TL;DR
- Microsoft has warned about a USB-spreading “crypto clipper” malware that has been infecting Windows users since February.
- The malware installs via malicious .lnk shortcut files, steals crypto wallet seed phrases and private keys by monitoring the clipboard, and can replace copied wallet addresses with attacker-controlled ones.
Microsoft has identified a new malware campaign spreading through infected USB drives that specifically targets cryptocurrency users on Windows systems, according to a recent security blog post.
The malware, detected by Microsoft Defender Antivirus as Trojan:Win32/CryptoBandits, has been actively infecting personal computers since February.
Infection Begins Through Malicious USB Shortcut Files
The attack starts with a compromised USB drive containing a malicious Windows shortcut file (.lnk).
The shortcut is crafted so that opening it launches hidden malware components stored elsewhere on the drive rather than the document the user expects.
Once a user plugs in the infected drive and double-clicks the shortcut, a worm-like payload runs on the host. It installs itself, establishes persistence, and prepares the machine to infect further drives.
After installation, the malware runs continuously in the background, focusing on stealing cryptocurrency-related data.
One of its primary techniques is clipboard monitoring. The malware polls the Windows clipboard approximately every 500 milliseconds, looking for sensitive information such as:
- Crypto wallet seed phrases
- Private keys for Bitcoin or Ethereum wallets
Once detected, this data is transmitted to the attackers over the Tor network, an anonymizing overlay that conceals the location of the command-and-control infrastructure. The malware also captures screenshots of the infected system at timed intervals.
Transaction Hijacking Through Address Replacement
In addition to data theft, the malware performs transaction manipulation. If a user copies a crypto wallet address in order to send funds, the malware silently replaces the clipboard contents with an attacker-controlled address.
The user sees nothing unusual, so funds are redirected to the attacker's wallet, which makes the malware particularly dangerous for active traders and wallet users. The only reliable user-side check is to compare the pasted address character by character against the intended one before confirming a transaction.
The malware also spreads using a worm-like mechanism.
When a clean USB drive is connected to an infected system, the malware:
- Scans for files such as Word documents, Excel sheets, and PDFs
- Replaces them with malicious shortcut files using the same filenames
- Infects the new drive, continuing the cycle when it is plugged into another PC
This allows the malware to spread rapidly across offline environments where USB drives are commonly shared.
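A triage script for a suspect USB drive, covering both the .lnk lure described under the infection section and the document-replacement behaviour above. This is an added example, not code from the article or from Microsoft's guidance. It assumes a Windows analysis host with PowerShell 5.1 or later and a drive that is mounted but not browsed with Explorer; the script-host list and the “document-lookalike name” rule are my own heuristics, not indicators Microsoft has published, and the `WScript.Shell` COM object only parses each shortcut, it never launches it.

```powershell
# Added example (not from the article or Microsoft's advisory): triage a removable
# drive for document-lookalike .lnk files and the hidden components they point to.
# Run from an elevated PowerShell prompt on a clean analysis host; do NOT
# double-click anything on the drive. Flag rules below are the author's own.

# Interpreters a lure shortcut typically points at (heuristic, not an IOC list)
$scriptHosts = 'wscript.exe','cscript.exe','powershell.exe','pwsh.exe',
               'cmd.exe','mshta.exe','rundll32.exe','regsvr32.exe'
# "Report.docx.lnk" style names: the base name still carries a document extension
$docExt = '\.(docx?|xlsx?|pptx?|pdf|txt)$'

$shell = New-Object -ComObject WScript.Shell   # CreateShortcut() reads, does not run

# DriveType 2 = removable media
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'

foreach ($drive in $removable) {
    $root = $drive.DeviceID + '\'
    Write-Host "== Triage of $root"

    # 1. Every shortcut on the drive, hidden ones included (-Force)
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)
        $base    = [IO.Path]::GetFileNameWithoutExtension($_.Name)
        $target  = [IO.Path]::GetFileName([string]$lnk.TargetPath)
        $reasons = @()
        if ($base -match $docExt)                        { $reasons += 'document-lookalike name' }
        if ($scriptHosts -contains $target.ToLower())    { $reasons += "target is $target" }
        if ($lnk.Arguments -match '\.(vbs|js|jse|wsf|bat|cmd|ps1)\b') { $reasons += 'script in arguments' }
        if (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $reasons += 'hidden' }
        [pscustomobject]@{
            Shortcut  = $_.FullName
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments   # printed in full: the payload path usually lives here
            Flags     = ($reasons -join '; ')
        }
    } | Where-Object { $_.Flags } | Format-Table -AutoSize -Wrap

    # 2. Hidden entries at the drive root, the usual hiding place for the real payload
    Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
        Select-Object FullName, Attributes, Length, LastWriteTime |
        Format-Table -AutoSize
}
```

A clean drive produces no flagged rows and, at most, the `System Volume Information` folder in the hidden listing. Anything flagged should be copied off for analysis with the drive write-protected rather than opened in place.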
Microsoft Security Recommendations
Microsoft advises users and organizations to take several precautions to reduce risk, including:
- Disabling AutoRun for removable media
- Blocking execution of .lnk files from USB drives using Group Policy
- Restricting script hosts such as wscript.exe and cscript.exe
- Monitoring for suspicious Tor network activity, including connections on port 9050
Microsoft Defender customers are also encouraged to run threat-hunting queries using published indicators of compromise, including file hashes and known .onion command-and-control domains.
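One way to apply the AutoRun recommendation and to hunt locally for the port-9050 and script-host indicators from the list above, as an added example rather than Microsoft's published query. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`). The registry value is the documented Explorer policy for AutoRun; the Group Policy rule that blocks .lnk execution from USB is not shown because it is an AppLocker or Software Restriction Policy rule rather than a single registry value.

```powershell
# Added example (not part of the article or Microsoft's guidance text): apply the
# AutoRun control and look for the Tor and script-host indicators named above.
# Run elevated. Sections 2 and 3 only report; they change nothing.

# --- 1. Disable AutoRun for every drive type (bitmask 0xFF) -----------------
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $polKey)) { New-Item -Path $polKey -Force | Out-Null }
Set-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
$current = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun).NoDriveTypeAutoRun
'NoDriveTypeAutoRun = 0x{0:X2} (0xFF = AutoRun disabled for all drive types)' -f $current

# --- 2. Which process is using the Tor SOCKS port? --------------------------
# 9050 is Tor's default SOCKS port and is normally bound on localhost, so a
# bundled Tor client shows up on the local side and its user on the remote side.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq 9050 -or $_.RemotePort -eq 9050 } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            State   = $_.State
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            PID     = $_.OwningProcess
            Process = $p.ProcessName
            Path    = $p.Path
        }
    } | Format-Table -AutoSize

# --- 3. Script hosts currently running, with their command lines -----------
# wscript/cscript launched from a removable drive letter or a hidden folder is
# the pattern of interest; legitimate logon scripts normally come from SYSVOL.
Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe' OR Name = 'cscript.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine |
    Format-List
```

Section 2 returning nothing is not proof of absence: the malware can use a different local port or only open the Tor connection while exfiltrating, so pair this host check with the network-side monitoring Microsoft recommends and with the published hashes and .onion indicators.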
The campaign highlights a rising trend of malware designed specifically to target cryptocurrency holders by exploiting weak points such as clipboard usage and offline file transfers.
Security researchers warn that the combination of USB-based propagation and real-time clipboard hijacking makes this malware particularly difficult to detect without proactive security controls.
Hassan Maishera