ShellCodeX Intelligence Brief
HIGH Cybersecurity

Microsoft traces Windows USB LNK clipper to Tor-based hidden-service C2

Source headline: Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2

Threat level: High
Signal strength: 72/100
Source confidence: 1 source
Published: 9 hours ago

Intelligence Summary

Microsoft describes a Windows cryptocurrency clipper campaign that has been active since February 2026. The malware relies on Windows Script Host and ActiveX-driven logic and is launched via a USB LNK worm. It packages a Tor proxy and connects to a hidden-service command-and-control (C2) server. The targets are users who receive or execute the malicious LNK-related payloads. Using Tor for C2 increases resilience and makes attribution and blocking harder. Users should avoid opening unknown USB shortcuts and ensure endpoints are protected against script-based malware.

Recommended Action

Review affected assets, schedule urgent remediation, and monitor related indicators.

Topics

#cryptocurrency #windows #clipper #hidden-service #tor-c2 #usb-lnk
Original reporting: The Hacker News, "Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2"