Microsoft reported a clipper malware campaign, active since at least February, that uses LNK shortcut files on USB drives for initial infection and the Tor network to stage payloads and hide command-and-control traffic. The malware replaces cryptocurrency wallet addresses on the clipboard with attacker-controlled ones, harvests seed phrases and private keys, takes screenshots, and spreads by copying itself to removable drives, where it replaces documents with malicious shortcuts that masquerade as those documents. #Microsoft #LNK #Tor #BIP39 #Ethereum #Bitcoin #Tron #Monero
Key points
- The campaign uses LNK shortcut files on USB drives to start the infection.
- The malware stages additional payloads from a .ONION address over Tor.
- It steals clipboard data and replaces cryptocurrency wallet addresses with attacker-controlled ones.
- It searches for seed phrases (BIP39 mnemonics) and private keys, and captures screenshots, for exfiltration.
- It spreads by copying itself to newly connected USB devices and replacing documents there with malicious shortcuts that impersonate them.
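The clipboard substitution in the third key point, as an added example that is not code from the Microsoft report or from the malware it describes: a Python model of the clipper's same-type address swap for the four coins the page tags, beside a defender-side check that flags when the clipboard no longer holds what the user copied. The regexes, the attacker addresses and the sample wallet addresses are this example's own constructions (built from the bech32 and base58 alphabets so they are syntactically valid but not real wallets), not indicators from the report, and nothing here touches the real system clipboard.

```python
"""Simulated clipboard clipper and a defender-side swap detector.

Added example: not code from the Microsoft report or the malware it covers.
It models the behaviour the report attributes to the campaign (replacing a
wallet address on the clipboard with an attacker address of the same coin)
against constructed sample addresses. The real system clipboard is never used.
"""
import re
from typing import Dict, Optional

# Whole-clipboard patterns for the coins named on the page. Real clippers use
# regexes of this kind; the exact patterns below are this example's own.
ADDRESS_PATTERNS: Dict[str, re.Pattern] = {
    "bitcoin": re.compile(
        r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[qp][ac-hj-np-z02-9]{38,58})$"
    ),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "monero": re.compile(
        r"^[48][1-9A-HJ-NP-Za-km-z]{94}(?:[1-9A-HJ-NP-Za-km-z]{11})?$"
    ),
}

# Constructed sample addresses assembled from the relevant alphabets. They have
# the right shape for each coin but are deliberately not real wallets.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

USER_ADDRESSES: Dict[str, str] = {
    "bitcoin": "bc1q" + BECH32 + BECH32[:6],      # 42-char P2WPKH shape
    "ethereum": "0x" + "deadbeef" * 5,             # 20-byte hex account
    "tron": "T" + B58[9:33] + B58[33:42],          # 34-char base58
    "monero": "4" + B58 + B58[:36],                # 95-char standard address
}
ATTACKER_ADDRESSES: Dict[str, str] = {             # hypothetical swap-in targets
    "bitcoin": "bc1p" + BECH32[::-1] + BECH32[::-1][:6],
    "ethereum": "0x" + "0badc0de" * 5,
    "tron": "T" + B58[::-1][:33],
    "monero": "8" + B58[::-1] + B58[::-1][:36],
}


def classify_address(text: str) -> Optional[str]:
    """Return the coin whose address format the whole clipboard text matches."""
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None


def clipper_substitute(clipboard_text: str,
                       attacker: Dict[str, str] = ATTACKER_ADDRESSES) -> str:
    """The attack's core logic: when the clipboard holds a wallet address,
    replace it with the attacker's address of the same coin, so the victim's
    paste into a wallet app targets the attacker. Any other text is returned
    unchanged, which is what keeps the malware quiet during normal use."""
    coin = classify_address(clipboard_text)
    if coin is None:
        return clipboard_text
    return attacker[coin]


def detect_swap(user_copied: str,
                clipboard_now: str) -> Optional[Dict[str, str]]:
    """Defender-side heuristic: the user copied a wallet address and, with no
    further copy action, the clipboard now holds a *different* address.
    Legitimate activity does not turn one valid address into another between
    copy and paste, so this is reported as a clipper indicator."""
    if classify_address(user_copied) is None:
        return None                       # not a wallet-address copy
    found = classify_address(clipboard_now)
    if found is None or user_copied.strip() == clipboard_now.strip():
        return None                       # clipboard intact or not an address
    return {"coin": found, "expected": user_copied.strip(),
            "found": clipboard_now.strip()}


def simulate_copy_paste(user_copied: str) -> Optional[Dict[str, str]]:
    """Run one copy -> clipper -> paste cycle and return the detector's verdict."""
    tampered = clipper_substitute(user_copied)
    return detect_swap(user_copied, tampered)


if __name__ == "__main__":
    for coin, addr in USER_ADDRESSES.items():
        verdict = simulate_copy_paste(addr)
        print(f"{coin:9s} copy -> alert: {verdict is not None}")
    print("plain text copy -> alert:",
          simulate_copy_paste("meeting at 10") is not None)
```

The detector only works if it knows what the user actually copied, which in practice means hooking the copy event (a clipboard-format listener) separately from polling the clipboard contents; comparing two polls of the clipboard cannot tell a clipper's write from the user's own. Whole-content matching is also a simplification: some clippers scan for addresses embedded in longer text, which a stricter version would handle with `re.search` and a per-match replacement.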