top of page

Trojanized TOR installers used to target Eastern European cryptocurrency users with clipper malware

In September of 2022, a new type of malware began circulating in Russia and Eastern Europe. This malware, known as a "clipper," is designed to siphon cryptocurrencies from its victims byTrojanizing installers for the TOR anonymity browser. The clipper works by injecting itself into the victim's clipboard, and then scanning the contents for any cryptocurrency wallet addresses. If a match is found, the address is replaced with one from a hardcoded list of replacement addresses, selected at random. This allows the attacker to redirect the victim's cryptocurrency payments to their own wallet. It's not immediately clear how the installers are distributed, but evidence points to the use of torrent downloads or some unknown third-party source since the Tor Project's website has been subjected to blockades in Russia in recent years. Regardless of the method used, the installer launches the legitimate executable, while also simultaneously launching the clipper payload that's designed to monitor the clipboard content. Each sample is packed with thousands of possible replacement addresses that's selected at random. It also comes with the ability to disable the malware by means of a special hotkey combination (Ctrl+Alt+F10), an option likely added during the testing phase. This new malware is a serious threat to anyone who uses the TOR anonymity browser, as it can be difficult to detect and can result in the loss of a significant amount of cryptocurrency. If you think you may have been infected, be sure to check your clipboard contents for any suspicious wallet addresses.


bottom of page