[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNOr3vwapvoezMXz6ZxJvNEQ7CRJDXyvld1_TrSOGB2I":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":26,"created_at":27,"published_at":28,"article":29,"tags":33,"podcasts":52},"479b0e7d-28f4-471f-b857-1ee21782e143","usb-lnk-worm-deploys-crypto-clipper-via-tor-based-c2","afeabea2-ca31-411f-91dc-cc94227df956","USB LNK Worm Deploys Crypto Clipper via Tor-Based C2","This campaign exploits user interaction with USB devices to spread a LNK-based worm that silently deploys a cryptocurrency clipper, demonstrating how physical media remains a potent initial access vector. The malware substitutes clipboard wallet addresses and exfiltrates screenshots, meaning victims lose funds without obvious indicators of compromise. By routing C2 traffic through a bundled Tor proxy, the attackers effectively evade network-level detection and domain blocklists. This matters because cryptocurrency transactions are irreversible, making prevention and early detection the only meaningful defenses — post-theft recovery is rarely possible.","**Immediate actions:**\n- Disable AutoRun\u002FAutoPlay for all removable media via Group Policy to prevent LNK worm execution on USB insertion.\n- Block or restrict Tor traffic at the network perimeter using firewall rules and DNS filtering to cut off C2 communication.\n- Deploy endpoint detection rules that alert on clipboard-monitoring processes and unexpected screenshot activity.\n\n**Long-term improvements:**\n- Enforce application whitelisting (e.g., via Windows Defender Application Control) to prevent execution of unsigned or unknown binaries dropped by worms.\n- Implement USB device control policies that restrict which removable media can be mounted based on device ID or hardware class.\n- Conduct regular user training on the risks of untrusted USB devices, including simulated USB drop exercises.\n\n**Detection measures:**\n- Monitor and alert on processes that access clipboard APIs at high frequency, particularly those spawned from removable media paths.\n- Establish network baseline monitoring to flag anomalous encrypted outbound connections, especially to known Tor entry nodes.\n- Enable and centralize Windows Event Logs (Process Creation, Network Connections) and feed them into a SIEM for correlation against IOC feeds.",[12,13,14,15,16,17,18,19,20,21,22,23,24,25],"CIS Control 10 – Malware Defenses","CIS Control 13 – Network Monitoring and Defense","CIS Control 6 – Access Control Management (removable media)","NIST SP 800-53 SC-18 – Mobile Code","NIST SP 800-53 SI-3 – Malicious Code Protection","NIST SP 800-53 AU-12 – Audit Record Generation","NIST SP 800-53 SC-7 – Boundary Protection","NIST Cybersecurity Framework DE.CM-1 – Network Monitoring","NIST Cybersecurity Framework PR.AT-1 – User Awareness Training","ISO\u002FIEC 27001 A.8.19 – Installation of Software on Operational Systems","ISO\u002FIEC 27001 A.6.7 – Remote Working (endpoint hygiene)","MITRE ATT&CK T1115 – Clipboard Data","MITRE ATT&CK T1091 – Replication Through Removable Media","MITRE ATT&CK T1090.003 – Proxy: Multi-hop Proxy (Tor)","published","2026-06-18T16:20:42.193525+00:00","2026-06-18T16:20:41.907+00:00",{"id":7,"url":30,"slug":31,"title":32},"https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fmicrosoft-details-windows-clipper.html","microsoft-details-windows-clipper-malware-campaign-using-usb-lnk-worm-and-tor-ba-d25d14","Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2",[34,40,46],{"id":35,"name":36,"slug":37,"description":38,"color":39},"1732a005-556e-411c-a9db-5edec3058571","Logging & Monitoring","logging-monitoring","Missing logs, no alerting, blind spots","#a855f7",{"id":41,"name":42,"slug":43,"description":44,"color":45},"7261eb8f-acd4-4d93-a489-7fdd652ec0ea","Security Awareness","security-awareness","Phishing, social engineering, human error","#22c55e",{"id":47,"name":48,"slug":49,"description":50,"color":51},"859cf0ad-a7e9-42bb-a75d-bac6511fa5d5","Configuration Management","configuration-management","Misconfigs, default credentials, exposed services","#eab308",[]]