USB-Based 'Crypto Clipper' Malware Targets Windows Systems, Microsoft Issues Alert

A sophisticated cryptocurrency clipper spreading through USB devices is compromising digital wallets and sensitive keys while concealing its command infrastructure using the Tor network.

Windows users are being alerted by Microsoft Threat Intelligence regarding a dangerous cryptocurrency clipper malware variant that propagates through USB storage devices.

Active since February, the malicious software captures clipboard content to steal wallet credentials through techniques including "high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution," according to Microsoft's Wednesday announcement.

The cryptocurrency clipper spreads by hiding a drive's genuine files and replacing them with look-alike shortcuts; a victim who opens one of these unwittingly launches the malware, and its worm component then copies itself automatically onto any connected USB storage media.

The danger extends beyond simple information theft: the malware also functions as a backdoor, letting threat actors deploy and run arbitrary code on compromised systems whenever they choose, and turning what begins as cryptocurrency theft into a persistent foothold that could facilitate ransomware attacks.

What makes this clipper's deployment particularly noteworthy is its independence from conventional installation methods or visible IP-based infrastructure, according to the Microsoft research team.

"This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking."

Tor network used for obfuscation

The malicious software installs two disguised JavaScript payloads within the Windows Documents folder and establishes scheduled tasks to maintain both its worm and stealer functionalities.

Additionally, the malware covertly deploys a Tor instance on the infected machine while renaming the executable to ugate.exe in an attempt to appear legitimate. The malware then leverages the anonymizing capabilities of the Tor network to establish connections with its command servers at concealed "onion" addresses.

"The combination of Tor-routed C2, clipboard targeting, screenshot capture and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices," Microsoft said.

Figure: Execution flow diagram for the crypto clipper. Source: Microsoft

Private keys and seed phrases targeted

The cryptocurrency clipper specifically hunts for "high-value financial artifacts" within clipboard data, such as BIP39 mnemonic seed phrases along with Bitcoin and Ethereum private keys.

Additionally, the malware swaps any copied cryptocurrency wallet addresses with addresses controlled by the attackers, covering Bitcoin, Tron and Monero, while capturing screenshots at ten-second intervals to gather additional contextual information.

Microsoft Defender Antivirus identifies this malicious software as Trojan:Win32/CryptoBandits.A.

Among Microsoft's recommendations are disabling autoplay functionality for removable storage devices, preventing .lnk file execution from USB drives, and actively monitoring for proxy-related activity and spawned script processes.
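As an added defender-side example (not Microsoft's code and not part of the alert), the following PowerShell hunt script checks a Windows host for the artifacts the article describes and can apply the AutoPlay hardening it recommends. The criteria it uses for suspicious scheduled tasks (wscript/cscript launching a .js file under a Documents folder), the hidden-file-plus-lookalike-shortcut check on removable drives, and the ugate.exe process-name check are assumptions drawn from the description above, not Microsoft's detection logic.

```powershell
# Added example, not Microsoft's code. Run from an elevated PowerShell session;
# -Harden writes the NoDriveTypeAutoRun policy value that disables AutoPlay.
[CmdletBinding()]
param([switch]$Harden)

$findings = @()

# 1. Lookalike shortcuts on removable media: a .lnk in the drive root whose name
#    matches a hidden file or folder beside it is the concealment pattern described
#    in the article (assumption: the clipper places them in the drive root).
foreach ($vol in Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }) {
    $root   = "$($vol.DriveLetter):\"
    $hidden = Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
    foreach ($lnk in Get-ChildItem -Path $root -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        if ($hidden.BaseName -contains $lnk.BaseName) {
            $findings += "Lookalike shortcut on USB: $($lnk.FullName) shadows hidden item '$($lnk.BaseName)'"
        }
    }
}

# 2. Persistence: scheduled tasks whose action runs a script host on a .js file
#    located under a Documents folder (the article's JavaScript payload location).
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $exe    = [string]$action.Execute
        $argStr = [string]$action.Arguments
        if ($exe -match '(?i)[wc]script' -and $argStr -match '(?i)\.js\b' -and $argStr -match '(?i)\\Documents\\') {
            $findings += "Suspicious scheduled task '$($task.TaskName)': $exe $argStr"
        }
    }
}

# 3. Renamed Tor client: the article names the disguised binary ugate.exe.
foreach ($p in Get-Process -Name 'ugate' -ErrorAction SilentlyContinue) {
    $findings += "Process ugate.exe running (PID $($p.Id)) from: $($p.Path)"
}

# 4. Optional hardening: 0xFF disables AutoRun/AutoPlay for every drive type,
#    removable media included, via the Explorer policy key.
if ($Harden) {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    $findings += 'Applied NoDriveTypeAutoRun=0xFF (AutoPlay disabled for all drive types)'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'No indicators found.' }
```

The task and process checks are simple string heuristics and will miss renamed script hosts or a Tor binary given a different name; treat a hit as a lead for triage, not a verdict.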

2026 has seen a significant escalation in Windows-based crypto stealers. A new Windows malware strain called Lucid Stealer that targets browser extensions and crypto wallets was identified earlier this month by the Foresiet Threat Intel Team.
