What Happened
Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February 2026, using clipboard-intercepting malware with self-spreading capabilities and relying on the Tor anonymity network to hide its communications. "The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2
Why It Matters
The article reports that Microsoft has detailed a Windows-based cryptocurrency clipper campaign active since February 2026 that spreads via malicious USB LNK files, uses Windows Script Host and ActiveX logic to launch a bundled Tor proxy, and communicates with a hidden-service C2 server.[1][2] The malware performs high-frequency clipboard monitoring, wallet-address substitution, screenshot exfiltration, and harvesting of wallet information and seed phrases in order to hijack crypto transactions.[1][2][3] From a CyberSE.AI perspective, this represents a fintech-adjacent operational risk for any AI-enabled trading, payment, or wallet-orchestration system running on a compromised endpoint, since malware-controlled clipboard and screen data can silently alter transaction destinations or expose sensitive financial flows used by AI-driven decision engines. Organizations using AI for financial operations should harden host security around AI workloads, implement policy and technical controls for removable media and scripting engines, and include clipboard-hijacking scenarios of this kind in an AI Security Readiness Assessment focused on end-to-end integrity of data and transactions.
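As an added defensive illustration, not code from the article or from Microsoft's report, the Python sketch below shows the kind of clipboard-integrity check a host monitor can run against the wallet-address substitution behaviour described above: a wallet address replaced by a different address of the same chain within a couple of seconds is the signature of a clipper's poll-and-swap loop, not of a human copying two addresses. The address patterns, the Sample type and the clipboard timeline are constructed for this example.

```python
import re
from dataclasses import dataclass

# Address shapes for two chains commonly targeted by clippers (constructed
# patterns for this example; tighten or extend them for your environment).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_chain(text: str):
    """Return the chain label if the text looks like a wallet address, else None."""
    s = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return chain
    return None


@dataclass
class Sample:
    t: float    # seconds since the monitor started (from a clipboard poll)
    text: str   # clipboard contents observed at that instant


def detect_swaps(samples, window: float = 2.0):
    """Flag clipper-style swaps: an address replaced by a different address of
    the same chain within `window` seconds of its last observation."""
    alerts, prev = [], None
    for cur in samples:
        if prev is not None and cur.text != prev.text:
            chain_prev, chain_cur = address_chain(prev.text), address_chain(cur.text)
            if chain_prev and chain_prev == chain_cur and (cur.t - prev.t) <= window:
                alerts.append({"chain": chain_cur, "original": prev.text.strip(),
                               "replacement": cur.text.strip(),
                               "delay": cur.t - prev.t})
        prev = cur   # advance even when unchanged, so delay is measured from the last sighting
    return alerts


# Constructed clipboard timeline (not captured from the campaign): the user
# copies a BTC address and a different BTC address appears 0.25 s later.
DEMO_SAMPLES = [
    Sample(0.00, "invoice #4411"),
    Sample(1.00, "1CounterpartyDemoAddr22222"),
    Sample(1.25, "1AttackerSwappedAddr222222"),
    Sample(1.50, "1AttackerSwappedAddr222222"),
    Sample(40.0, "0xa1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1"),  # unrelated, later copy
]

if __name__ == "__main__":
    for alert in detect_swaps(DEMO_SAMPLES):
        print(f"[{alert['chain']}] {alert['original']} -> {alert['replacement']} "
              f"after {alert['delay']:.2f}s")
```

A real monitor would feed samples from the OS clipboard at the same high poll rate the malware uses and escalate an alert to an endpoint-isolation or transaction-hold workflow rather than only printing it.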
CyberSE Analysis
This signal maps to fintech AI risk. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/microsoft-details-windows-clipper.html