Microsoft discovers new lightweight backdoor that steals cryptocurrency

TL;DR

Microsoft has identified a new malware called Crypto Clipper that spreads through USB drives, monitors for cryptocurrency credentials, and exfiltrates data via Tor. It functions as a lightweight backdoor, complicating detection.

Microsoft has identified a new self-propagating malware named Crypto Clipper that infects devices via USB drives, stealing cryptocurrency credentials and exfiltrating data through anonymous Tor channels. This discovery highlights a sophisticated method of financial data theft that also functions as a lightweight backdoor, complicating detection and response efforts.

According to Microsoft, Crypto Clipper spreads through malicious .lnk files stored on infected USB drives, executing code when plugged into a device. The malware checks if it is already installed; if not, it downloads additional components through a Tor proxy, which helps conceal its communications. Once active, it monitors the clipboard for cryptocurrency wallet addresses or seed phrases, capturing these credentials. It also takes five screenshots over a ten-second window to gather visual evidence of the user’s activity. Both the credentials and screenshots are transmitted to attacker-controlled servers via Tor, using a SOCKS5 proxy for anonymized routing.

Microsoft states that Crypto Clipper’s design does not rely on traditional command-and-control (C2) infrastructure or a persistent installer. Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and integrates data theft with remote code execution. This approach makes the malware lightweight and harder to detect, as it blends into normal device operation and does not leave obvious traces of a typical infection.

Implications of Crypto Clipper’s Stealthy Design

This malware’s ability to operate as a lightweight backdoor that exfiltrates sensitive cryptocurrency data while avoiding detection poses a significant threat to individuals and organizations. Its use of Tor and SOCKS5 proxies complicates attribution and takedown efforts, increasing the risk of financial theft and potential further exploitation of infected devices. The malware’s propagation method via USB drives makes it a concern for environments with high USB device usage, including corporate and personal settings.

BUISAMG Data Blocker, USB A & USB C Data Blocker for iphone17 16 and Any USB C Mobile Phone Charge, Protect Against Juice Jacking, Refuse Hacking, Only Charging (Red 6-Pack)

BUISAMG Data Blocker, USB A & USB C Data Blocker for iphone17 16 and Any USB C Mobile Phone Charge, Protect Against Juice Jacking, Refuse Hacking, Only Charging (Red 6-Pack)

【Combination set】: More affordable, The data blocker combination kit shown in the main image, which can meet your…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Recent Trends in Cryptocurrency Malware

Over the past year, cybercriminals have increasingly targeted cryptocurrency users with specialized malware designed to steal wallet information and seed phrases. Previous variants relied on persistent C2 infrastructure or more conspicuous infection vectors. The discovery of Crypto Clipper’s lightweight, self-propagating design marks a shift toward stealthier, more integrated malware that can operate undetected for longer periods. Microsoft’s detection follows a broader industry pattern of evolving threats focusing on cryptocurrency assets, which are often high-value targets.

“Crypto Clipper deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.”

— Microsoft security team

TANGEM Crypto Wallet Pack of 2 – Trusted Cold Storage Hardware Wallet for Bitcoin, Ethereum, NFTs & Altcoins – 100% Offline Crypto Cold Wallet

TANGEM Crypto Wallet Pack of 2 – Trusted Cold Storage Hardware Wallet for Bitcoin, Ethereum, NFTs & Altcoins – 100% Offline Crypto Cold Wallet

Proven security at scale: Over 9 years and millions of cards issued with no known remote hacks, while…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Unclear Aspects of Crypto Clipper’s Deployment

Details remain limited regarding the full scope of Crypto Clipper’s distribution, the extent of its current deployment, and whether it has been used in targeted campaigns. It is also not yet confirmed how widespread its infection vectors are beyond initial observations. Security researchers are still analyzing its command structure, if any, and potential variants that may exist.

Plugable USB Data Blocker, Protect Against Juice Jacking at Public USB Ports, Defend Unwanted Data Transfers and Hijacking, Charging Safely, Fast 1A Charge-Only Adapter for Android, Apple iOS Devices

Plugable USB Data Blocker, Protect Against Juice Jacking at Public USB Ports, Defend Unwanted Data Transfers and Hijacking, Charging Safely, Fast 1A Charge-Only Adapter for Android, Apple iOS Devices

Safe Charging: The Plugable USB-MC1 adapter transforms any USB data port into a USB data blocker and charge-only…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps for Detection and Mitigation

Microsoft and cybersecurity firms are expected to release detailed indicators of compromise (IOCs) and detection strategies. Organizations should review USB security policies, implement monitoring for clipboard activity, and consider blocking or scrutinizing suspicious USB devices. Further research will clarify the malware’s evolution and whether additional variants or similar tools emerge in the wild.

PortPlugs (50-Pack) USB-A Port Blockers - Key Lock USB Security to Help Prevent Data Theft - Removable Type-A Data Protection - Dust & Moisture Resistant Shield | Black

PortPlugs (50-Pack) USB-A Port Blockers – Key Lock USB Security to Help Prevent Data Theft – Removable Type-A Data Protection – Dust & Moisture Resistant Shield | Black

USB A PORT BLOCKERS WITH KEY: Designed for standard USB A ports on laptops, desktop PCs, notebooks, and…

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

How does Crypto Clipper spread?

It spreads through infected USB drives containing malicious .lnk files that execute when plugged into a device.

What kind of data does Crypto Clipper steal?

It monitors the clipboard for cryptocurrency wallet addresses or seed phrases and captures screenshots of user activity.

Can Crypto Clipper be detected easily?

Its lightweight, stealthy design and use of anonymizing proxies make detection challenging, especially if USB device usage is not closely monitored.

Is this malware currently active in the wild?

Microsoft’s report suggests it has been observed spreading, but the full extent of active infections is still under investigation.

What should organizations do to protect themselves?

Implement strict USB device policies, monitor clipboard activity, and stay updated on security advisories related to Crypto Clipper.

Source: Ars Technica


You May Also Like

Trade and supply-chain operations signal monitor: U.S. strikes Iranian military sites after ship was hit in Strait of Hormuz

The U.S. has reportedly conducted strikes on Iranian military targets following an attack on a ship in the Strait of Hormuz, raising geopolitical tensions.

The Most Promising Ebola Vaccine Has Been Sitting on the Shelf for 15 Years

A highly promising Ebola vaccine developed in 2011 has not been deployed or tested in humans, despite ongoing outbreaks and its proven efficacy in primates.

Iran scrambles to move estimated $8.5bn in oil as US eases sanctions

Iran is actively loading crude oil onto tankers following a temporary US sanctions relaxation, potentially earning $8.5 billion. Details are still emerging.

When Does Cheap Memory Come Back? The 2027–2029 Question

Memory prices are unlikely to return to pre-crisis levels before 2028–2029, with relief expected to be modest and delayed due to industry capacity constraints.