# [CRIT] Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2

**Source:** The Hacker News
**Published:** 2026-06-18
**Article:** https://thehackernews.com/2026/06/microsoft-details-windows-clipper.html

## Threat Profile

**Byline:** Ravie Lakshmanan, Jun 18, 2026 (Malware / Cryptocurrency)
Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February 2026.
"The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 [command-and-control] server," the Microsoft Defender Security Research Team sai…

## Indicators of Compromise (high-fidelity only)

- _No high-fidelity IOCs in the RSS summary._ If the source publishes a technical write-up with defanged IOCs in the body, those would be picked up automatically on the next pipeline run.

## MITRE ATT&CK Techniques

- **T1071.001** — Web Protocols
- **T1071.004** — DNS
- **T1539** — Steal Web Session Cookie
- **T1555.003** — Credentials from Web Browsers
- **T1053.005** — Scheduled Task
- **T1059.001** — PowerShell
- **T1027** — Obfuscated Files or Information
- **T1091** — Replication Through Removable Media
- **T1204.001** — User Execution: Malicious Link
- **T1059.005** — Visual Basic
- **T1059.007** — JavaScript
- **T1105** — Ingress Tool Transfer
- **T1053.005** — Scheduled Task/Job: Scheduled Task
- **T1547** — Boot or Logon Autostart Execution
- **T1090.003** — Proxy: Multi-hop Proxy
- **T1572** — Protocol Tunneling
- **T1036.005** — Masquerading: Match Legitimate Name or Location
- **T1113** — Screen Capture

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### USB-borne LNK spawns wscript/cscript referencing removable drive path

`UC_15_4` · phase: **delivery** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.parent_process_name=explorer.exe
      Processes.process_name IN ("wscript.exe","cscript.exe")
      (Processes.process_path="*.lnk*" OR Processes.process="*.lnk*"
        OR Processes.process="*:\\*.vbs*" OR Processes.process="*:\\*.js*")
    by Processes.dest Processes.user Processes.parent_process Processes.process Processes.process_path
| `drop_dm_object_name(Processes)`
| where match(process,"(?i)[D-Z]:\\\\")
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "explorer.exe"
| where FileName in~ ("wscript.exe","cscript.exe")
| where ProcessCommandLine matches regex @"(?i)[D-Z]:\\"
   or ProcessCommandLine has_any (".lnk",".vbs",".js",".vbe",".jse")
| where AccountName !endswith "$"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          ParentImage = InitiatingProcessFolderPath,
          ParentCmd = InitiatingProcessCommandLine
| order by Timestamp desc
```

### WScript/CScript spawning curl, cmd, or PowerShell (Microsoft-recommended clipper signal)

`UC_15_5` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.parent_process_name IN ("wscript.exe","cscript.exe")
      Processes.process_name IN ("curl.exe","cmd.exe","powershell.exe","pwsh.exe","bitsadmin.exe",
                                 "certutil.exe","wget.exe","mshta.exe","regsvr32.exe","rundll32.exe")
    by Processes.dest Processes.user Processes.parent_process Processes.process Processes.process_path
| `drop_dm_object_name(Processes)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("wscript.exe","cscript.exe")
| where FileName in~ ("curl.exe","cmd.exe","powershell.exe","pwsh.exe","bitsadmin.exe","certutil.exe","wget.exe","mshta.exe","regsvr32.exe","rundll32.exe")
| where AccountName !endswith "$"
| project Timestamp, DeviceName, AccountName,
          ParentScript = InitiatingProcessCommandLine,
          ParentFolder = InitiatingProcessFolderPath,
          ChildProcess = FileName,
          ChildCmd = ProcessCommandLine
| order by Timestamp desc
```

### Scheduled task registers wscript/cscript-launched payload for clipper persistence

`UC_15_6` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name=schtasks.exe
      (Processes.process="*/Create*" OR Processes.process="* /CREATE *")
      (Processes.process="*wscript*" OR Processes.process="*cscript*")
      (Processes.process="*\\AppData\\*" OR Processes.process="*\\Temp\\*"
        OR Processes.process="*\\ProgramData\\*" OR Processes.process="*\\Public\\*"
        OR Processes.process="*\\Users\\Public\\*")
    by Processes.dest Processes.user Processes.parent_process Processes.process
| `drop_dm_object_name(Processes)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has_any ("/Create","/CREATE")
| where ProcessCommandLine has_any ("wscript","cscript")
| where ProcessCommandLine has_any ("\\AppData\\","\\Temp\\","\\ProgramData\\","\\Public\\","\\Users\\Public\\")
| where AccountName !endswith "$"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
          Parent = InitiatingProcessFileName,
          ParentCmd = InitiatingProcessCommandLine
| order by Timestamp desc
```

### Local SOCKS5 listener on Tor-default port from non-browser binary (bundled Tor proxy)

`UC_15_7` · phase: **c2** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Network_Traffic.All_Traffic
    where (All_Traffic.dest_port=9050 OR All_Traffic.dest_port=9150)
      (All_Traffic.dest_ip="127.0.0.1" OR All_Traffic.dest_ip="::1")
    by All_Traffic.src All_Traffic.dest_port All_Traffic.app All_Traffic.process_name
| `drop_dm_object_name(All_Traffic)`
| where NOT (process_name IN ("tor.exe","firefox.exe","tor-browser.exe","brave.exe"))
```

**Defender KQL:**
```kql
let TorPorts = dynamic([9050, 9150]);
let KnownTorClients = dynamic(["tor.exe","firefox.exe","tor-browser.exe","brave.exe","torbrowser.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType in ("ConnectionSuccess","ConnectionAttempt","ListeningConnectionCreated")
| where RemotePort in (TorPorts) or LocalPort in (TorPorts)
| where RemoteIP in ("127.0.0.1","::1") or LocalIP in ("127.0.0.1","::1")
| where InitiatingProcessFileName !in~ (KnownTorClients)
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath,
          InitiatingProcessCommandLine, InitiatingProcessSHA256,
          LocalIP, LocalPort, RemoteIP, RemotePort, ActionType
| order by Timestamp desc
```

### PowerShell screen capture via System.Drawing CopyFromScreen (Microsoft clipper signal)

`UC_15_8` · phase: **actions** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name IN ("powershell.exe","pwsh.exe")
      (Processes.process="*System.Drawing*" OR Processes.process="*CopyFromScreen*"
        OR Processes.process="*Drawing.Bitmap*" OR Processes.process="*Drawing.Graphics*")
    by Processes.dest Processes.user Processes.parent_process Processes.process
| `drop_dm_object_name(Processes)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe","pwsh.exe")
| where ProcessCommandLine has_any ("System.Drawing","CopyFromScreen","Drawing.Bitmap","Drawing.Graphics","FromImage","PrimaryScreen.Bounds")
| where AccountName !endswith "$"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
          Parent = InitiatingProcessFileName,
          ParentCmd = InitiatingProcessCommandLine
| order by Timestamp desc
```

### Beaconing — periodic outbound to small set of destinations

`UC_BEACONING` · phase: **c2** · confidence: **Medium**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count, values(All_Traffic.dest_port) AS ports
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.action="allowed" AND All_Traffic.dest_category!="internal"
    by _time span=10s, All_Traffic.src, All_Traffic.dest
| `drop_dm_object_name(All_Traffic)`
| streamstats current=f last(_time) AS prev_time by src, dest
| eval delta = _time - prev_time
| stats avg(delta) AS avg_delta stdev(delta) AS sd_delta count by src, dest
| where count > 30 AND sd_delta < 5 AND avg_delta>=30 AND avg_delta<=600
| sort - count
```

**Defender KQL:**
```kql
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteIPType == "Public" and ActionType == "ConnectionSuccess"
| project DeviceName, RemoteIP, RemotePort, Timestamp
| sort by DeviceName asc, RemoteIP asc, RemotePort asc, Timestamp asc
| extend prev_dev = prev(DeviceName, 1), prev_ip = prev(RemoteIP, 1),
         prev_port = prev(RemotePort, 1), prev_ts = prev(Timestamp, 1)
| where DeviceName == prev_dev and RemoteIP == prev_ip and RemotePort == prev_port
| extend delta_sec = datetime_diff('second', Timestamp, prev_ts)
| summarize conn_count = count(), avg_delta = avg(delta_sec), stdev_delta = stdev(delta_sec)
    by DeviceName, RemoteIP, RemotePort
| where conn_count > 30 and avg_delta between (30.0 .. 600.0) and stdev_delta < 5.0
| order by conn_count desc
```
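The SPL and KQL above both reduce to the same algorithm: group connections by (device, destination, port), take the gap between consecutive connections, and flag groups whose gaps are numerous, within a plausible beacon interval, and nearly constant. The Python below is an added example (not from the article, Microsoft, or the hunt pipeline) that runs that logic over constructed connection records so the thresholds can be tuned offline; the hostnames, the 203.0.113.0/24 documentation addresses, and the jitter pattern are all made up for the demonstration.

```python
"""Beaconing detector: offline version of the UC_BEACONING hunt logic (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev

# Thresholds copied from the SPL/KQL hunt: >30 connections, average gap between
# 30 s and 600 s, and a standard deviation of the gaps below 5 s.
MIN_CONNECTIONS = 30
MIN_AVG_DELTA = 30.0
MAX_AVG_DELTA = 600.0
MAX_STDEV = 5.0


def find_beacons(events, min_conn=MIN_CONNECTIONS, min_avg=MIN_AVG_DELTA,
                 max_avg=MAX_AVG_DELTA, max_sd=MAX_STDEV):
    """events: iterable of (timestamp: datetime, device, remote_ip, remote_port).

    Returns a list of dicts, one per (device, remote_ip, remote_port) tuple whose
    inter-connection timing is regular enough to look like a beacon, sorted by
    connection count descending (same shape as the hunt's final table).
    """
    groups = defaultdict(list)
    for ts, device, ip, port in events:
        groups[(device, ip, port)].append(ts)

    hits = []
    for (device, ip, port), stamps in groups.items():
        stamps.sort()                      # prev() in KQL / streamstats in SPL need time order
        if len(stamps) <= min_conn:
            continue
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg, sd = mean(deltas), stdev(deltas)   # sample stdev, as in both query languages
        if min_avg <= avg <= max_avg and sd < max_sd:
            hits.append({"device": device, "remote_ip": ip, "remote_port": port,
                         "conn_count": len(stamps),
                         "avg_delta": round(avg, 2), "stdev_delta": round(sd, 2)})
    hits.sort(key=lambda h: h["conn_count"], reverse=True)
    return hits


def build_sample_events():
    """Constructed sample telemetry (not real logs): four hosts with different timing."""
    base = datetime(2026, 6, 18, 9, 0, 0)
    events = []
    # WS-042: 40 connections every 60 s with sub-second jitter -> should fire.
    jitter = [0.0, 0.4, -0.3, 0.2]
    for i in range(40):
        events.append((base + timedelta(seconds=60 * i + jitter[i % 4]),
                       "WS-042", "203.0.113.10", 443))
    # WS-007: 35 connections at irregular human-like gaps -> stdev far above 5 s.
    gaps, t = [5, 120, 900, 2, 45], base
    for i in range(35):
        t += timedelta(seconds=gaps[i % 5])
        events.append((t, "WS-007", "203.0.113.20", 443))
    # WS-011: 40 connections every 5 s -> too fast for the 30 s lower bound (e.g. a sync client).
    for i in range(40):
        events.append((base + timedelta(seconds=5 * i), "WS-011", "203.0.113.30", 443))
    # WS-099: perfectly regular but only 10 connections -> below the count floor.
    for i in range(10):
        events.append((base + timedelta(seconds=60 * i), "WS-099", "203.0.113.40", 8443))
    return events


if __name__ == "__main__":
    for hit in find_beacons(build_sample_events()):
        print(hit)
```

Only WS-042 survives all three filters; the other three hosts show why each threshold exists (irregular gaps, too-short gaps, too few samples). The count floor and the 30 s lower bound are the first things to revisit when running this against real telemetry, because short-interval chatter from legitimate agents is the usual false-positive source.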

### Infostealer — non-browser process accessing browser cookie/login DBs

`UC_BROWSER_STEALER` · phase: **actions** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Filesystem
    where (Filesystem.file_path="*\\Google\\Chrome\\User Data\\*\\Login Data*"
        OR Filesystem.file_path="*\\Google\\Chrome\\User Data\\*\\Cookies*"
        OR Filesystem.file_path="*\\Microsoft\\Edge\\User Data\\*\\Login Data*"
        OR Filesystem.file_path="*\\Mozilla\\Firefox\\Profiles\\*\\logins.json*"
        OR Filesystem.file_path="*\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite*")
      AND NOT Filesystem.process_name IN ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe")
    by Filesystem.dest, Filesystem.process_name, Filesystem.file_path, Filesystem.user
| `drop_dm_object_name(Filesystem)`
```

**Defender KQL:**
```kql
DeviceFileEvents
| where Timestamp > ago(7d)
| where InitiatingProcessAccountName !endswith "$"
| where FolderPath has_any (@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\")
| where FileName in~ ("Login Data","Cookies","logins.json","cookies.sqlite")
| where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath, FileName, ActionType
```

### Scheduled task created with suspicious image / encoded args

`UC_SCHEDULED_TASK` · phase: **install** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name="schtasks.exe" AND Processes.process="*/create*"
      AND (Processes.process="*powershell*" OR Processes.process="*cmd.exe*"
        OR Processes.process="*rundll32*" OR Processes.process="*-enc*"
        OR Processes.process="*FromBase64*" OR Processes.process="*\\Users\\Public*"
        OR Processes.process="*\\AppData\\*")
    by Processes.dest, Processes.user, Processes.process, Processes.parent_process_name
| `drop_dm_object_name(Processes)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where AccountName !endswith "$"
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "/create"
| where ProcessCommandLine has_any ("powershell","cmd.exe","rundll32","-enc","FromBase64",@"\Users\Public",@"\AppData\")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
```

### PowerShell encoded / obfuscated command

`UC_PS_OBFUSCATED` · phase: **exploit** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name IN ("powershell.exe","pwsh.exe")
      AND (Processes.process="*-enc *" OR Processes.process="*EncodedCommand*"
        OR Processes.process="*FromBase64String*" OR Processes.process="*-nop*"
        OR Processes.process="*-w hidden*" OR Processes.process="*Invoke-Expression*"
        OR Processes.process="*IEX(*" OR Processes.process="*DownloadString*"
        OR Processes.process="*Net.WebClient*")
    by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name
| `drop_dm_object_name(Processes)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where AccountName !endswith "$"
| where FileName in~ ("powershell.exe","pwsh.exe")
| where ProcessCommandLine matches regex @"(?i)(-enc|encodedcommand|frombase64string|-nop|-w\s+hidden|invoke-expression|iex\s*\(|downloadstring|net\.webclient)"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
```

## Why this matters

Severity classified as **CRIT** based on: 9 use case(s) fired, 18 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
