Microsoft Uncovers USB-Based Clipper Malware Targeting Cryptocurrency Transactions

Microsoft has recently detailed a sophisticated malware campaign that has been active since February 2026, targeting Windows users through USB devices to steal cryptocurrency. This campaign employs a type of malware known as a ‘clipper,’ which monitors and manipulates clipboard data to intercept and redirect cryptocurrency transactions.

The attack begins when a user connects an infected USB storage device to their computer. The device contains a malicious Windows Shortcut (LNK) file that, when opened, initiates a worm component. This worm checks if the system is already compromised; if not, it downloads additional payloads from a remote server. One of these payloads is the clipper malware, designed to harvest and exfiltrate cryptocurrency wallet information.

Once executed, the worm scans the USB device for common document types such as DOC, XLSX, and PDF files. It hides these legitimate files and replaces them with LNK files bearing the same names. These shortcuts are configured to execute the worm component when opened, thereby propagating the malware further. This method exploits users’ trust, as they believe they are accessing their documents while unknowingly activating the malware.
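The decoy pattern just described (a real document hidden, a same-named LNK left visible) is easy to triage for before anyone opens a shortcut. The following Python script is an added defensive example, not Microsoft's tooling or part of the report: it walks a mounted drive, records the Windows hidden attribute of each file, and pairs every `.lnk` with a document of the same base name in the same folder. Both `Report.lnk` and `Report.pdf.lnk` are treated as shadowing `Report.pdf`; the extension list extends the article's DOC/XLSX/PDF with DOCX and XLS (an assumption), and on non-Windows hosts the hidden attribute is unavailable and findings fall back to "medium".

```python
"""Triage a removable drive for hidden documents shadowed by same-named .lnk files.
Added example for illustration; not the tooling from the Microsoft report."""
from __future__ import annotations

import os
import stat
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Document types the campaign shadows, plus DOCX/XLS (assumption).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}
FILE_ATTRIBUTE_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


@dataclass(frozen=True)
class Entry:
    path: str      # full path as listed on the drive
    hidden: bool   # Windows hidden attribute set on the file


@dataclass(frozen=True)
class Finding:
    lnk: str
    shadowed_doc: str
    severity: str  # "high" when the document is hidden, else "medium"


def list_drive(root: str) -> list[Entry]:
    """Walk a mounted drive and capture the hidden attribute of every file.
    st_file_attributes only exists on Windows; elsewhere hidden is False."""
    entries: list[Entry] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # unreadable entry; skip rather than abort the scan
            attrs = getattr(st, "st_file_attributes", 0)
            entries.append(Entry(full, bool(attrs & FILE_ATTRIBUTE_HIDDEN)))
    return entries


def find_lnk_decoys(entries: list[Entry]) -> list[Finding]:
    """Pair each .lnk with same-named documents in the same directory."""
    docs: dict[tuple[str, str], list[Entry]] = {}
    for e in entries:
        p = PureWindowsPath(e.path)  # accepts both '\\' and '/' separators
        if p.suffix.lower() in DOC_EXTS:
            docs.setdefault((str(p.parent).lower(), p.stem.lower()), []).append(e)

    findings: list[Finding] = []
    for e in entries:
        p = PureWindowsPath(e.path)
        if p.suffix.lower() != ".lnk":
            continue
        # "Report.lnk" and "Report.pdf.lnk" both shadow "Report.pdf".
        stems = {p.stem.lower()}
        inner = PureWindowsPath(p.stem)
        if inner.suffix.lower() in DOC_EXTS:
            stems.add(inner.stem.lower())
        for stem in stems:
            for doc in docs.get((str(p.parent).lower(), stem), []):
                severity = "high" if doc.hidden else "medium"
                findings.append(Finding(e.path, doc.path, severity))
    return findings


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in find_lnk_decoys(list_drive(root)):
        print(f"[{f.severity}] {f.lnk} shadows {f.shadowed_doc}")
```

Run it against the drive letter of a newly connected device (`python triage_usb.py E:\`) before opening anything on it; a "high" finding is exactly the worm's hide-and-replace signature, while a "medium" pairing merits a look at the shortcut's target.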

To maintain persistence on the infected system, the worm component sets up scheduled tasks for both itself and the clipper malware. The clipper utilizes Windows Script Host (WScript) and ActiveXObject to interact with the operating system. Notably, it checks for the presence of Task Manager among running processes and terminates itself if detected, a tactic aimed at evading user scrutiny.

In its final stage, the malware launches a renamed Tor binary in a hidden window, establishing a connection to a command-and-control (C2) server via the Tor network. It generates a unique identifier for the victim’s machine and registers it with the C2 server. The malware then enters a continuous loop, polling the C2 server for instructions and monitoring the clipboard approximately every 500 milliseconds. This allows it to extract sensitive information such as seed phrases and private keys. Additionally, it hijacks cryptocurrency addresses by replacing copied wallet values with those controlled by the attacker and uploads screenshots through the Tor network. If the C2 server responds with an ‘EVAL’ command, the malware executes the supplied code at runtime, granting attackers remote control over the infected system.
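The behaviour that makes a clipper observable is the swap itself: an address the user copied is replaced, within roughly one polling interval, by a different address of the same family. The following Python example, added here and not Microsoft's detection logic, runs that heuristic over a sequence of clipboard readings. The address patterns (Ethereum `0x` hex, Bitcoin legacy and bech32) and the 2-second swap window are my assumptions; the sample readings are constructed.

```python
"""Flag clipboard readings where a copied wallet address is replaced by a
different address of the same family within a short window.
Added defensive example over constructed samples; not Microsoft's logic."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Address families recognised by the heuristic (assumption: a clipper
# swaps like for like, so only same-family replacements are scored).
ADDRESS_FAMILIES = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
}
# A human re-copying a different address rarely happens this fast (assumption).
SWAP_WINDOW_MS = 2000


@dataclass(frozen=True)
class ClipSample:
    t_ms: int   # time the clipboard was read
    text: str   # clipboard text at that time


@dataclass(frozen=True)
class SwapAlert:
    t_ms: int
    family: str
    original: str
    replacement: str


def classify(text: str) -> str | None:
    """Return the address family of a clipboard string, or None."""
    s = text.strip()
    for family, rx in ADDRESS_FAMILIES.items():
        if rx.match(s):
            return family
    return None


def detect_swaps(samples: list[ClipSample]) -> list[SwapAlert]:
    """Track the address currently on the clipboard and its first-seen time;
    alert when it changes to another same-family address inside the window."""
    alerts: list[SwapAlert] = []
    current: tuple[str, str, int] | None = None  # (family, text, first_seen_ms)
    for s in samples:
        text = s.text.strip()
        fam = classify(text)
        if fam is None:
            current = None  # non-address content resets the state
            continue
        if current is None or current[1] != text:
            if (current is not None and current[0] == fam
                    and s.t_ms - current[2] <= SWAP_WINDOW_MS):
                alerts.append(SwapAlert(s.t_ms, fam, current[1], text))
            current = (fam, text, s.t_ms)
    return alerts


if __name__ == "__main__":
    # Constructed readings: an address is copied, then swapped 600 ms later.
    a = "0x" + "a" * 40
    b = "0x" + "b" * 40
    demo = [ClipSample(0, "meeting notes"), ClipSample(500, a),
            ClipSample(1000, a), ClipSample(1100, b)]
    for alert in detect_swaps(demo):
        print(f"t={alert.t_ms}ms {alert.family}: {alert.original} -> {alert.replacement}")
```

Keying on the first-seen time rather than the last poll matters: a monitor that itself samples every 500 ms would otherwise flag every legitimate second copy. A poller also competes with the clipper for the clipboard, so on a real Windows host the readings should come from a clipboard-change notification (for example the sequence number exposed by `GetClipboardSequenceNumber`) rather than a timer, and the alert should be raised before the user pastes.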

To mitigate the risks associated with this malware, Microsoft recommends several defensive measures. These include disabling AutoRun and AutoPlay for all removable media, blocking the execution of LNK files from removable drives via Group Policy Objects (GPOs), and restricting the use of scripting engines like WScript and CScript. Additionally, organizations should prioritize behavioral detections over static signatures, focusing on activities such as PowerShell-based screen captures and the use of script engines to launch unexpected executables. Reviewing clipboard-related and screen-capture behaviors on devices handling sensitive financial workflows is also advised.
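Two of the recommendations above (AutoRun/AutoPlay off, Windows Script Host restricted) are backed by registry policy values that can be audited fleet-wide. The following Python script is an added example, not Microsoft's tooling: it reads those values from HKEY_LOCAL_MACHINE and reports any host that is not in the recommended state. The paths and expected DWORDs are my mapping of the recommendations onto registry policy (an assumption); the block on LNK execution from removable drives lives in AppLocker or Software Restriction Policy rules and is not checked here.

```python
"""Audit registry-backed hardening for the USB clipper recommendations:
AutoRun/AutoPlay disabled and Windows Script Host disabled.
Added example; the value mapping is an assumption, not Microsoft's script."""
from __future__ import annotations

import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    key: str        # registry key under HKEY_LOCAL_MACHINE
    name: str       # value name
    expected: int   # DWORD a hardened host should carry
    advice: str


CHECKS = [
    Check(r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
          "NoDriveTypeAutoRun", 0xFF,
          "disable AutoRun on all drive types (Turn off AutoPlay policy, all drives)"),
    Check(r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
          "NoAutoplayfornonVolume", 1,
          "disallow AutoPlay for non-volume devices"),
    Check(r"SOFTWARE\Microsoft\Windows Script Host\Settings",
          "Enabled", 0,
          "disable Windows Script Host so wscript.exe/cscript.exe refuse to run scripts"),
]


def audit(values: dict[tuple[str, str], int | None]) -> list[str]:
    """values maps (key, name) -> DWORD read from the registry, or None if absent.
    Returns one finding per check that is not in the hardened state."""
    norm = {(k.lower(), n.lower()): v for (k, n), v in values.items()}
    findings: list[str] = []
    for c in CHECKS:
        actual = norm.get((c.key.lower(), c.name.lower()))
        if actual != c.expected:
            shown = "absent" if actual is None else f"0x{actual:X}"
            findings.append(
                f"{c.key}\\{c.name} is {shown}, expected 0x{c.expected:X}: {c.advice}")
    return findings


def read_registry() -> dict[tuple[str, str], int | None]:
    """Read the checked values from the live registry (Windows only)."""
    import winreg  # only importable on Windows

    out: dict[tuple[str, str], int | None] = {}
    for c in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, c.key) as k:
                val, _type = winreg.QueryValueEx(k, c.name)
                out[(c.key, c.name)] = int(val)
        except OSError:
            out[(c.key, c.name)] = None  # key or value missing: treated as not hardened
    return out


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being audited")
    for line in audit(read_registry()) or ["all checks pass"]:
        print(line)
```

An absent value is reported as a finding on purpose: with no `NoDriveTypeAutoRun` policy Windows applies its default AutoRun behaviour, and with no `Enabled` value under the Script Host settings key WSH stays enabled. Apply the settings through Group Policy rather than by editing the registry directly so they survive user changes and can be reported on centrally.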

This campaign underscores the evolving tactics of cybercriminals who exploit removable media to distribute malware, bypassing traditional network-based defenses. The use of the Tor network for C2 communications adds a layer of anonymity, complicating detection and mitigation efforts. As attackers continue to refine their methods, it is imperative for individuals and organizations to implement robust security practices, including regular monitoring of system behaviors and educating users about the risks associated with unknown USB devices and suspicious files.