USB Malware Campaign Steals Cryptocurrency via Hidden Tor Network, Evades Detection with Advanced Obfuscation
June 18, 2026
A cryptocurrency-stealing malware campaign propagates via malicious .lnk shortcuts on USB drives and operates as a portable backdoor that uses Windows Script Host and ActiveX to launch a bundled Tor proxy, communicating with a hidden-service C2 over Tor and avoiding traditional IP-based infrastructure.
The attack chain comprises two components: a worm that spreads through USB-borne .lnk shortcuts, and a clipper/stealer that monitors the clipboard to swap wallet addresses, captures screenshots, and executes attacker-supplied code when the C2 issues an EVAL command.
Defense evasion relies on layered obfuscation and anti-analysis checks rather than on any single trick: the Python components are protected with PyArmor, the JavaScript payloads carry two layers of obfuscation, anti-analysis gates enumerate running processes before the payload proceeds, and the bundled Tor components ship as renamed binaries so they do not stand out by file name.
MITRE ATT&CK techniques observed include Replication Through Removable Media (T1091) for initial access, Command and Scripting Interpreter (T1059) for the EVAL-driven remote code execution, Process Discovery (T1057) used as an anti-analysis gate, Scheduled Task (T1053.005) for persistence, Obfuscated Files or Information (T1027), Clipboard Data (T1115) and Screen Capture (T1113) for collection, and Tor-based command and control (Proxy: Multi-hop Proxy, T1090.003).
Defensive signals highlighted include script interpreters (wscript.exe/cscript.exe) spawning unexpected child processes, connections to the local Tor SOCKS port (127.0.0.1:9050), recurring screen captures, clipboard monitoring, and Microsoft Defender detection names such as Trojan:Win32/CryptoBandits.A.
Defenses should prioritize behavioral indicators over static signatures: PowerShell-driven screen capture, abuse of wscript.exe/cscript.exe, and clipboard or screen-capture activity on devices that handle wallets or other sensitive data. Hardening measures include disabling AutoRun/AutoPlay for removable media, blocking .lnk execution from removable drives, and restricting wscript.exe and cscript.exe (for example with AppLocker or WDAC rules, or by disabling Windows Script Host where it is not needed).
Detection should emphasize unusual process activity and unexpected tool launches, in particular script interpreters spawning children they have no business spawning, so an infection can be identified early rather than at exfiltration time.
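The behavioral signals above can be triaged without any signature. The following is an added example written for this page, not Microsoft's detection logic and not code from the campaign: it runs a handful of rules over constructed Sysmon-style process, network, and clipboard events and flags a script host launched from a non-system drive, unexpected children of wscript.exe/cscript.exe, non-Tor processes talking to the local Tor SOCKS port, repeated PowerShell screen capture, and a wallet-address swap in the clipboard. The event field names, the set of processes allowed to use the local SOCKS port, and the assumption that C: is the only fixed drive are all assumptions of the example.

```python
"""Behavioral triage for the USB LNK worm / Tor clipper pattern (added example)."""
import re
from collections import Counter

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "schtasks.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
TOR_SOCKS_PORTS = {9050, 9150}                      # Tor daemon / Tor Browser default SOCKS ports
EXPECTED_TOR_CLIENTS = {"tor.exe", "firefox.exe"}  # assumption: sanctioned Tor users in this environment
SYSTEM_DRIVE = "C:"                                 # assumption: any other drive letter is treated as removable
SCRIPT_PATH_RE = re.compile(r'\b([A-Z]:)\\[^\s"]+\.(?:js|jse|vbs|vbe|wsf)\b', re.I)
SCREEN_CAPTURE_RE = re.compile(r"CopyFromScreen|Graphics\.FromImage", re.I)
BTC_RE = re.compile(r"^(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def looks_like_wallet(text):
    return bool(BTC_RE.match(text) or ETH_RE.match(text))

def check_process(ev):
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev.get("cmdline", "")
    out = []
    if img in SCRIPT_HOSTS:                          # script host running a script from a non-system drive
        m = SCRIPT_PATH_RE.search(cmd)
        if m and m.group(1).upper() != SYSTEM_DRIVE:
            out.append(("script_host_from_removable", ev["pid"], m.group(0)))
    if parent in SCRIPT_HOSTS and img in SUSPICIOUS_CHILDREN:
        out.append(("script_host_child", ev["pid"], f"{parent} -> {img}"))
    if img in POWERSHELL and SCREEN_CAPTURE_RE.search(cmd):
        out.append(("powershell_screen_capture", ev["pid"], img))
    return out

def check_network(ev):
    # Loopback traffic to a Tor SOCKS port from anything that is not a known Tor client
    if (ev["dst_ip"] in ("127.0.0.1", "::1") and ev["dst_port"] in TOR_SOCKS_PORTS
            and basename(ev["image"]) not in EXPECTED_TOR_CLIENTS):
        return [("local_tor_socks", ev["pid"], f"{basename(ev['image'])} -> :{ev['dst_port']}")]
    return []

def check_clipboard(clips, window=2.0):
    """A wallet-looking value replaced by a different wallet-looking value, by another
    process, within `window` seconds: the clipper signature."""
    out = []
    for prev, cur in zip(clips, clips[1:]):
        if (looks_like_wallet(prev["text"]) and looks_like_wallet(cur["text"])
                and prev["text"] != cur["text"] and prev["pid"] != cur["pid"]
                and 0 <= cur["t"] - prev["t"] <= window):
            out.append(("clipboard_wallet_swap", cur["pid"], f"{prev['text'][:10]}.. -> {cur['text'][:10]}.."))
    return out

def triage(events, capture_threshold=3):
    alerts, captures = [], Counter()
    for ev in events:
        if ev["type"] == "process":
            found = check_process(ev)
            if any(kind == "powershell_screen_capture" for kind, _, _ in found):
                captures[ev["ppid"]] += 1            # count capture launches per parent
            alerts += found
        elif ev["type"] == "network":
            alerts += check_network(ev)
    alerts += check_clipboard([e for e in events if e["type"] == "clipboard"])
    for ppid, n in captures.items():
        if n >= capture_threshold:
            alerts.append(("recurring_screen_capture", ppid, f"{n} captures spawned by pid {ppid}"))
    return alerts

def summarize(alerts):
    counts = {}
    for kind, _, _ in alerts:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed sample telemetry (not from any real incident); paths and task name are made up.
WSCRIPT = r"C:\Windows\System32\wscript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CAPTURE_CMD = ("powershell -nop -w hidden -c \"Add-Type -AssemblyName System.Drawing; "
               "$b = New-Object Drawing.Bitmap 1920,1080; "
               "[Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size); "
               "$b.Save('C:\\Users\\Public\\s.png')\"")

def proc(t, pid, ppid, image, parent, cmdline):
    return {"type": "process", "t": t, "pid": pid, "ppid": ppid,
            "image": image, "parent": parent, "cmdline": cmdline}

EVENTS = [
    proc(0.0, 1200, 800, WSCRIPT, r"C:\Windows\explorer.exe", f'"{WSCRIPT}" //e:jscript "E:\\update.js"'),
    proc(0.5, 1300, 1200, r"C:\Windows\System32\schtasks.exe", WSCRIPT,
         'schtasks.exe /create /sc onlogon /tn Update /tr "wscript.exe //e:jscript C:\\Users\\Public\\update.js"'),
    {"type": "network", "t": 2.0, "pid": 1200, "image": WSCRIPT, "dst_ip": "127.0.0.1", "dst_port": 9050},
    {"type": "network", "t": 2.1, "pid": 1450, "image": r"C:\Program Files\Tor Browser\Browser\firefox.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9150},                          # sanctioned Tor Browser, not flagged
    *[proc(10.0 + 60 * i, 1600 + i, 1200, PS, WSCRIPT, CAPTURE_CMD) for i in range(3)],
    {"type": "clipboard", "t": 30.0, "pid": 900, "text": "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"},
    {"type": "clipboard", "t": 30.4, "pid": 1200, "text": "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"},
    {"type": "clipboard", "t": 45.0, "pid": 900, "text": "meeting notes"},  # benign copy, not flagged
]

if __name__ == "__main__":
    for kind, pid, detail in triage(EVENTS):
        print(f"{kind:28} pid={pid:<6} {detail}")
```

The clipboard rule is the one worth tuning: a user who copies two different addresses in quick succession from the same application produces no alert because the producing process does not change, whereas a clipper rewriting the clipboard from its own process does. The removable-drive heuristic is deliberately coarse; in production, resolve the drive type rather than assuming anything beyond C: is removable.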
C2 endpoints are .onion hidden-service addresses; beaconing, payload download, and file uploads (screenshots) travel as HTTP through the local SOCKS5 proxy the bundled Tor client exposes. Commands include EVAL, which executes attacker-supplied code, alongside protocol messages named GUID, SEED, PKEY, REPL, and GOOD.
Stolen data and screenshots are exfiltrated to attacker-controlled servers through the Tor network using a SOCKS5 proxy to anonymize traffic.
The stealer saves captured seed phrases locally, retries transmission over Tor until the C2 acknowledges receipt, and only then deletes the local copy.
Active since at least February, the campaign relies on Tor to conceal its communications; the reporting stresses monitoring USB-borne threats along with anomalous clipboard and screen-capture activity.
Summary based on 5 sources
Sources

Ars Technica • Jun 18, 2026
Microsoft discovers new lightweight backdoor that steals cryptocurrency
Microsoft Security Blog • Jun 17, 2026
Crypto Clipper uses Tor and worm-like propagation for persistence and control
The Hacker News • Jun 18, 2026
Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2
Security Affairs • Jun 18, 2026
Tor-Based Clipper Malware Targets Wallet Seed Phrases