PROBABLYPWNED
Malware | June 19, 2026 | 3 min read

USB Worm Spreads Crypto-Stealing Clipper via Windows Shortcuts

Microsoft warns of CryptoBandits campaign spreading clipboard-hijacking malware through USB drives. The worm uses Tor C2, steals seed phrases, and replaces wallet addresses mid-transaction.

James Rivera

Microsoft has disclosed a Windows-based cryptocurrency clipper campaign that has been targeting users since February 2026. The malware spreads through USB drives using malicious shortcut (LNK) files, monitors clipboards for wallet addresses, and routes stolen data through Tor hidden services.

The threat combines worm-like propagation with sophisticated clipboard hijacking, transforming what would otherwise be a simple stealer into a persistent backdoor.

How the Worm Spreads

The infection begins when users plug in a compromised USB drive and click a malicious LNK file. According to Microsoft's Security Blog, the shortcut triggers Windows Script Host and ActiveX-driven logic that checks whether the system is already infected.

If not, the worm fetches its payload from remote servers. It then scans the USB drive for common document types—DOC, XLSX, PDF—hides the legitimate files, and creates deceptive LNK replacements pointing back to itself. Users who share USB drives unknowingly spread the infection to every system they connect.
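The decoy pattern described above leaves a recognisable trace on the drive: a hidden document sitting next to a shortcut that carries the same name. The following scanner, added here as an example and not code from Microsoft or from the article, walks a drive listing and reports such pairs. Everything in it is an assumption for illustration: the document extensions it considers, the sample listing (constructed, not taken from a real infection), and the choice to match both `Report.lnk` and `Report.xlsx.lnk` against a hidden `Report.xlsx`.

```python
"""Find decoy shortcuts on a removable drive: a hidden document next to a
.lnk that shares its name. Added illustration, not the article's own code."""
import os
import stat
from pathlib import Path, PureWindowsPath

# Assumption: the document types worth checking (the article names DOC, XLSX, PDF).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}


def windows_hidden(path: Path) -> bool:
    """True when the NTFS/FAT hidden attribute is set. st_file_attributes exists
    only on Windows; on other hosts nothing is reported hidden."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def list_drive(root: str):
    """Walk a mounted drive and yield (path, is_hidden) entries for scan_listing."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            yield str(p), windows_hidden(p)


def scan_listing(entries):
    """entries: iterable of (path, is_hidden). Returns a sorted list of
    (shortcut, hidden_document) pairs found in the same folder."""
    shortcuts = []      # ((folder, stem), shortcut path) for every .lnk
    hidden_docs = {}    # (folder, stem or full name) -> hidden document path
    for path, hidden in entries:
        p = PureWindowsPath(path)       # parse Windows-style paths on any host
        folder = str(p.parent).lower()
        suffix = p.suffix.lower()
        if suffix == ".lnk":
            shortcuts.append(((folder, p.stem.lower()), path))
        elif suffix in DOC_EXTS and hidden:
            # "Report.lnk" (stem "Report") and "Report.xlsx.lnk" (stem "Report.xlsx")
            # should both match the hidden "Report.xlsx".
            hidden_docs[(folder, p.stem.lower())] = path
            hidden_docs[(folder, p.name.lower())] = path
    return sorted((lnk, hidden_docs[key]) for key, lnk in shortcuts if key in hidden_docs)


# Constructed sample listing; not data from a real drive.
SAMPLE_LISTING = [
    (r"E:\Q1 Report.xlsx", True),                 # original, hidden by the worm
    (r"E:\Q1 Report.lnk", False),                 # decoy shortcut
    (r"E:\Contracts\NDA.pdf", True),
    (r"E:\Contracts\NDA.lnk", False),
    (r"E:\Contracts\Budget.xlsx", True),
    (r"E:\Contracts\Budget.xlsx.lnk", False),     # double-extension decoy
    (r"E:\Contracts\Notes.docx", False),          # visible, untouched
    (r"E:\photos\holiday.jpg", False),
    (r"E:\System Volume Information\IndexerVolumeGuid", True),  # normal hidden file
]

if __name__ == "__main__":
    for lnk, doc in scan_listing(SAMPLE_LISTING):
        print(f"decoy shortcut {lnk} shadows hidden document {doc}")
    # On a real Windows host: scan_listing(list_drive("E:\\"))
```

A hidden system folder such as `System Volume Information` is not reported because no shortcut shares its name; only shortcut/hidden-document pairs are flagged, which keeps the scan quiet on a clean drive.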

The technique mirrors other supply chain attacks we've covered, except the supply chain here is physical: USB drives passed between colleagues, plugged into air-gapped systems, or left in conference rooms.

Clipboard Operations

The malware polls the clipboard approximately every 500 milliseconds, watching for:

  • Cryptocurrency wallet addresses (Bitcoin, Ethereum, and others)
  • Seed phrases and recovery words
  • Private keys

When it detects a wallet address, it substitutes an attacker-controlled address. A victim who copies their own wallet address to receive funds pastes the attacker's address instead, the funds go to the attacker, and blockchain transactions cannot be reversed.

The clipper also captures screenshots periodically, exfiltrating them over Tor. This catches users who display seed phrases on screen or photograph paper wallets.
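A clipboard audit on a machine that handles cryptocurrency can catch the substitution from the user's side: the clipboard held one address, and a moment later it holds a different address of the same kind that the user never copied. The monitor below is an added example, not Microsoft's or the article's code. It works on a sequence of clipboard samples (the constructed list at the bottom, not real captured data), recognises addresses with three assumed regular expressions (Bitcoin legacy, Bitcoin bech32, Ethereum), and raises the severity when the address that disappeared was one of the user's own known addresses. Reading the live clipboard is left to the caller.

```python
"""Detect address-for-address clipboard swaps from a series of clipboard
samples. Added illustration; not code from the article or from Microsoft."""
import re

# Assumption: shapes of the address formats we care about (pattern-level only,
# no checksum validation).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return the address family the text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_swaps(snapshots, known_addresses=()):
    """snapshots: list of (t_ms, clipboard_text) in time order.
    Returns (t_ms, kind, before, after, severity) for every sample where one
    address was replaced by a different address of the same kind. Severity is
    'high' when the replaced address is one the user is known to own."""
    known = {a.strip() for a in known_addresses}
    alerts = []
    prev_text = None
    for t, text in snapshots:
        if prev_text is not None and text != prev_text:
            before, after = address_kind(prev_text), address_kind(text)
            if before is not None and before == after:
                severity = "high" if prev_text.strip() in known else "medium"
                alerts.append((t, after, prev_text, text, severity))
        prev_text = text
    return alerts


# Constructed sample data; the addresses are obviously synthetic.
USER_BTC = "1" + "A" * 30
ATTACKER_BTC = "1" + "B" * 30
USER_ETH = "0x" + "a" * 40
ATTACKER_ETH = "0x" + "b" * 40
SAMPLE_SNAPSHOTS = [
    (0, "meeting notes"),
    (500, USER_BTC),        # user copies their own receive address
    (1000, ATTACKER_BTC),   # next 500 ms poll: same kind, different address
    (1500, ATTACKER_BTC),
    (9000, USER_ETH),       # later, an Ethereum address
    (9500, ATTACKER_ETH),   # swapped again
    (30000, "1" + "C" * 30),  # follows an ETH address: different kind, no alert
]

if __name__ == "__main__":
    for t, kind, before, after, sev in detect_swaps(SAMPLE_SNAPSHOTS, {USER_BTC}):
        print(f"[{sev}] t={t}ms {kind}: {before} -> {after}")
```

A user who copies two addresses of the same kind in quick succession also triggers the medium-severity path, so the high-severity case (a known own address replaced) is the one worth alerting on; the rest is best kept as an audit record.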

Tor-Based Command Infrastructure

Unlike simpler stealers that beacon to fixed domains, this malware deploys a portable Tor client and routes traffic through a local SOCKS5 proxy. The C2 server runs as a hidden service, making it resistant to takedowns and difficult to track.

The infrastructure supports remote code execution through EVAL responses. Attackers can push new functionality to infected machines without deploying new binaries—useful for adding support for new cryptocurrency wallets or updating address-matching patterns.

Scheduled tasks ensure persistence across reboots. The malware also exits when Task Manager opens, evading casual observation by users checking what's running.

Detection and Mitigation

Microsoft recommends behavioral detection over static signatures, specifically monitoring for:

  • PowerShell-based screen capture activities
  • WScript/CScript launching unexpected executables
  • Unusual clipboard access patterns from non-browser processes
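The first two monitoring points translate directly into rules over process-creation telemetry. The rule engine below is an added example, not Microsoft's guidance rendered as code and not anything from the article; it runs over a handful of constructed events (not real logs) with the fields a process-creation record typically carries. Its assumptions are labelled in the code: the allow-list of children a script host may spawn, and the substrings used to spot a PowerShell command line that calls .NET screen-capture APIs. The third bullet (clipboard access by non-browser processes) needs a clipboard-access telemetry source that these sample events do not include, so it is not covered here.

```python
"""Behavioural rules over process-creation events: script hosts spawning
unexpected executables, and PowerShell invoking screen-capture APIs.
Added illustration; the events below are constructed, not real logs."""
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: in the monitored environment a script host is expected to spawn
# only a console host. Tune this allow-list per environment.
EXPECTED_SCRIPT_HOST_CHILDREN = {"conhost.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption: substrings of the .NET calls a PowerShell screen grab would use.
SCREEN_CAPTURE_MARKERS = ("copyfromscreen", "system.drawing.bitmap")


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows executable path."""
    return PureWindowsPath(path).name.lower()


def analyze(events):
    """events: iterable of dicts with time, parent_image, image, command_line.
    Returns a list of (rule, time, detail) tuples."""
    alerts = []
    for e in events:
        parent = image_name(e["parent_image"])
        child = image_name(e["image"])
        cmd = e.get("command_line", "").lower()
        if parent in SCRIPT_HOSTS and child not in EXPECTED_SCRIPT_HOST_CHILDREN:
            alerts.append(("script-host-spawn", e["time"], f"{parent} -> {child}"))
        if child in POWERSHELL and any(m in cmd for m in SCREEN_CAPTURE_MARKERS):
            alerts.append(("powershell-screen-capture", e["time"], child))
    return alerts


# Constructed sample events; paths and times are illustrative.
SAMPLE_EVENTS = [
    {"time": "09:01:10", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": 'wscript.exe "<script path>"'},
    {"time": "09:01:11", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "command_line": "conhost.exe 0x4"},
    {"time": "09:01:12", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "command_line": "update.exe"},
    {"time": "09:05:00", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -NoProfile -Command "... CopyFromScreen ..."'},
    {"time": "09:06:00", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Process"},
]

if __name__ == "__main__":
    for rule, when, detail in analyze(SAMPLE_EVENTS):
        print(f"{when} {rule}: {detail}")
```

Command-line matching is the weaker of the two rules, since an encoded or obfuscated command line hides the markers; the parent/child rule does not depend on the command line at all, which is why the script-host spawn is the higher-confidence signal.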

Defensive measures include:

  1. Disable AutoRun/AutoPlay for removable media via Group Policy
  2. Block LNK execution from USB drives
  3. Restrict wscript.exe and cscript.exe to approved scripts
  4. Audit clipboard behaviors on systems handling cryptocurrency

Why This Matters

Cryptocurrency theft through clipboard hijacking isn't new, but the combination with worm propagation extends the threat beyond typical download-and-execute malware. Organizations with cryptocurrency holdings—exchanges, DeFi projects, trading firms—face risk from any employee USB drive.

The Tor-based C2 also complicates incident response. Traditional IP blocking and domain takedowns don't work against hidden services, giving attackers sustained access even after initial detection.

For individual users, the lesson is older than cryptocurrency itself: don't trust USB drives you didn't personally provision, and always verify wallet addresses character by character before confirming transactions.
