Microsoft has identified an ongoing malware campaign targeting Windows users with a cryptocurrency clipper that silently replaces copied wallet addresses with attacker-controlled ones. The malware, active since February 2026, uses Windows Script Host and ActiveX to launch a bundled Tor proxy, communicating with a dark web command-and-control server to evade detection. The use of USB LNK worm propagation significantly widens the potential blast radius, including air-gapped or enterprise environments where USB devices are in common use.

Security Architect’s Take: Review and enforce endpoint controls to block Windows Script Host (wscript.exe/cscript.exe) and ActiveX execution via Group Policy or Defender Attack Surface Reduction rules, and implement USB device restrictions through Intune or equivalent MDM to prevent LNK-based worm propagation across enterprise environments.

Original advisory: Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2