Microsoft uncovers stealthy backdoor targeting crypto wallets

Summary
– Microsoft detected a new self-propagating worm called Crypto Clipper that spreads through USB drives and targets cryptocurrency credentials.
– The malware monitors device clipboards for wallet addresses or seed phrases and takes five screenshots over 10 seconds when found.
– Stolen credentials and screenshots are sent to attacker-controlled servers through Tor, using a SOCKS5 proxy for anonymous routing.
– Crypto Clipper does not rely on a traditional installer or exposed IP-based command-and-control infrastructure.
– The worm combines data theft with remote code execution, functioning as a lightweight backdoor rather than just a financial stealer.
Microsoft has uncovered a new strain of self-propagating malware specifically engineered to pilfer cryptocurrency credentials from infected devices. The worm spreads via USB drives and funnels stolen data to attacker-controlled servers.
Dubbed Crypto Clipper, this malware actively monitors a device’s clipboard for patterns matching wallet addresses or seed phrases. Once it detects a match, it captures five screenshots over a ten-second window. The stolen credentials and images are then exfiltrated through Tor, the anonymity network that obscures both the sending and receiving IP addresses. Crypto Clipper reaches Tor through a local SOCKS5 proxy: the malware hands its outbound traffic to the proxy, which relays it into the Tor network before it arrives at its final destination.
A lightweight backdoor with stealthy persistence
“The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure,” Microsoft explained on Thursday. “Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.”
By bypassing conventional command-and-control setups and relying on Tor for anonymity, Crypto Clipper represents a more elusive threat. Its worm-like propagation through USB drives means it can spread rapidly within an organization, while the combination of credential theft and remote code execution gives attackers a persistent foothold. Microsoft’s discovery underscores the growing sophistication of malware aimed at the cryptocurrency ecosystem, where even a simple clipboard monitor can evolve into a powerful backdoor.
(Source: Ars Technica)