{"id":353183,"date":"2026-06-19T09:49:32","date_gmt":"2026-06-19T04:19:32","guid":{"rendered":"https:\/\/ebiztoday.news\/?p=353183"},"modified":"2026-06-19T09:49:32","modified_gmt":"2026-06-19T04:19:32","slug":"microsoft-discovers-recent-lightweight-backdoor-that-steals-cryptocurrency","status":"publish","type":"post","link":"https:\/\/ebiztoday.news\/index.php\/2026\/06\/19\/microsoft-discovers-recent-lightweight-backdoor-that-steals-cryptocurrency\/","title":{"rendered":"Microsoft discovers recent lightweight backdoor that steals cryptocurrency"},"content":{"rendered":"<div>\n<p>Microsoft says it has detected recent self-propagating malware that spreads through USB drives looking for cryptocurrency credentials, which it then sends to attacker-controlled servers.<\/p>\n<p>The company named the worm Crypto Clipper since it monitors the contents of device clipboards for patterns consistent with wallet addresses or seed phrases. When found, the malware also takes five screenshots over a 10-second period. Both the credentials and the screenshots are then sent to the attacker through Tor, a network protocol that provides anonymous routing by sending traffic through redundant nodes so logs can\u2019t capture both the sending and receiving IP addresses. Crypto Clipper establishes the Tor connection by utilizing a SOCKS5 proxy, a network protocol that sends traffic through a proxy server, which then forwards it to its final destination.<\/p>\n<h2>A light-weight backdoor<\/h2>\n<p>\u201cThe execution of this clipper is notable since it doesn&#8217;t rely upon a conventional installer or exposed IP-based C2 infrastructure,\u201d Microsoft <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/17\/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control\/\">said<\/a> Thursday. 
\u201cAs an alternative, it deploys a conveyable Tor client, routes traffic through an area SOCKS5 proxy, and blends data theft with distant code execution, turning a financially motivated stealer into a light-weight backdoor.\u201d<\/p>\n<p>Microsoft said it observed Crypto Clipper spreading through a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Shortcut_(computing)#Microsoft_Windows\">.lnk<\/a> file on a USB drive. These files store executable code. When an infected USB drive is plugged into a device, the code checks whether it&#8217;s already installed on the machine. If it isn\u2019t, the malware downloads it through the Tor proxy. To better conceal evidence of the worm, the malware scans the infected USB drive and names the .lnk files with similar names.<\/p>\n<\/p><\/div>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft says it has detected recent self-propagating malware that spreads through USB drives looking for cryptocurrency credentials, which it then sends to attacker-controlled servers. The company named the worm Crypto Clipper since it monitors the contents of device clipboards for patterns consistent with wallet addresses or seed phrases. 
When found, the malware also takes five [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":353184,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[19168,6331,1822,5530,92,12720],"class_list":["post-353183","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-backdoor","tag-cryptocurrency","tag-discovers","tag-lightweight","tag-microsoft","tag-steals"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/posts\/353183","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/comments?post=353183"}],"version-history":[{"count":2,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/posts\/353183\/revisions"}],"predecessor-version":[{"id":353186,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/posts\/353183\/revisions\/353186"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/media\/353184"}],"wp:attachment":[{"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/media?parent=353183"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/categories?post=353183"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ebiztoday.news\/index.php\/wp-json\/wp\/v2\/tags?post=353183"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}