Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware Activity
Summary
A Windows-based cryptocurrency clipper has been active since February 2026, using USB-delivered LNK worming to steal wallet data and reroute payments. The malware adds clipboard theft, screenshot exfiltration, and wallet-address substitution, increasing the risk of stolen seed phrases and diverted transactions. It also uses a Tor-based hidden-service C2 and can execute attacker-supplied code through an EVAL response.
Related Happenings
USB-spreading clipboard-stealing malware targeting cryptocurrency wallets
Malware Activity
H score: 27
First: 18.06.2026 19:20
Last: 18.06.2026 19:20
Sources 1
About this happening:
A **USB-spreading** clipboard-stealing malware family is actively stealing **seed phrases**, **private keys**, and wallet addresses from **Windows** victims, putting cryptocurrenc...
Rust-based clipboard hijacker spreading via fake crypto tools
Malware Activity
H score: 13
First: 18.06.2026 18:00
Last: 18.06.2026 18:00
Sources 1
About this happening:
A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
Campaign
H score: 32
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
How related:
Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February 2026.
About this happening:
A **Windows cryptocurrency clipper campaign** has been actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...
Ghost Networks crypto-clipper promotion campaign
Campaign
H score: 15
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
An **unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
GammaWorm NTFS Alternate Data Streams propagation and backdoor activity
Malware Activity
H score: 40
First: 01.06.2026 14:00
Last: 01.06.2026 14:00
Sources 1
About this happening:
The **GammaWorm** malware activity now shows a more covert stage that hides modules in **NTFS Alternate Data Streams**, helping it spread across **Ukrainian networks** while leavi...
Timeline
18.06.2026 17:30 · 2 articles
Windows cryptocurrency clipper campaign uses USB LNK worm and Tor C2
Initial Disclosure: Microsoft disclosed a Windows-based cryptocurrency clipper campaign targeting cryptocurrency users on Windows systems since February 2026. The malware uses malicious USB-delivered Windows Shortcut (LNK) files, Windows Script Host and ActiveX-driven logic, a portable Tor client with a local SOCKS5 proxy, and a hidden-service C2 server to steal clipboard data, replace wallet addresses, exfiltrate screenshots, and execute attacker-supplied code when the C2 returns an EVAL response.
- Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2 — thehackernews.com — 18.06.2026 17:30