TechFlow news: On June 19, Microsoft’s Threat Intelligence Team disclosed a Windows clipboard cryptojacking trojan that has been active since February 2026. This malware combines “worm-like propagation + clipboard hijacking + Tor-based anonymous communication” to target digital asset users.
Microsoft’s analysis indicates that the malicious program spreads across removable storage devices via disguised shortcut (.lnk) files and uses WScript and ActiveX to run its script logic, automatically deploying a local Tor client for anonymous command-and-control and data exfiltration. The attack chain combines several malicious capabilities: persistent clipboard monitoring, theft of mnemonic phrases and private keys, screenshot capture and upload, and “address replacement”, in which a copied cryptocurrency wallet address is swapped for an attacker-controlled one so that funds are redirected.
In addition, this trojan exhibits worm-like propagation behavior, automatically replicating itself onto USB drives and other devices, creating scheduled tasks for persistence, and incorporating basic anti-analysis techniques (e.g., detecting Task Manager to evade debugging).
For detection, Microsoft has classified it as part of the Trojan:Win32/CryptoBandits family and implements blocking based on behavioral indicators—including anomalous WScript invocation, proxy traffic to localhost:9050, and PowerShell-based screenshot activity. Security researchers recommend prioritizing protection of script execution paths and monitoring for anomalous local proxy traffic.
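As an added defender-side example, not part of Microsoft's report or this article, the following Python triages a constructed set of endpoint events for the three behavioural indicators named above: WScript launched from removable media, loopback connections to the Tor SOCKS port 9050, and PowerShell screen capture. The event schema, the removable drive letter E:, and the .NET `CopyFromScreen` marker used to recognise screenshot activity are assumptions.

```python
"""Behavioural triage for CryptoBandits-style indicators over constructed telemetry.

Events are plain dicts: kind ("process" | "network"), pid, image, cmdline,
and for network events dst_ip / dst_port. The schema is an assumption made
for this example, not a real agent's format.
"""

TOR_SOCKS_PORT = 9050
# Assumption: the endpoint agent tells us which drive letters are removable.
REMOVABLE_DRIVES = ("E:",)
# Assumption: .NET screen-capture API names as they appear in a PowerShell command line.
SCREENSHOT_MARKERS = ("CopyFromScreen", "System.Drawing.Bitmap")


def check_event(ev: dict) -> list[str]:
    """Return the indicator names a single event matches (empty if benign)."""
    findings = []
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    if ev["kind"] == "process":
        # Script host started with a script path on removable media.
        if image.endswith("wscript.exe") and any(d.lower() in cmd for d in REMOVABLE_DRIVES):
            findings.append("wscript_from_removable_media")
        # PowerShell invoking screen-capture APIs.
        if image.endswith("powershell.exe") and any(m.lower() in cmd for m in SCREENSHOT_MARKERS):
            findings.append("powershell_screenshot")
    elif ev["kind"] == "network":
        # Any process talking to the local Tor SOCKS port; tune for hosts that run Tor legitimately.
        if ev.get("dst_ip") == "127.0.0.1" and ev.get("dst_port") == TOR_SOCKS_PORT:
            findings.append("loopback_tor_proxy_use")
    return findings


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Group matched indicators by pid so correlated hits on one process stand out."""
    hits: dict[int, list[str]] = {}
    for ev in events:
        for name in check_event(ev):
            hits.setdefault(ev["pid"], []).append(name)
    return hits


# Constructed sample events (not captured from a real infection).
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "E:\photos\update.vbs"'},
    {"kind": "network", "pid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
    {"kind": "process", "pid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -Command "Add-Type -AssemblyName System.Drawing; ...CopyFromScreen..."'},
    {"kind": "process", "pid": 300, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"kind": "network", "pid": 400, "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    for pid, names in triage(SAMPLE_EVENTS).items():
        print(pid, names)
```

A process that matches more than one indicator (here pid 100, script host plus Tor proxy use) is the strongest signal and the first to isolate.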