EXECUTIVE SUMMARY:
A newly observed cryptocurrency-focused malware campaign, known as Crypto Clipper, targets Windows systems by monitoring clipboard activity and covertly replacing legitimate cryptocurrency wallet addresses with attacker-controlled alternatives. The malware is designed to steal digital assets by redirecting transactions without alerting users. Beyond wallet substitution, the threat incorporates screenshot capture, remote command execution, and stealth capabilities that enable long-term access to compromised devices while maintaining a low operational profile.
Crypto Clipper is distributed through malicious Windows shortcut files and demonstrates worm-like propagation by copying itself to removable drives and accessible locations, increasing its ability to spread between systems. Once executed, the malware establishes persistence through scheduled tasks and launches a bundled Tor client that communicates with hidden command-and-control infrastructure via a local SOCKS5 proxy. The malware employs obfuscation and scripting techniques to evade detection while collecting clipboard data, capturing screenshots, and receiving additional instructions from remote operators. By continuously monitoring copied cryptocurrency addresses and replacing them with attacker-controlled wallets, the malware can silently redirect funds intended for legitimate recipients.
This campaign demonstrates the evolution of cryptocurrency-focused malware from simple clipboard manipulators into multifunctional threats capable of persistence, remote control, data theft, and self-propagation. By integrating Tor-based communications, worm-like distribution, and wallet-address substitution, the malware increases both its operational resilience and financial impact. Organizations should prioritize monitoring for suspicious script execution, unauthorized Tor activity, clipboard manipulation behaviors, and unusual screenshot or data-exfiltration activity to reduce the risk of compromise and cryptocurrency theft.
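A defender-side check for the clipboard-substitution behaviour described above, added here as an example and not part of the original advisory: it replays a constructed sequence of clipboard snapshots, as a host-monitoring agent polling the clipboard would see them, and flags the moment a copied wallet address is silently replaced by a different address of the same family within a short window. The address patterns, the five-second window and the sample values are assumptions.

```python
import re

# Address families a clipper typically targets. The patterns are simplified
# assumptions that classify a string by shape; they do not validate checksums.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$"),
}

def classify(text):
    """Return the address family of `text` ('btc', 'eth', 'xmr') or None."""
    value = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return family
    return None

def detect_swaps(snapshots, window_s=5.0):
    """snapshots: list of (timestamp_seconds, clipboard_text) from a poller.
    Flags an address replaced by a *different* address of the same family within
    `window_s`: users rarely copy two unrelated addresses of one coin seconds
    apart, but that is exactly what a clipper's substitution looks like."""
    alerts = []
    prev_ts, prev_text = None, None
    for ts, text in snapshots:
        fam = classify(text)
        if (prev_text is not None and fam is not None
                and classify(prev_text) == fam
                and prev_text.strip() != text.strip()
                and ts - prev_ts <= window_s):
            alerts.append({"family": fam, "original": prev_text.strip(),
                           "replacement": text.strip(), "delta_s": ts - prev_ts})
        prev_ts, prev_text = ts, text
    return alerts

# Constructed sample: the user copies an ETH address and 0.3 s later the
# clipboard holds a different ETH address (a swap); the BTC copy minutes
# later is unrelated and must not alert.
SAMPLE = [
    (1000.0, "meeting notes"),
    (1010.0, "0x" + "ab" * 20),
    (1010.3, "0x" + "cd" * 20),
    (1200.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE):
        print(f"[ALERT] {a['family']} address swapped after {a['delta_s']:.1f}s: "
              f"{a['original']} -> {a['replacement']}")
```

The same transition check can be fed from a real clipboard poller; the heuristic fires on the swap itself, independent of how the clipper process is named or obfuscated.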
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Execution | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Stealth | T1027.013 | Obfuscated Files or Information | Encrypted/Encoded File |
| Stealth | T1218.005 | System Binary Proxy Execution | Mshta |
| Discovery | T1057 | Process Discovery | - |
| Lateral Movement | T1091 | Replication Through Removable Media | - |
| Collection | T1115 | Clipboard Data | - |
| Collection | T1113 | Screen Capture | - |
| Command and Control | T1090.003 | Proxy | Multi-hop Proxy |
| Command and Control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
| Command and Control | T1105 | Ingress Tool Transfer | - |
| Impact | T1565.001 | Data Manipulation | Stored Data Manipulation |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Collection | B0028 | Cryptocurrency |
| Collection | E1056 | Input Capture |
| Collection | E1113 | Screen Capture |
| Command and Control | B0031 | Domain Name Generation |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | B0025 | Conditional Execution |
| Defense Evasion | E1027 | Obfuscated Files or Information |
| Defense Evasion | F0001 | Software Packing |
| Defense Evasion | E1564 | Hide Artifacts |
| Defense Evasion | F0005 | Hidden Files and Directories |
| Discovery | B0013 | Analysis Tool Discovery |
| Execution | B0011 | Remote Commands |
| Exfiltration | E1020 | Automated Exfiltration |
| Impact | B0018 | Resource Hijacking |
| Impact | B0019 | Manipulate Network Traffic |
| Lateral Movement | E1195 | Supply Chain Compromise |
| Lateral Movement | B0020 | Send Email |
| Persistence | B0035 | Shutdown Event |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Persistence | F0013 | Bootkit |
REFERENCES:
The following reports contain further technical details: