Crypto Clipper Uses Tor and Worm-like Propagation for Persistence and Control

    Date: 06/18/2026

    Severity: High

    Summary

    Researchers identified a cryptocurrency clipper malware that spreads through malicious .LNK shortcut files and propagates like a worm via removable drives. It launches a bundled Tor client and communicates with hidden .onion C2 servers through a local SOCKS5 proxy (localhost:9050) to evade detection. The malware monitors the clipboard to steal and replace cryptocurrency wallet addresses, captures screenshots, and can receive remote commands from attackers. Its use of Tor, persistence mechanisms, and worm-like spreading makes it more advanced than a typical crypto clipper.

    Indicators of Compromise (IOC) List

    Domain/URL:

    cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion

    gfoqsewps57xcyxoedle2gd53o6jne6y5nq5eh25muksqwzutzq7b3ad.onion

    he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion

    lyhizqy2js2eh6ufngkbzntouiikdek5zsdj3qwa22b4z6knpqorgiad.onion

    j3bv7g27oramhbxxuv6gl3dcyfmf44qnvju3offdyrap7hurfprq74qd.onion

    shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion

    7goms4byw26kkbaanz5a5u5234gusot7rp5imzc3ozh66wwcvmcudjid.onion

    facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion

    wt26llpl5k6gok3vnaxmucwgzv2wk3l7nuibbh25clghrtus3p5ctsid.onion

    ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion

    Hash:

    7630debd35cac6b7d58c4427695579b3e3a8b1cc462f523234cd6c698882a68c

    a7abf1d9d6686af1cefcd60b17a312e7eb8cfe267def1ec34aeab6128c811630

    23c1e673f315dafa14b73034a90dd3d393a984451ff6601b8be8142be6487b43

    cf9fc891ea5ca5ecd8113ef3e69f6f52ff538b6cccbdaa9559106fc72bc6da30

    100407796028bf3649752d9d2a67a0e4394d752eb8de86daa42920e814f3fae8

    d14b80cbd1a19d4ad0473a0661297f8fdf598e81ff6c4ab24e212dcad2e54b3f

    9d90f54ae36c6c5435d5b8bed40faf54cc91f6db28574a6310b5ffaeb0362e96

    67fc5cf395e28294bbb91ed0e954fdf2e80ebd9119022a115a42c286dc8bacf5

    0020d23b0f9c5e6851a7f737af73fd143175ee47054931166369edd93338538a

    35a6bc44b176a050fd6824904b7604f0f45b0fdfa26bf9500b9e05973b387cfd

    c824630154ac4fdfce94ded01f037c305eab51e9bef3f493c60ff3184a640502

    d43bf94f0cb0ab97c88113b7e07d1a4024d1610617b5ad05882b1dbab89e15ba

    b2777b73a4c33ac6a409d475057843be6b5d32262ef28a1f1ff5bb52e3834c5f

    7787a9a7d8ae393aa32f257d083903c4dc9b97a1e5b0458c4cd480d4f3cb5b05

    f3b54984caca95fd496bcfe5d7db1611b08d2f5b7d250b43b430e5d76393f9e0

    20db98af3037b197c8a846dbf17b87fc6f049c3e0d9a188f9b9a74d3916dd5e1

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    sha256hash IN ("b2777b73a4c33ac6a409d475057843be6b5d32262ef28a1f1ff5bb52e3834c5f","d14b80cbd1a19d4ad0473a0661297f8fdf598e81ff6c4ab24e212dcad2e54b3f","67fc5cf395e28294bbb91ed0e954fdf2e80ebd9119022a115a42c286dc8bacf5","7787a9a7d8ae393aa32f257d083903c4dc9b97a1e5b0458c4cd480d4f3cb5b05","0020d23b0f9c5e6851a7f737af73fd143175ee47054931166369edd93338538a","35a6bc44b176a050fd6824904b7604f0f45b0fdfa26bf9500b9e05973b387cfd","23c1e673f315dafa14b73034a90dd3d393a984451ff6601b8be8142be6487b43","a7abf1d9d6686af1cefcd60b17a312e7eb8cfe267def1ec34aeab6128c811630","d43bf94f0cb0ab97c88113b7e07d1a4024d1610617b5ad05882b1dbab89e15ba","9d90f54ae36c6c5435d5b8bed40faf54cc91f6db28574a6310b5ffaeb0362e96","f3b54984caca95fd496bcfe5d7db1611b08d2f5b7d250b43b430e5d76393f9e0","c824630154ac4fdfce94ded01f037c305eab51e9bef3f493c60ff3184a640502","20db98af3037b197c8a846dbf17b87fc6f049c3e0d9a188f9b9a74d3916dd5e1","100407796028bf3649752d9d2a67a0e4394d752eb8de86daa42920e814f3fae8","cf9fc891ea5ca5ecd8113ef3e69f6f52ff538b6cccbdaa9559106fc72bc6da30","7630debd35cac6b7d58c4427695579b3e3a8b1cc462f523234cd6c698882a68c")

    Detection Query 2:

    domainname like "facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion" or url like "facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion" or siteurl like "facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion" or domainname like "lyhizqy2js2eh6ufngkbzntouiikdek5zsdj3qwa22b4z6knpqorgiad.onion" or url like "lyhizqy2js2eh6ufngkbzntouiikdek5zsdj3qwa22b4z6knpqorgiad.onion" or siteurl like "lyhizqy2js2eh6ufngkbzntouiikdek5zsdj3qwa22b4z6knpqorgiad.onion" or domainname like "ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion" or url like "ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion" or siteurl like "ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion" or domainname like "gfoqsewps57xcyxoedle2gd53o6jne6y5nq5eh25muksqwzutzq7b3ad.onion" or url like "gfoqsewps57xcyxoedle2gd53o6jne6y5nq5eh25muksqwzutzq7b3ad.onion" or siteurl like "gfoqsewps57xcyxoedle2gd53o6jne6y5nq5eh25muksqwzutzq7b3ad.onion" or domainname like "cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion" or url like "cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion" or siteurl like "cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion" or domainname like "he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion" or url like "he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion" or siteurl like "he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion" or domainname like "7goms4byw26kkbaanz5a5u5234gusot7rp5imzc3ozh66wwcvmcudjid.onion" or url like "7goms4byw26kkbaanz5a5u5234gusot7rp5imzc3ozh66wwcvmcudjid.onion" or siteurl like "7goms4byw26kkbaanz5a5u5234gusot7rp5imzc3ozh66wwcvmcudjid.onion" or domainname like "wt26llpl5k6gok3vnaxmucwgzv2wk3l7nuibbh25clghrtus3p5ctsid.onion" or url like "wt26llpl5k6gok3vnaxmucwgzv2wk3l7nuibbh25clghrtus3p5ctsid.onion" or siteurl like "wt26llpl5k6gok3vnaxmucwgzv2wk3l7nuibbh25clghrtus3p5ctsid.onion" or domainname like "j3bv7g27oramhbxxuv6gl3dcyfmf44qnvju3offdyrap7hurfprq74qd.onion" or url like "j3bv7g27oramhbxxuv6gl3dcyfmf44qnvju3offdyrap7hurfprq74qd.onion" or siteurl like "j3bv7g27oramhbxxuv6gl3dcyfmf44qnvju3offdyrap7hurfprq74qd.onion" or domainname like "shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion" or url like "shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion" or siteurl like "shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion"
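    The two queries above, re-expressed as plain Python so they can be run offline over a few sample log records. This is an added example, not Gurucul's TDIR query engine or code from the report: the hash and .onion values are the advisory's IOCs, and the field names sha256hash, domainname, url and siteurl follow the queries. The record layout, the extra fields dest_ip, dest_port and process, the allow-list of processes expected to use the local Tor port, and the sample records are constructed assumptions for this example. The third rule is a heuristic drawn from the summary (C2 traffic proxied through the local SOCKS5 listener on localhost:9050), not a query from the page.

```python
"""Offline IOC matching for the crypto-clipper advisory (added example)."""
from __future__ import annotations

# Detection Query 1: SHA-256 file hashes from the advisory's IOC list.
IOC_SHA256 = frozenset({
    "7630debd35cac6b7d58c4427695579b3e3a8b1cc462f523234cd6c698882a68c",
    "a7abf1d9d6686af1cefcd60b17a312e7eb8cfe267def1ec34aeab6128c811630",
    "23c1e673f315dafa14b73034a90dd3d393a984451ff6601b8be8142be6487b43",
    "cf9fc891ea5ca5ecd8113ef3e69f6f52ff538b6cccbdaa9559106fc72bc6da30",
    "100407796028bf3649752d9d2a67a0e4394d752eb8de86daa42920e814f3fae8",
    "d14b80cbd1a19d4ad0473a0661297f8fdf598e81ff6c4ab24e212dcad2e54b3f",
    "9d90f54ae36c6c5435d5b8bed40faf54cc91f6db28574a6310b5ffaeb0362e96",
    "67fc5cf395e28294bbb91ed0e954fdf2e80ebd9119022a115a42c286dc8bacf5",
    "0020d23b0f9c5e6851a7f737af73fd143175ee47054931166369edd93338538a",
    "35a6bc44b176a050fd6824904b7604f0f45b0fdfa26bf9500b9e05973b387cfd",
    "c824630154ac4fdfce94ded01f037c305eab51e9bef3f493c60ff3184a640502",
    "d43bf94f0cb0ab97c88113b7e07d1a4024d1610617b5ad05882b1dbab89e15ba",
    "b2777b73a4c33ac6a409d475057843be6b5d32262ef28a1f1ff5bb52e3834c5f",
    "7787a9a7d8ae393aa32f257d083903c4dc9b97a1e5b0458c4cd480d4f3cb5b05",
    "f3b54984caca95fd496bcfe5d7db1611b08d2f5b7d250b43b430e5d76393f9e0",
    "20db98af3037b197c8a846dbf17b87fc6f049c3e0d9a188f9b9a74d3916dd5e1",
})

# Detection Query 2: hidden-service C2 hostnames from the advisory's IOC list.
IOC_ONION = (
    "cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion",
    "gfoqsewps57xcyxoedle2gd53o6jne6y5nq5eh25muksqwzutzq7b3ad.onion",
    "he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion",
    "lyhizqy2js2eh6ufngkbzntouiikdek5zsdj3qwa22b4z6knpqorgiad.onion",
    "j3bv7g27oramhbxxuv6gl3dcyfmf44qnvju3offdyrap7hurfprq74qd.onion",
    "shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion",
    "7goms4byw26kkbaanz5a5u5234gusot7rp5imzc3ozh66wwcvmcudjid.onion",
    "facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion",
    "wt26llpl5k6gok3vnaxmucwgzv2wk3l7nuibbh25clghrtus3p5ctsid.onion",
    "ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion",
)

# The three fields Query 2 applies "like" to.
URL_FIELDS = ("domainname", "url", "siteurl")

# From the summary: C2 traffic goes through a local SOCKS5 proxy on port 9050.
TOR_SOCKS = ("127.0.0.1", 9050)
# Constructed assumption: processes that legitimately talk to a local Tor port.
EXPECTED_TOR_CLIENTS = frozenset({"tor.exe", "firefox.exe"})


def match_hash(record: dict) -> bool:
    """Query 1: exact SHA-256 match, normalised to lowercase hex."""
    digest = str(record.get("sha256hash", "")).strip().lower()
    return digest in IOC_SHA256


def match_onion(record: dict) -> str | None:
    """Query 2: SQL-style 'like', i.e. case-insensitive substring match on any
    URL field. Returns the matching onion hostname, or None."""
    for field in URL_FIELDS:
        value = str(record.get(field, "")).lower()
        if not value:
            continue
        for onion in IOC_ONION:
            if onion in value:
                return onion
    return None


def local_tor_proxy_use(record: dict) -> bool:
    """Heuristic: a process outside the allow-list connected to the local
    Tor SOCKS5 port (constructed field names dest_ip/dest_port/process)."""
    dest = (record.get("dest_ip"), record.get("dest_port"))
    proc = str(record.get("process", "")).lower()
    return dest == TOR_SOCKS and proc not in EXPECTED_TOR_CLIENTS


def triage(records) -> list[tuple[int, str]]:
    """Return (record index, reason) for every record that trips a rule."""
    hits = []
    for i, rec in enumerate(records):
        if match_hash(rec):
            hits.append((i, "ioc_sha256"))
        onion = match_onion(rec)
        if onion:
            hits.append((i, f"ioc_onion:{onion}"))
        if local_tor_proxy_use(rec):
            hits.append((i, "local_tor_socks"))
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    {"sha256hash": "B2777B73A4C33AC6A409D475057843BE6B5D32262EF28A1F1FF5BB52E3834C5F", "process": "sample.exe"},
    {"sha256hash": "0" * 64, "process": "notepad.exe"},
    {"url": "http://shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion/gate", "process": "sample.exe"},
    {"process": "sample.exe", "dest_ip": "127.0.0.1", "dest_port": 9050},
    {"process": "firefox.exe", "dest_ip": "127.0.0.1", "dest_port": 9050},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_RECORDS):
        print(f"record {idx}: {reason}")
```

    Hash matching is an exact set lookup, so normalise case before comparing; the `like` clauses in Query 2 are substring matches, which is why a full URL containing the hostname still triggers. The local-proxy rule is a heuristic rather than an IOC: a Tor Browser install will also connect to 127.0.0.1:9050, so any allow-list has to reflect what is actually expected on the endpoint.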

    Reference:

    https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/


    Tags

    Malware, cryptocurrency, LNK, Worm, TOR, Stealer
