Key Findings Windows-based clipper malware campaign active since February 2026 targets cryptocurrency wallets through USB-distributed LNK shortcut files Malware uses bundled Tor client with SOCKS5 proxy to communicate with hidden-service C2 servers, avoiding traditional IP-based infrastructure detection Attack chain involves worm component that replicates across USB drives by masking itself as legitimate documents like DOC, XLSX, and PDF files Clipper steals BIP39 seed phrase