News Article · Jun 21, 2026 at 12:41 AM
Microsoft discovers USB worm that hijacks clipboard, steals cryptocurrency via Tor
Security #Microsoft #malware #cryptocurrency #USB worm #Tor #clipboard hijacking

Microsoft Threat Intelligence has identified a USB-propagating worm that hijacks clipboard data to steal cryptocurrency wallet addresses and seed phrases, using Tor for stealth since February 2026.

Microsoft Threat Intelligence has identified a new self-propagating USB worm that monitors Windows clipboards for cryptocurrency wallet addresses and seed phrases, replacing them with attacker-controlled values and exfiltrating data through a portable Tor client. The campaign has been active since at least February 2026, according to analysis published by Microsoft this week.

The malware, tracked as Trojan:Win32/CryptoBandits.A, scans clipboard content approximately every 500 milliseconds for patterns matching Bitcoin, Tron, and Monero addresses, among others. It also captures BIP39 seed phrases, Ethereum private keys, and Bitcoin WIF keys. A successful seed phrase theft gives attackers complete control of the victim’s wallet, not just a redirected transaction.
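As an added illustration (not Microsoft's analysis or the malware's own code), the following defender-side detector mirrors the behaviour described above from the other direction: it takes clipboard snapshots sampled at the same 500 ms cadence and flags the moment a wallet-style value is replaced by another value of the same kind with no user copy event in between. The address regexes, the `Snapshot` type and the sample data are constructed approximations for this example.

```python
import re
from dataclasses import dataclass

# Heuristic address patterns (constructed approximations of the formats named above;
# a production tool would validate checksums rather than rely on regexes alone).
PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_segwit": re.compile(r"^bc1q[a-z0-9]{38,58}$"),
    "btc_taproot": re.compile(r"^bc1p[a-z0-9]{58}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}

@dataclass
class Snapshot:
    t_ms: int        # time the clipboard was sampled
    text: str        # clipboard contents at that instant
    user_copy: bool  # True if a genuine copy event (e.g. Ctrl+C) was observed then

def classify(text: str):
    """Return the asset kind a clipboard string looks like, or None."""
    s = text.strip()
    for kind, pat in PATTERNS.items():
        if pat.match(s):
            return kind
    words = s.split()
    if len(words) in (12, 15, 18, 21, 24) and all(re.fullmatch(r"[a-z]{3,8}", w) for w in words):
        return "bip39_seed"  # mnemonic-shaped; a real check would use the BIP39 wordlist
    return None

def detect_swaps(snaps, window_ms: int = 1000):
    """Flag a clipboard value replaced by a different value of the same kind
    without a user copy event: the signature of a clipboard hijacker."""
    alerts = []
    for prev, cur in zip(snaps, snaps[1:]):
        if cur.user_copy or cur.text == prev.text:
            continue
        kind = classify(prev.text)
        if kind and classify(cur.text) == kind and cur.t_ms - prev.t_ms <= window_ms:
            alerts.append({"t_ms": cur.t_ms, "kind": kind, "before": prev.text, "after": cur.text})
    return alerts

# Constructed sample: a poll every 500 ms, the address swapped one second after the copy.
VICTIM_ADDR = "bc1q" + "w508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
ATTACKER_ADDR = "bc1q" + "x" * 38
SAMPLE = [
    Snapshot(0, VICTIM_ADDR, True), Snapshot(500, VICTIM_ADDR, False),
    Snapshot(1000, ATTACKER_ADDR, False), Snapshot(1500, "meeting notes", True),
]
```

Running `detect_swaps(SAMPLE)` returns a single alert for the segwit address replaced at 1000 ms; wiring `Snapshot` to a real clipboard reader and copy-event hook is left to the platform in use.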

USB propagation and layered evasion

The worm spreads through infected USB drives by hiding original documents with .doc, .xlsx, and .pdf extensions and replacing them with Windows shortcut (.lnk) files bearing the same names. When a user opens what appears to be a normal file, the .lnk executes the malware. The worm automatically copies itself to any new USB drive connected to the infected machine.

  • The initial installer is a Python executable obfuscated with PyArmor and packaged with PyInstaller.
  • JavaScript payloads dropped to C:\Users\Public\Documents use a separate dual-layer obfuscation scheme.
  • The malware checks whether Task Manager is running and exits if detected, a basic anti-analysis measure.
  • Command-and-control traffic routes through a renamed Tor client (ugate.exe) using a SOCKS5 proxy on localhost port 9050.
  • C2 endpoints include /route.php for check-ins, /recvf.php for uploading stolen files, and /stub.php for additional payloads.

Beyond clipboard theft: surveillance and remote access

The malware includes a surveillance module that captures five screenshots over a ten-second interval, giving operators a visual record of the victim’s activity. An EVAL command allows the C2 server to push and execute arbitrary code, effectively turning the cryptocurrency stealer into a general-purpose remote access tool that can adapt without reinfecting the target.

Microsoft recommends disabling AutoRun and AutoPlay on Windows systems, blocking .lnk file execution from removable media via Group Policy, and restricting wscript.exe and cscript.exe through application control policies.

The use of Tor for C2 communications makes traditional takedown approaches less effective because .onion addresses are not tied to registrars or hosting providers that can be compelled to act.

Users should treat USB drives from unknown sources as potential vectors and verify clipboard contents before pasting cryptocurrency addresses.

Fact check

  • The malware has been active since at least February 2026.
  • The worm uses a renamed Tor client (ugate.exe) with a SOCKS5 proxy on localhost port 9050.
  • The clipboard is checked every 500 milliseconds for wallet addresses and seed phrases.
  • The malware targets at least six cryptocurrencies including Bitcoin (segwit, taproot), Tron, and Monero.
