Crypto Clipper Malware 20: How Tor-Routed C2 and Local SOCKS5 Proxy Turn a Stealer into a Lightweight Backdoor + Video

Listen to this Post

Featured Image

Introduction

Since February 2026, a sophisticated cryptocurrency clipper malware campaign has been silently compromising Windows systems through an unlikely vector: malicious shortcut (.lnk) files distributed on USB storage devices. What sets this threat apart from traditional crypto stealers is its ingenious use of a portable Tor client and a local SOCKS5 proxy to route all command-and-control (C2) communications through the anonymity network. By renaming the Tor binary to `ugate.exe` and tunneling traffic through `localhost:9050` to `.onion` domains, the malware effectively blinds traditional DNS-based and IP-based security controls, transforming a financially motivated data stealer into a lightweight remote backdoor capable of executing arbitrary code on command.

Learning Objectives

  • Understand the complete attack chain of the Crypto Clipper malware, from USB-based initial access to Tor-routed C2 communication
  • Master behavioral detection techniques to identify Tor proxy usage, clipboard monitoring, and script-based malicious activity
  • Learn practical defense strategies including Group Policy hardening, PowerShell monitoring, and network-level Tor traffic detection
  1. Understanding the Attack Chain: From USB to Tor-Routed C2

The Crypto Clipper malware operates through a meticulously orchestrated multi-stage attack chain that begins with physical media and ends with anonymous remote control.

Initial Access via Malicious LNK Files

The infection vector relies on social engineering through USB storage devices. When a victim plugs in an infected USB drive and clicks what appears to be a legitimate document file (.doc, .xlsx, .pdf), they actually execute a malicious .lnk shortcut. The malware performs a crucial check: it verifies whether the system is already infected and halts execution if it detects an existing payload. If the system is clean, the malware fetches encrypted payloads from the C2 server through the Tor network.

Dual-Component Architecture

Once deployed, the malware installs two distinct components:

  1. Worm Component: Scans the system for document files, hides the originals, and replaces them with malicious shortcuts bearing identical names. It creates scheduled tasks that monitor for newly connected USB drives, automatically copying itself to any removable media it detects.

  2. Clipper/Stealer Component: This is the core payload that harvests cryptocurrency wallet information. It operates through Windows Script Host and ActiveXObject, running in a continuous loop that checks the clipboard every 500 milliseconds.

Tor-Routed C2 Communication

The malware’s most sophisticated feature is its network architecture. Instead of contacting a standard IP-based C2 server, it drops a renamed Tor binary (ugate.exe) and launches it in a hidden window. After waiting approximately 60 seconds for Tor to bootstrap, the malware generates a unique victim GUID and registers the infected device with a hidden-service C2 server. All subsequent communication—including stolen data exfiltration, screenshot uploads, and C2 polling—occurs through the local SOCKS5 proxy at `localhost:9050` to `.onion` domains.

Remote Code Execution Capability

Perhaps most concerning is the malware’s ability to execute arbitrary code. If the C2 server returns an `EVAL` response, the malware downloads JavaScript content into a file named `cfile` and executes it on the infected machine. This transforms the clipper from a passive data stealer into an active backdoor capable of deploying additional payloads, exfiltrating sensitive files, or conducting lateral movement.

2. Behavioral Detection: Identifying Infections Without Signatures

Microsoft researchers emphasize that the strongest detection signals for this threat are behavioral rather than signature-based. Traditional antivirus signatures are ineffective because the malware uses heavily obfuscated JavaScript and PyArmor-protected binaries.

Key Behavioral Indicators

Process Anomalies to Monitor:

| Indicator | What to Look For |

|–||

| Script interpreters spawning unexpected child processes | `wscript.exe` or `cscript.exe` launching curl.exe, powershell.exe, or `cmd.exe` |
| Local proxy usage | Network connections to `localhost:9050` or any process binding to port 9050 |
| Renamed Tor binary | Any process named `ugate.exe` or unexpected executables with Tor-related command-line arguments |
| Screen capture activity | PowerShell commands invoking screen-capture APIs |
| Clipboard inspection | Frequent access to clipboard contents, especially patterns matching cryptocurrency addresses |

PowerShell Commands for Detection

Security analysts can use the following PowerShell commands to hunt for indicators of compromise:

Detect localhost:9050 connections:

Get-1etTCPConnection -LocalPort 9050 | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
Get-Process -Id (Get-1etTCPConnection -LocalPort 9050).OwningProcess | Select-Object ProcessName, Id, Path

Identify script engines launching suspicious child processes:

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | 
Where-Object { $_.Message -match "curl|cmd|schtasks" } | 
Select-Object TimeCreated, Message

Detect renamed Tor binaries:

Get-Process | Where-Object { $<em>.ProcessName -eq "ugate" -or $</em>.Path -match "tor" } | 
Select-Object ProcessName, Id, Path, StartTime

Check for suspicious scheduled tasks:

schtasks /query /fo CSV /v | ConvertFrom-CSV | 
Where-Object { $<em>.TaskName -match "update|security|windows" -and $</em>.'Task To Run' -match "wscript|cscript|powershell" }

Linux-Based Network Detection (For Security Appliances)

For organizations running Linux-based network monitoring tools, the following commands can help detect Tor proxy activity:

 Monitor for Tor-related DNS queries
tcpdump -i any -1 port 53 | grep -E "torproject|onion"

Detect SOCKS5 proxy handshake patterns
tcpdump -i any -1 -A | grep -E "SOCKS|\x05"

Monitor connections to known Tor exit nodes (using exported list)
while read ip; do 
ss -tn | grep -q "$ip" && echo "Tor exit node connection detected: $ip"
done < tor_exit_nodes.txt

3. Network Defense: Blocking Tor-Routed C2 Traffic

Defending against Tor-routed malware requires a multi-layered approach that goes beyond traditional IP blacklisting.

Firewall and IPS Configuration

Block Tor proxy traffic at the network perimeter:

For Cisco ASA/FTD:

access-list OUTSIDE_IN deny tcp any any eq 9050
access-list OUTSIDE_IN deny tcp any any eq 9150
access-list OUTSIDE_IN deny udp any any eq 9050

For Linux iptables:

 Block common Tor ports
iptables -A OUTPUT -p tcp --dport 9050 -j DROP
iptables -A OUTPUT -p tcp --dport 9150 -j DROP
iptables -A OUTPUT -p udp --dport 9050 -j DROP

Block connections to known Tor directory authorities
for ip in 193.23.244.244 131.188.40.189 204.13.164.118; do
iptables -A OUTPUT -d $ip -j DROP
done

Enable SOCKS5 detection rules:

Many enterprise firewalls include IPS rules that detect SOCKS5 proxy activity. These rules typically run in Monitor mode by default; security teams should switch them to Block mode to prevent proxy-based threats.

DNS-Level Protection

Since the malware uses `.onion` domains that bypass traditional DNS resolution, organizations should:

  1. Block Tor exit node traffic: Subscribe to Tor exit node lists and block outbound connections to these IP ranges
  2. Monitor for Tor directory authority queries: DNS queries to `.torproject.org` or `www.theonionrouter.com` are strong indicators of Tor client activity
  3. Implement DNS sinkholing for known malicious domains associated with this campaign

Windows Group Policy Hardening

Microsoft recommends several Group Policy configurations to prevent LNK-based infections:

Disable AutoRun/AutoPlay for removable media:

Computer Configuration → Administrative Templates → Windows Components → AutoPlay Policies
→ Turn off AutoPlay: Enabled (All drives)

Block LNK execution from removable drives:

Computer Configuration → Administrative Templates → System → Removable Storage Access
→ All Removable Storage classes: Deny all access

Restrict script engine execution:

Computer Configuration → Administrative Templates → Windows Components → Windows Script Host
→ Disable Windows Script Host: Enabled

4. Malware Analysis: Unpacking PyArmor-Protected Payloads

The Crypto Clipper malware employs multi-layered obfuscation using PyArmor and PyInstaller to hinder analysis. PyArmor protects Python scripts by encrypting bytecode and applying anti-debugging techniques, while PyInstaller compiles everything into a standalone executable.

Anti-Analysis Evasion Techniques

The malware includes several anti-analysis checks:

  1. Task Manager Detection: The malware queries running processes and exits if `Task Manager` is detected
  2. Sandbox Evasion: Delays execution and checks for virtualized environments
  3. Obfuscated JavaScript: Drops heavily obfuscated JavaScript files into public document folders

Static Analysis Approach

For security researchers analyzing PyArmor-protected samples:

  1. Extract PyInstaller archive: Use tools like `pyinstxtractor.py` to extract the embedded Python bytecode
  2. Identify PyArmor signatures: Look for `pyarmor_runtime` imports and encrypted `.pye` files
  3. Memory dumping: Since PyArmor decrypts code at runtime, memory dumping during execution can reveal the original Python source

Dynamic Analysis Environment

When conducting dynamic analysis:

 Use a isolated Windows VM with network monitoring
 Capture all network traffic
tcpdump -i eth0 -w malware_traffic.pcap

Monitor process creation
sysmon -accepteula -i

Log registry and file system changes
Process Monitor (ProcMon) with filters for:
- Process: wscript.exe, cscript.exe, powershell.exe, cmd.exe
- Path: ugate.exe, tor, .onion
- Registry: Run, RunOnce, Scheduled Tasks

5. Incident Response: Containment and Eradication

When a Crypto Clipper infection is detected, follow this structured incident response approach.

Immediate Containment

Step 1: Isolate the affected system

 Disable network adapter to prevent further C2 communication
Disable-1etAdapter -1ame "Ethernet" -Confirm:$false
 Or use Windows Firewall to block outbound traffic
New-1etFirewallRule -DisplayName "Block All Outbound" -Direction Outbound -Action Block

Step 2: Identify and terminate malicious processes

 Kill the Tor proxy process
Get-Process -1ame "ugate" -ErrorAction SilentlyContinue | Stop-Process -Force
 Kill script engine processes
Get-Process -1ame "wscript","cscript","powershell" | Where-Object { 
(Get-Process -Id $_.Id -IncludeUserName).UserName -1e "SYSTEM" 
} | Stop-Process -Force

Step 3: Remove persistence mechanisms

 List and delete suspicious scheduled tasks
schtasks /query /fo LIST /v | findstr "update security windows"
schtasks /delete /tn "SuspiciousTaskName" /f

Check and remove Run registry keys
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -1ame "MalwareEntry"

Eradication

Remove malicious files:

 Search for and delete ugate.exe and related files
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | 
Where-Object { $<em>.Name -match "ugate.exe|tor.exe|..lnk" -and $</em>.LastWriteTime -gt (Get-Date).AddDays(-30) } |
Remove-Item -Force

Clear temp and public document folders
Remove-Item -Path "$env:PUBLIC\Documents\" -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item -Path "$env:TEMP\" -Recurse -Force -ErrorAction SilentlyContinue

Post-Incident Analysis

Collect forensic artifacts for further investigation:

  • Windows Event Logs (Security, System, Application, PowerShell Operational)
  • Prefetch files (C:\Windows\Prefetch\.pf)
  • USB device connection history (HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR)
  • Network connection logs
  • Clipboard access logs (if available through EDR)

6. Long-Term Defense Strategy

Endpoint Detection and Response (EDR) Tuning

Configure EDR rules to detect:

  • Process creation events where `wscript.exe` or `cscript.exe` spawn curl, powershell, or `cmd`
    – Network connections to `localhost:9050` or any non-standard port with SOCKS5 protocol indicators
  • File system events involving creation of `.lnk` files on removable drives
  • Registry modifications to Run keys and scheduled task creation

User Awareness Training

Educate users about:

  • Never opening files directly from USB drives without scanning
  • Verifying file extensions (.lnk vs. actual document extensions)
  • Reporting any suspicious behavior (slow performance, unexpected popups, unexplained network activity)

Regular Security Audits

Conduct regular audits of:

  • Scheduled tasks for unauthorized entries
  • Startup folder contents
  • Running processes for renamed or suspicious executables
  • Network connections for unexpected proxy usage

What Undercode Say

  • The Tor-SOCKS5 combination is a game-changer for malware C2 evasion – By routing all traffic through Tor’s anonymity network and using a local SOCKS5 proxy, this malware effectively defeats traditional IP-based blocking, DNS sinkholing, and geographic threat intelligence feeds. Defenders must shift to behavioral detection and application-layer analysis.

  • USB-based propagation remains a highly effective attack vector – Despite years of warnings, organizations continue to struggle with USB security. The worm-like propagation capability of this malware demonstrates that physical media remains a viable and often overlooked attack surface. Group Policy hardening and user education are essential countermeasures.

Analysis

The Crypto Clipper campaign represents a significant evolution in financially motivated malware. By combining clipboard theft with Tor-routed C2 and remote code execution capabilities, threat actors have created a versatile and resilient threat that can adapt to defensive measures. The use of PyArmor and PyInstaller for obfuscation, coupled with anti-analysis checks, indicates a sophisticated development process aimed at evading both static and dynamic analysis.

The most concerning aspect is the remote code execution capability. What begins as a clipboard stealer can quickly escalate into a full system compromise, enabling data exfiltration, lateral movement, and deployment of additional payloads. Organizations handling cryptocurrency transactions or sensitive financial data should prioritize detection of behavioral indicators rather than relying solely on signature-based defenses.

The campaign’s reliance on USB propagation also highlights the importance of physical security controls. While cloud and network-based threats receive significant attention, the humble USB drive remains a potent attack vector that can bypass even the most sophisticated network defenses.

Prediction

  • +1 Expect to see an increase in malware families adopting Tor-routed C2 and SOCKS5 proxy techniques as this campaign demonstrates their effectiveness. The barrier to implementing such techniques is relatively low, and the evasion benefits are substantial.

  • -1 The use of `.onion` domains and Tor exit nodes may eventually lead to increased surveillance and potential blocking of Tor traffic in corporate environments, which could impact legitimate privacy-preserving applications and research.

  • +1 Security vendors will accelerate development of behavioral detection engines that focus on process relationships, local proxy usage, and clipboard monitoring patterns rather than file signatures.

  • -1 Organizations that fail to implement USB security controls and behavioral monitoring will remain vulnerable to this and similar threats, potentially resulting in significant financial losses from cryptocurrency theft.

  • +1 The cybersecurity community will likely develop open-source detection tools specifically targeting Tor-routed malware, making it easier for smaller organizations to defend against these threats.

  • -1 As defenses improve, threat actors may respond by implementing more sophisticated anti-forensics techniques, including encrypted memory-only payloads and deeper integration with legitimate system processes.

  • +1 Microsoft’s detailed analysis and detection guidance will enable Defender for Endpoint customers to detect and block this threat effectively, potentially limiting its long-term impact.

Indicators of Compromise (IOCs) for this campaign:

| Type | Value |

||-|

| SHA-256 | `7630debd35cac6b7d58c4427695579b3e3a8b1cc462f523234cd6c698882a68c` |

| SHA-256 | `a7abf1d9d6686af1cefcd60b17a312e7eb8cfe267def1ec34aeab6128c811630` |

| SHA-256 | `23c1e673f315dafa14b73034a90dd3d393a984451ff6601b8be8142be6487b43` |

| Process | `ugate.exe` (renamed Tor binary) |

| Network | `localhost:9050` (SOCKS5 proxy) |

| Detection Name | `Trojan:Win32/CryptoBandits.A` |

▶️ Related Video (72% Match):

https://www.youtube.com/watch?v=aDX99gzoHsE

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Varshu25 Hackers – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky