HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Tor-Backed Clipper Malware Hijacks Clipboard to Steal Crypto Wallet Seed Phrases via USB Shortcuts

A new clipboard‑stealing malware family spreads via malicious .lnk files on USB drives, captures BIP‑39 seed phrases and private keys, and exfiltrates them through Tor. The incident highlights gaps in endpoint access controls and removable‑media policies that SOC 2 audits require organizations to address.

LiveThreat™ Intelligence · 📅 June 19, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
5 recommended
📰
Source
securityaffairs.com

Tor‑Backed Clipper Malware Hijacks Clipboard to Steal Crypto Wallet Seed Phrases via USB Shortcuts

What Happened – Microsoft Threat Intelligence observed a new “Clipper” malware family that spreads through malicious .lnk shortcut files on USB drives. The payload launches a bundled Tor client, monitors the Windows clipboard at 500 ms intervals, captures BIP‑39 seed phrases, private keys and wallet addresses, replaces copied addresses with attacker‑controlled ones, and exfiltrates the data via hidden‑service .onion C2.

Why It Matters for Compliance & Audit Readiness

  • The attack exploits weak endpoint‑access controls and lack of removable‑media policies—exactly the gaps SOC 2 CC6.1 (Logical Access) and CC6.2 (System Operations) are designed to address.
  • Continuous evidence of control enforcement (e.g., media‑use logging, clipboard‑monitoring alerts) is required to demonstrate due diligence during a SOC 2 audit.
  • Security Awareness Training is a core control (CC1.1) that mitigates user‑driven execution of malicious shortcuts.

Who Is Affected – Financial services, fintech platforms, cryptocurrency exchanges, and any organization whose employees handle crypto wallet credentials on Windows workstations.

Recommended Actions

  • Enforce a policy that blocks execution of .lnk files from removable media and logs any attempt.
  • Deploy endpoint detection that monitors clipboard access for high‑frequency reads of cryptographic material.
  • Harden access controls: least‑privilege for users handling wallet data, MFA for privileged accounts, and regular review of privileged‑access logs.
  • Conduct targeted security‑awareness training on the risks of removable media and clipboard hijacking.
  • Capture and retain logs of Tor‑related network traffic as audit evidence of control monitoring.

Technical Notes – The malware uses Windows Script Host and ActiveX to launch a local SOCKS5 proxy on port 9050, routes all C2 traffic through Tor, and stores stolen seed phrases locally before exfiltration. It also creates scheduled tasks to replicate onto newly inserted USB drives. Source: Security Affairs

📰 Original Source
https://securityaffairs.com/193860/uncategorized/tor-based-clipper-malware-targets-wallet-seed-phrases.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →