Microsoft Threat Intelligence and Microsoft Defender Experts identified a Windows-based cryptocurrency clipper that has affected users since February of 2026. Clipper malware relies on stealing clipboard data and parsing it for valuable assets.

The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 server. It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution.

The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure. Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.

For defenders, the strongest signals are behavioral: script interpreters spawning suspicious child processes, localhost:9050 proxy usage, screen-capture commands in PowerShell, and signs of clipboard inspection or crypto-address replacement.

Microsoft Defender for Endpoint detects multiple components of this threat such as Suspicious JavaScript process and Possible data exfiltration using Curl. Additionally, Microsoft Defender Antivirus detects this crypto clipper as Trojan: Win32/CryptoBandits.A.

Attack chain overview

Since February 2026, malicious shortcut (.lnk) payloads have infected devices with a cryptocurrency clipper. This malware comprises two components that it deploys on the compromised system: a worm component that ensures propagation and a clipper/stealer component that harvests and exfiltrates cryptocurrency wallet information.  

The worm functionality ensures propagation by creating additional malicious shortcuts of legitimate files it identifies on the device. It also delivers file-based payloads and excludes them from Defender scanning. It deploys scheduled tasks for execution and persistence for both the worm component and the stealer component.  Figure 1 presents a high-level execution flow of the two components.

The clipper runs as a script-based payload that interacts with the operating system through WScript and ActiveXObject. It includes an anti-analysis check that queries running processes and exits if Task Manager is detected. If the environment passes this gate, the malware launches a renamed Tor binary named ugate.exe in a hidden window, waits about 60 seconds for Tor to bootstrap, generates a victim GUID, and registers the infected device with a hidden-service C2.

After registration, the malware enters a continuous loop. It polls the C2 for instructions and monitors the clipboard roughly every 500 milliseconds, extracting seed phrases and private keys that match wallet-related patterns. It also hijacks cryptocurrency addresses by replacing copied wallet values with attacker-controlled alternatives and uploads screenshots through Tor. If the C2 returns an EVAL response, the malware executes attacker-supplied code at runtime.

Behaviors and methodologies

Initial access

Initial access occurs from malicious .lnk files. In instances we analyzed, these .lnk shortcuts were distributed on USB storage devices. The .lnk shortcut stages a worm component in the form of an executable. The malicious script checks for an existing malicious payload and stops if the device is already infected. If the payload is not present, the malware fetches the payload from the C2 through Tor. The Figure below illustrates the functions that stage and decrypt the initial payload.

The .lnk payload scans the USB device for common document files like .doc, .xlsx, .pdf, hides the original files, and creates additional .lnk shortcut files with the same file names. The shortcut files are crafted with arguments to link to the worm payload. The end user is not aware that they are launching an executable when opening the .lnk files.

Execution

Once a user clicks on one of the shortcuts, the staged worm payload runs. It excludes staging folders and Windows binaries used in the execution of the stealer component. The malware then drops decrypted payloads, including two malicious JavaScript files, into the subfolder under the “C:UsersPublicDocuments” folder.

A five-character naming convention is used both for the subfolder and the scripts’ names.

The figure below illustrates an instance with files dropped under a ” C:UsersPublicDocumentsomoho” folder path:

The worm component also establishes persistence by creating two indefinite scheduled tasks: one responsible for spreading itself to a freshly inserted uncompromised USB storage device, and another for the stealer activity.

Defense evasion

The malware employs multi-layered obfuscation, with all components encrypted and only decrypted at runtime. Installation is handled by a Python script that is itself obfuscated using PyArmor and packaged into a standalone executable via PyInstaller. In addition, the two JavaScript payloads are each protected with dual-layer obfuscation, further increasing analysis complexity. This design significantly reduces static visibility while maintaining flexible runtime behavior.

The sample also incorporates a basic anti-analysis check by querying the Win32_Process WMI class and terminating execution if Task Manager is detected. Although simplistic, this mechanism can hinder manual inspection and slow initial triage efforts.

The bundled Tor client is central to the operation. By routing communication over localhost:9050 and resolving “.onion” destination domains inside Tor, the malware reduces DNS visibility, obscures the final C2 destination, and complicates destination-based blocking. This design gives the operator anonymity benefits while keeping the malware compact and self-contained.

Command and control

The command and control over a Tor-routed domain routes network traffic through local IP address 127.0.0.1 on port 9050. The tunneled domain appears in the initiating process command line. The C2 domains use the following endpoints and actions across different execution stages.

• C2 Domain: .onion
• Endpoints:
  • /route.php : Beacon and command retrieval
  • /recvf.php : File upload (screenshots)
  • /stub.php: Payload download
• Communication:
  • Protocol: HTTP over Tor (SOCKS5 proxy at localhost:9050)
  • Method: curl with POST requests
  • Authentication: GUID + GEIP (geolocation)
• Actions Sent to C2:
  • GUID : Heartbeat beacon
  • SEED : Exfiltrated seed phrase
  • PKEY : Exfiltrated private key
  • REPL : Address replacement notification
  • GOOD : (legacy/fallback action)
• Commands from C2:
  • GUID : Acknowledge/refresh victim GUID
  • EVAL : Execute arbitrary JScript code (remote code execution)

A file named “cfile” is created on the infected system as an output for payload hosted on the C2 domain.

The malware sample we analyzed also provided a function called checkC2Command. The function has an EVAL method, which would allow any payload placed in the cfile to be executed on the victim’s system.

Collection

Seed

Clipboard theft focuses on high-value financial artifacts. The malware detects 12 or 24-word BIP39 seed phrases in clipboard data. It saves the seed to local file (GOOD path) as a backup and exfiltrates it to the C2 domain via Tor. It retries network transmission until it is acknowledged and deletes local backup after successful transmission. It also takes five screenshots (ten seconds apart) and uploads them asynchronously. The screenshots help the threat actor gain additional context on the end user’s wallet and balances.

The crypto clipper also detects cryptocurrency keys for both Ethereum and Bitcoin WIF. Once the captured keys are saved and exfiltrated, the malware captures screenshots of the user’s screen for a full context. The captured values are validated against a word list.

Address replacement

The stealer also probes for cryptocurrency addresses and replaces them with attacker’s addresses. The malware checks that the address has alphanumeric values.

• For a Bitcoin legacy address which starts with “1” and has a length of 32-36 values, the address is replaced with an address that matches the first two characters.

• For a Bitcoin P2SH address which starts with a “3” and has a length of 32-36 values, the stealer replaces the address with one matching the original address on the first two characters.

• For a Bitcoin taproot address which starts with “bc1p” and has a length of 40-64 characters, the stealer replaces it with one matching the last character.

• For a Bitcoin Bech32 address which starts with “bc1q” and has a length of 40-64 characters, the stealer replaces only the last character.

• For a Tron address which starts with “T” and has exactly 34 characters, the stealer replaces the address with one that matches the first two characters.
• For a Monero address which starts with a “4” or a “8” and has exactly 95 characters, the stealer replaces the address with a single address.

The following shows an example of address replacement:

This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking. The combination of Tor-routed C2, clipboard targeting, screenshot capture, and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices.

Organizations should focus on hardening script execution paths, monitoring local SOCKS proxy abuse, and using behavioral hunting to connect script activity with network, clipboard, and process signals. That combination offers the best chance of surfacing this class of threat before financial loss or broader follow-on activity occurs.

Mitigation and protection guidance

Defenders should prioritize behavioral detections over static signatures. Investigate systems where WScript, CScript, or related script engines launch curl, cmd.exe, PowerShell, or unexpected executables. localhost:9050 network activity, especially when coupled with suspicious scripting behavior, is also valuable context for triage.

Where operationally feasible, reduce abuse of script-based interpreters and review Attack Surface Reduction rules that block obfuscated scripts and suspicious child-process chains. Review detections for PowerShell-based screen capture and examine devices for indicators of clipboard inspection or wallet-address replacement.

Recommended actions

• Disable AutoRun/AutoPlay for all removable media
• Block .lnk execution from removable drives via GPO
• Restrict unnecessary use of wscript.exe, cscript.exe, and similar script hosts where possible.
• Review and enable relevant Attack Surface Reduction rules, especially those focused on obfuscated script execution and suspicious child-process behavior.
• Investigate script-to-network chains involving curl, PowerShell, or cmd.exe.
• Hunt for local SOCKS5 proxy activity on localhost:9050.
• Review clipboard-related and screen-capture behaviors on devices handling sensitive financial workflows.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Security Copilot  

Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:  

• Incident investigation  
• Microsoft User analysis  
• Threat actor profile  
• Threat Intelligence 360 report based on MDTI article  
• Vulnerability impact assessment  

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.  

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Advanced hunting

Microsoft Defender customers can run the following queries to find related activity in their networks:

Execution launched from scheduled tasks

DeviceProcessEvents
| where FileName =="schtasks.exe"
| where ProcessCommandLine matches regex
@"(?i)schtaskss+/creates+/tns+[a-z]{4,6}s+/xmls+C:\Users\Public\Documents\[a-z]{4,6}\[a-z]{4,6}.xmls+/f"

Local Tor proxy activity (localhost:9050)

DeviceNetworkEvents
| where ActionType =="ConnectionSuccess"
| where InitiatingProcessCommandLine has_all ("curl","socks5-hostname",".onion")

Tor-routed curl execution

DeviceProcessEvents
| where FileName =~ "curl.exe"
| where ProcessCommandLine has_all ("--socks5-hostname", "localhost:9050")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine

MITRE ATT&CK Techniques observed

This threat has exhibited use of the following attack techniques. For standard industry documentation about these techniques, refer to the MITRE ATT&CK framework.

Initial Access

• T1091 Replication Through Removable Media

Execution

• T1059 Command and Scripting Interpreter | EVAL-driven remote code execution from server tasking

Discovery

• T1057 Process Discovery | Task Manager check used as an anti-analysis gate

Persistence

• T1053.005 Scheduled Task/Job | Scheduled Task

Defense evasion

• T1027 | Shuffled strings and decoder functions conceal commands and APIs

Collection

• T1115 Clipboard Data | Clipboard theft targets seed phrases, keys, and wallet addresses
• T1113 Screen Capture | PowerShell screenshot capture supports operational visibility

Command and Control

• T1090 Proxy | Traffic routed through Tor via local SOCKS5 proxying

Exfiltration

• T1048.002 Exfiltration Over Alternative Protocol

Indicators of compromise (IOC)

References 

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.   

Fast-Entry Rules Could Put SpaceX Into Millions of Investor Portfolios

Millions of investors may soon find SpaceX (Nasdaq: SPCX) inside funds they already own, according to James Flintoft, head of investment solutions at AJ Bell. The company’s Nasdaq debut has opened fast-entry routes into several major indexes, while S&P 500 funds remain tied to a longer eligibility schedule.

SpaceX began trading at $135 per share after raising more than $85 billion, making it the largest IPO on record. Its valuation later surpassed $2 trillion, placing the company among the most valuable publicly listed businesses in global markets.

A company of that size can qualify for major benchmarks quickly, but passive investors will not all receive exposure at the same time. The timing depends on the index behind each fund, including Nasdaq-100 products, MSCI global trackers, FTSE Russell funds, and CRSP-based portfolios, whose indexes underpin many Vanguard U.S. index funds, alongside S&P 500 trackers.

AJ Bell, a U.K. investment platform offering individual savings accounts (ISAs), pensions, and dealing accounts, said the listing raises important questions for passive investors. Flintoft said:

“The first practically important question for investors using index or passive strategies in their portfolios is not whether SpaceX is a good investment – it is will you hold it, where and when?”

Nasdaq has already created a faster route for large IPOs. The exchange’s May 1, 2026, methodology update allows newly listed companies ranked among the top 40 by market capitalization to enter the Nasdaq-100 within 15 trading days. Flintoft stated, “while SpaceX’s shares listed on the Nasdaq stock exchange, they will take slightly longer to join the Nasdaq-100 index.”

Those rules explain why SpaceX could appear quickly in several fund families. Nasdaq-100 trackers can use Nasdaq’s 15-trading-day window, FTSE Russell products can use the fifth-trading-day process, and MSCI-linked funds can apply MSCI’s large-IPO framework.

S&P 500 Funds Remain on a Different Timeline

FTSE Russell has also moved toward faster IPO inclusion. On May 26, 2026, the index provider said eligible large IPOs can enter Russell U.S. indexes after the fifth trading day, using first-day free float, following a February market consultation.

MSCI provides another route into global index funds. Its Global Investable Market Indexes have used fast-track rules for large IPOs since 2007, covering benchmarks tied to MSCI World, MSCI ACWI, MSCI Emerging Markets, and MSCI EAFE products.

Flintoft explained:

“If your portfolios include Nasdaq-100 trackers, FTSE Russell-based products, MSCI World or MSCI All Country funds, those products will acquire exposure within weeks of listing.”

“The initial weighting will be measured in basis points given the constrained free float, but as lockup tranches release over the following six months, the weighting will grow – depending on how the share price performs,” he further shared.

S&P 500 funds remain on a different timeline. Flintoft noted that S&P Dow Jones Indices confirmed June 4 that companies must trade publicly for at least 12 months and be profitable under U.S. Generally Accepted Accounting Principles, the accounting standards used in corporate financial reporting. SpaceX has yet to meet either requirement, placing potential S&P 500 inclusion no earlier than mid-2027.

The company reported a $4.94 billion net loss in 2025, compared with a $791 million profit in 2024, while revenue rose 33% to $18.67 billion. It also recorded a $4.3 billion loss in the first quarter of 2026.

The first portfolio changes should be small, with Flintoft citing Bloomberg data showing about 8% of SpaceX shares are currently tradeable. As additional shares are released after the first quarterly earnings report and at later lockup dates, index weightings could increase over time. SpaceX could appear in Nasdaq-100, FTSE Russell, MSCI, and CRSP-linked products over the coming weeks as those indexes follow their respective inclusion schedules, while S&P 500 trackers remain subject to existing eligibility rules.

(Carolina Journal) – State regulatory framework for banks, credit unions and stablecoin issuers seeking to operate in the digital asset or cryptocurrency space has been proposed in the North Carolina General Assembly.

NC Digital Asset and Stablecoin Act, known also as House Bill 1029, would authorize state-chartered financial institutions to provide digital asset custody, staking, and transaction services, while also creating licensing and oversight rules for payment stablecoin issuers.

The bill is sponsored by Reps. Allen Chesser, R-Nash; David Willis, R-Union; Stephen Ross, R-Alamance; and Mike Schietzelt, R-Wake. The bill passed the House last week after clearing second reading in a 115-0 vote.

Under the bill, banks and credit unions would be allowed to custody digital assets for customers, facilitate digital asset transactions, and provide staking services.

Supporters, such as the North Carolina Blockchain + AI Initiative, more commonly known as NCB+AI, praised the bill.

– Advertisement –

“House passage of H1029 is a major step forward for North Carolina’s digital asset economy,” NCB+AI told Carolina Journal in a statement. “This bill gives state-chartered banks and credit unions a clear path to provide custody, staking, and transaction services while requiring strong reserves, audits, disclosures, cybersecurity standards, and consumer protections. Representatives Chesser, Willis, Ross, Schietzelt, and the House Select Committee deserve real credit for advancing a serious framework that protects consumers, supports responsible innovation, and keeps North Carolina at the forefront of digital finance.”

The measure includes consumer-protection provisions. Banks and credit unions offering custody services would have to enter into written agreements with customers and disclose that digital assets are not bank deposits and are not insured by the FDIC or NCUA. Institutions would also have to maintain 100% reserves of each type of digital asset owed to customers and undergo annual independent audits.

The bill would also allow customers to stake their digital assets. Staking rewards would belong to the customer, minus disclosed fees. Institutions would be required to manage risks tied to staking, including cybersecurity, operational failures, lock-up periods, and slashing, which occurs when staked assets are penalized under blockchain rules.

Under the bill, the state treasurer would be allowed to hold, liquidate or stake unclaimed digital assets. First-term Republican state Treasurer Brad Briner said the measure reflects a need to update state banking policy as digital assets become more common.

“As a state, we need to modernize our way of thinking when it comes to banking, while at the same time both complying with federal mandates in the GENIUS Act and embracing the needs of North Carolina innovators,” Briner told Carolina Journal.

The second major portion of the bill would create a state licensing system for payment stablecoin issuers.

– Advertisement –

Under the legislation, no person could issue, circulate, offer or redeem a payment stablecoin in North Carolina unless they qualify as a permitted payment stablecoin issuer.

The bill ties the state framework to the federal GENIUS Act and would allow certain federally qualified or out-of-state qualified issuers to operate in North Carolina under specified notice and reciprocity rules.

The bill would require stablecoin issuers to maintain reserves, redeem stablecoins at par value, disclose fees, publish monthly reports, obtain annual reserve examinations, maintain anti-money laundering and customer identification programs, comply with sanctions rules, and notify the commissioner of banks of certain federal enforcement actions.

The stablecoin framework would take effect no earlier than January or 120 days after federal regulators issue final regulations under the GENIUS Act.