18.06.2026 17:30
- Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2 — thehackernews.com — 18.06.2026 17:30
- USB worm spreads crypto-stealing malware via Windows shortcut files — www.bleepingcomputer.com — 18.06.2026 19:20