Hackers Exploit Windows Shortcuts to Spread Crypto Clipper via USB Drives

A newly identified cryptocurrency clipper malware has been actively stealing digital assets since February 2026, utilizing weaponized Windows shortcut files on USB drives to propagate. This sophisticated malware exhibits worm-like behavior, employs Tor-based communication, and executes remote commands, marking it as a significant financial threat.

The infection process begins when a user inserts an infected USB drive and opens what appears to be a legitimate document. Unbeknownst to the user, that file is a malicious shortcut (.lnk) that quietly launches the harmful payloads in the background. The malware hides the original files, replaces them with look-alike shortcuts, and is then carried to further systems whenever the drive is plugged in elsewhere.

Microsoft Threat Intelligence and Microsoft Defender Experts have been monitoring this campaign, noting its active targeting of users over several months. The malware performs frequent clipboard monitoring, captures screenshots, and substitutes wallet addresses, all while routing its traffic through the Tor network to maintain anonymity.

Notably, the malware lacks a standard installer and exposes no direct IP addresses, with core payloads encrypted and only decrypted during execution. This design indicates a deliberate effort by the attackers to evade detection.

The financial impact is immediate and severe. By covertly replacing copied cryptocurrency wallet addresses with those controlled by the attackers, the malware can redirect entire transactions without the victim’s awareness until the funds are irretrievably lost.
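The address substitution described above has a recognisable shape on the endpoint: the clipboard holds one wallet address and, moments later and without the user copying anything, a different address of the same format. The following Python script is an example added to this write-up to show that heuristic; it is not code from the article, from Microsoft, or from the malware. The Bitcoin legacy, Bitcoin bech32 and Ethereum address patterns are the standard formats; the two-second window, the tkinter-based polling loop and the sample addresses are assumptions of the example.

```python
"""Clipper detection heuristic (added example, not from the article or
Microsoft). The clipboard holding address A and then, within a short window
and with no new copy by the user, a different address B of the same family
is the signature to alarm on. Timestamps are passed in explicitly so the
logic runs offline; watch() polls the real clipboard through tkinter."""
import re
import time
from typing import List, Optional, Tuple

# Standard address formats: Bitcoin legacy (base58), Bitcoin bech32, Ethereum.
ADDRESS_FAMILIES = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}

Alert = Tuple[str, str, str]  # (family, original address, substituted address)


def address_family(text: str) -> Optional[str]:
    """Name of the address format `text` matches, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_FAMILIES.items():
        if pattern.match(text):
            return family
    return None


class ClipperCanary:
    def __init__(self, window_s: float = 2.0):  # window length is an assumption
        self.window_s = window_s
        self.last_text: Optional[str] = None
        self.last_ts: float = 0.0
        self.alerts: List[Alert] = []

    def observe(self, text: str, ts: float) -> Optional[Alert]:
        """Feed one clipboard sample taken at time `ts` (seconds).

        Returns an Alert when the previous sample was a wallet address and this
        one is a different address of the same family inside the window."""
        text = text.strip()
        if text == self.last_text:
            return None  # unchanged: keep the original placement time
        alert = None
        prev_family = address_family(self.last_text) if self.last_text else None
        if (prev_family is not None
                and address_family(text) == prev_family
                and ts - self.last_ts <= self.window_s):
            alert = (prev_family, self.last_text, text)
            self.alerts.append(alert)
        self.last_text, self.last_ts = text, ts
        return alert


def watch(poll_s: float = 0.2) -> None:
    """Live loop: poll the clipboard and print any alert. tkinter's
    clipboard_get() raises TclError when the clipboard holds no text."""
    import tkinter as tk
    root = tk.Tk()
    root.withdraw()
    canary = ClipperCanary()
    while True:
        try:
            current = root.clipboard_get()
        except tk.TclError:
            current = ""
        alert = canary.observe(current, time.monotonic())
        if alert:
            print(f"possible clipper: {alert[0]} address {alert[1]} became {alert[2]}")
        time.sleep(poll_s)


if __name__ == "__main__":
    watch()
```

A user who legitimately copies two different addresses of the same family within two seconds will trigger a false positive, which is why the window is short and the alert reports both values rather than blocking anything; in a fleet you would forward the alert and the current clipboard value to the SIEM rather than act on it locally.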

Mechanism of Infection

The malware’s propagation method is deceptively straightforward. Upon connecting an infected USB drive to a system, the worm scans for common file types such as .doc, .xlsx, and .pdf. It hides the original files and creates shortcut versions with identical names, setting a trap for unsuspecting users who access the drive subsequently.

When a victim clicks one of these shortcuts, the worm deposits two malicious JavaScript files into a subfolder within “C:\Users\Public\Documents,” using a five-character naming convention for both the folder and file names. It also establishes two scheduled tasks to ensure the stealer remains active and the worm continues to spread to any new USB devices connected to the system.
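The two on-disk artefacts just described, same-named shortcuts shadowing hidden documents on the drive and JavaScript files dropped into a five-character subfolder of C:\Users\Public\Documents, can be checked for with a short triage script. The following Python is an example added to this write-up; it is not code from the article, from Microsoft, or from the malware. The document extensions .docx and .xls, the sample directory listings and the idea of passing listings in as plain records (so the checks can run offline) are assumptions of the example.

```python
"""USB lure and drop-folder triage (added example, not from the article or
Microsoft). find_lnk_lures() flags a .lnk whose name shadows a hidden document
in the same folder; find_dropped_scripts() flags .js files in a top-level
five-character folder under Public\\Documents. walk() builds the records from a
real path and reads the hidden flag from Windows file attributes."""
import os
import stat
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Document types named in the article; .docx and .xls added as an assumption.
LURE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bit


@dataclass(frozen=True)
class Entry:
    path: str             # relative to the scanned root, forward slashes
    hidden: bool = False  # Windows hidden attribute set
    is_dir: bool = False


def find_lnk_lures(entries: Iterable[Entry]) -> List[Tuple[str, str]]:
    """Return (shortcut, hidden_original) pairs.

    A shortcut is a lure when its name minus ".lnk" equals either the stem of a
    hidden document ("Invoice.lnk" beside hidden "Invoice.pdf") or the document's
    full name ("Budget.xlsx.lnk" beside hidden "Budget.xlsx")."""
    hidden_docs: Dict[str, List[str]] = {}
    files = [e for e in entries if not e.is_dir]
    for e in files:
        stem, ext = os.path.splitext(e.path)
        if e.hidden and ext.lower() in LURE_EXTENSIONS:
            hidden_docs.setdefault(stem.lower(), []).append(e.path)
            hidden_docs.setdefault(e.path.lower(), []).append(e.path)
    hits: List[Tuple[str, str]] = []
    for e in files:
        stem, ext = os.path.splitext(e.path)
        if ext.lower() == ".lnk":
            for original in hidden_docs.get(stem.lower(), []):
                hits.append((e.path, original))
    return sorted(set(hits))


def find_dropped_scripts(entries: Iterable[Entry]) -> List[str]:
    """Entries are relative to C:\\Users\\Public\\Documents. Flag a .js file
    sitting directly in a top-level folder with a five-character name and
    carrying a five-character stem itself, the naming the article reports."""
    hits: List[str] = []
    for e in entries:
        if e.is_dir:
            continue
        parent, name = os.path.split(e.path)
        stem, ext = os.path.splitext(name)
        if ext.lower() == ".js" and "/" not in parent and len(parent) == 5 and len(stem) == 5:
            hits.append(e.path)
    return sorted(hits)


def walk(root: str) -> List[Entry]:
    """Build Entry records from a real directory tree; the hidden flag comes
    from st_file_attributes, which only exists on Windows (False elsewhere)."""
    out: List[Entry] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            attrs = getattr(st, "st_file_attributes", 0)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out.append(Entry(rel, bool(attrs & FILE_ATTRIBUTE_HIDDEN), stat.S_ISDIR(st.st_mode)))
    return out


if __name__ == "__main__":
    # Usage: python triage.py E:\   (drive letter of the removable device)
    drive = sys.argv[1] if len(sys.argv) > 1 else "E:\\"
    for lnk, original in find_lnk_lures(walk(drive)):
        print(f"lure: {lnk} shadows hidden {original}")
    for js in find_dropped_scripts(walk(r"C:\Users\Public\Documents")):
        print(f"dropped script: {js}")
```

Both checks are intentionally narrow: a hidden document with no shortcut beside it, or a .js file in a long-named folder, is left alone, so a hit is worth pulling the scheduled tasks and the shortcut's target command line for review.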

The installation process is layered with multiple obfuscation techniques. The initial payload is a Python script protected with PyArmor and packaged into a standalone executable, while the JavaScript files are doubly obfuscated. Additionally, the malware terminates itself if Task Manager is detected, complicating manual inspection efforts.

Command and Control via Tor

Central to this malware’s operation is a portable Tor client renamed “ugate.exe,” which runs in a hidden window. Once Tor is active, the malware establishes a command and control (C2) channel through the Tor network, enabling the attackers to issue remote commands and exfiltrate data without revealing their location or identity.

This campaign underscores the evolving tactics of cybercriminals who exploit seemingly innocuous vectors, such as USB drives and shortcut files, to deliver sophisticated malware. Users should exercise caution when handling external storage devices and be wary of unexpected shortcut files, even from trusted sources.

As cyber threats continue to advance, it is imperative for individuals and organizations to implement robust security measures, including regular software updates, comprehensive endpoint protection, and user education on recognizing potential threats. Vigilance and proactive defense strategies are essential in mitigating the risks posed by such sophisticated malware campaigns.