News Article · Jun 19, 2026 at 11:40 AM
Microsoft Discloses Clipper Malware, RoguePlanet Flaw, and DragonForce Teams Abuse in Same Week
Security #Microsoft #RoguePlanet #Defender #clipper malware #DragonForce #Teams relay #cryptocurrency #command-and-control

Microsoft revealed a cryptocurrency clipper campaign using USB LNK worms and Tor-based C2, a critical unpatched Defender vulnerability called RoguePlanet, and DragonForce hackers abusing Microsoft Teams relays for backdoor command-and-control traffic.

Microsoft disclosed three significant security threats this week, covering a cryptocurrency clipper malware campaign exploiting USB drives, a critical unpatched vulnerability in Microsoft Defender granting full system access, and DragonForce ransomware hackers hiding command-and-control traffic inside Microsoft Teams relays.

The clipper campaign has been active since February 2026, according to the Microsoft Defender Security Research Team. The malware intercepts clipboard data, particularly cryptocurrency wallet addresses, and substitutes them with attacker-controlled values. It uses a Windows Shortcut file distributed via USB storage to trigger a worm component that propagates across drives.

USB Worm and Tor-based C2 Infrastructure

The LNK payload scans USB devices for document types such as DOC, XLSX, and PDF. It hides the original files and creates new LNK files with identical names, linking to the worm component. When users open what appears to be a harmless file, they execute the malware instead. The worm component copies new LNK files to other USB drives and establishes scheduled tasks for persistence.

The clipper itself uses Windows Script Host and ActiveXObject to interact with the operating system. It deploys a portable Tor client, routing traffic through a local SOCKS5 proxy. The malware does not rely on a traditional installer or exposed IP-based C2 infrastructure. It polls a hidden-service server every 500 milliseconds, extracting seed phrases and private keys. If the C2 returns an EVAL response, the malware executes remote code supplied by attackers.

  • Microsoft says the malware uploads screenshots through the Tor network and exits if Task Manager is detected running.
  • Microsoft recommends that defenders prioritize behavioral detections over static signatures, focusing on PowerShell screen capture and script engine utilities such as WScript and CScript.
  • Microsoft advises disabling AutoRun and AutoPlay for removable media, blocking LNK execution from removable drives via Group Policy Objects, and restricting use of wscript.exe and cscript.exe.
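As an added defensive example (not code from Microsoft's report or from the original article), the following Python audit walks a removable drive for the masquerade pattern described above: a `.lnk` that shares its name with a document in the same folder, noting whether that document carries the hidden attribute and whether the shortcut bytes reference wscript or cscript. The sample drive built in `demo()`, its file names and the substring heuristic are constructed assumptions for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}   # document types named in the report
SCRIPT_HOSTS = (b"wscript", b"cscript")                  # script engines the worm relies on


def is_hidden(path: Path) -> bool:
    """Windows hidden attribute when available; dot-prefix elsewhere (best effort)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def lnk_references_script_host(lnk: Path) -> bool:
    """Heuristic: does the raw LNK contain 'wscript'/'cscript' as ANSI or UTF-16LE text?"""
    data = lnk.read_bytes().lower()
    return any(h in data or h.decode().encode("utf-16-le") in data for h in SCRIPT_HOSTS)


def find_lnk_masquerades(root) -> list:
    """Return one dict per .lnk that shares its name with a document in the same folder."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        docs = {f.lower(): f for f in files if Path(f).suffix.lower() in DOC_EXTS}
        for f in files:
            if not f.lower().endswith(".lnk"):
                continue
            stem = f[:-4].lower()                      # "report.docx.lnk" -> "report.docx"
            # Explorer hides .lnk, so "report.docx.lnk" and "report.lnk" both display as "report.docx"
            shadowed = docs.get(stem) or next(
                (d for k, d in docs.items() if Path(k).stem == stem), None)
            if shadowed:
                findings.append({
                    "lnk": str(folder / f),
                    "shadowed_doc": str(folder / shadowed),
                    "doc_hidden": is_hidden(folder / shadowed),
                    "script_host_in_lnk": lnk_references_script_host(folder / f),
                })
    return findings


def demo() -> list:
    """Constructed sample drive (not real malware): two masquerades, one benign shortcut."""
    root = Path(tempfile.mkdtemp())
    (root / "report.docx").write_bytes(b"fake document")
    (root / "report.docx.lnk").write_bytes(b"L\x00\x00\x00...C:\\Windows\\System32\\WScript.exe")
    (root / "notes.pdf").write_bytes(b"%PDF-fake")
    (root / "notes.lnk").write_bytes("cscript.exe //nologo".encode("utf-16-le"))
    (root / "clean.lnk").write_bytes(b"L\x00\x00\x00 target: explorer.exe")
    return find_lnk_masquerades(root)
```

Run `find_lnk_masquerades("E:\\")` (or the drive's mount point) against a suspect USB stick; `demo()` only exercises the constructed sample.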

Unpatched Defender Vulnerability and Teams Relay Abuse

Microsoft confirmed it is working on a patch for RoguePlanet, a zero-day vulnerability in Microsoft Defender that grants attackers full system control on updated Windows machines. The flaw was disclosed by security researchers and does not yet have a public fix available. A timeline for a security update has not been announced.

Separately, ransomware group DragonForce has been abusing Microsoft Teams relay infrastructure to hide traffic from a custom Go-based remote access trojan called Backdoor.Turn. Symantec and Carbon Black reported the backdoor was deployed against a major U.S. services firm. The use of Teams relays allows the malware to blend traffic with legitimate Office 365 communications, making detection more difficult. Microsoft has not issued a statement on the Teams relay abuse. Security teams are advised to audit Teams network flows and monitor for unusual outbound connections to relay endpoints.

Fact check

  • The clipper campaign has been active since February 2026. (reported)
  • The malware uses USB LNK files to propagate and a Tor-based hidden service for C2. (verified)
  • Microsoft is working on a fix for RoguePlanet, a Defender vulnerability granting full system access. (reported)
  • DragonForce hackers used Backdoor.Turn to hide C2 traffic inside Microsoft Teams relays. (reported)