A Windows-based crypto clipper reportedly leans on WScript, ActiveXObject, and Tor, a combination that can blur the line between ordinary scripting and malicious automation.