Microsoft has identified a new strain of malware targeting the cryptocurrency wallets of Windows users, spreading through USB drives since February. The company refers to this threat as a “crypto clipper” and tracks it under the name Trojan:Win32/CryptoBandits in Microsoft Defender Antivirus.
How does the malware operate?
The attack begins with a malicious shortcut file (.lnk extension) placed on an infected USB drive. Although these files are typically used to open programs or folders in Windows, clicking on the compromised shortcut installs a worm-like malware onto the device.
After installation, the malware carries out two tasks in parallel. First, it continuously runs its primary code to gather information from crypto wallets. Second, it keeps waiting for a clean USB device to be connected to the same computer, so that the infection can propagate to further portable devices and systems.
According to Microsoft, the malware regularly monitors clipboard data, collecting information such as seed phrases, private keys, and recipient addresses. This data is then sent to attackers via the Tor network. Additionally, when a user copies a wallet address for a transaction, the malware can covertly replace it with an address controlled by the attacker, making unauthorized transfers possible.
What data is targeted?
Microsoft notes that the malware scans the Windows clipboard roughly every 500 milliseconds. If a user copies a seed phrase or private key from a wallet for a cryptocurrency such as Bitcoin or Ethereum, the software captures these sensitive details. The malware also takes up to five screenshots at ten-second intervals and transmits them externally.
One of the most critical risks is the silent replacement of transfer addresses. When users copy a recipient address to send funds, the malware can swap it out for an attacker’s address just before it is pasted—without any visible warning—potentially diverting cryptocurrency to unauthorized hands.
Mini glossary: The Tor network is an open-source platform that enhances privacy by routing internet traffic through various servers. It is often used in cyberattacks to conceal command-and-control communication.
USB-based propagation method
The method of spreading via USB stands out as another notable feature. When a clean USB drive is connected to a compromised computer, the malware scans it for files like Word, Excel, and PDF documents. It then replaces these with similarly named shortcut files, thereby infecting the USB drive as well.
This tactic can mislead users into thinking their files are unchanged, allowing the infection cycle to continue as the compromised USB drive is connected to other devices, facilitating broader spread.
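As an added illustration of how a defender might check a removable drive for the document-to-shortcut substitution described above (example code written for this article, not Microsoft's tooling; the document extension list, severity labels and sample file names are assumptions):

```python
"""Flag shortcut (.lnk) files on removable media that masquerade as documents.

Added example, not Microsoft's code. The heuristic is an assumption: any .lnk on
a USB drive is notable, and one whose name mimics a document (Report.docx.lnk)
matches the substitution behaviour the article describes.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Document types the article says the worm replaces with shortcuts (assumed list).
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}


def classify_lnk(name: str) -> Optional[str]:
    """Return a severity for a shortcut file name, or None if it is not a .lnk."""
    path = Path(name)
    if path.suffix.lower() != ".lnk":
        return None
    inner_ext = Path(path.stem).suffix.lower()  # "Report.docx.lnk" -> ".docx"
    if inner_ext in DOC_EXTENSIONS:
        return "high"    # shortcut dressed up as a document: the worm's lure pattern
    return "medium"      # any shortcut on removable media deserves a look


def scan_removable(root: Path) -> List[Tuple[str, str]]:
    """Walk a mounted drive and list (relative POSIX path, severity) per .lnk found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            severity = classify_lnk(name)
            if severity:
                rel = (Path(dirpath) / name).relative_to(root).as_posix()
                findings.append((rel, severity))
    return sorted(findings)


def build_sample_drive() -> Path:
    """Create a constructed directory that mimics an infected USB drive (sample data)."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    for rel in ["Budget 2024.xlsx.lnk", "Invoice.pdf.lnk", "Notes.txt",
                "Photos/trip.jpg", "Tools/run.lnk"]:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"")  # content is irrelevant to the name heuristic
    return root


if __name__ == "__main__":
    for rel, severity in scan_removable(build_sample_drive()):
        print(f"{severity:6} {rel}")
```

Pointing scan_removable at a real mount point (for example a drive letter on Windows) lists every shortcut, with the document look-alikes ranked highest for manual review.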
Microsoft’s security recommendations
Microsoft recommends disabling the AutoRun feature for removable media, blocking the execution of .lnk files on USB drives via group policies, and restricting script hosts such as wscript.exe and cscript.exe. The company also urges IT teams to scan their networks for indicators of compromise that have been published.
Indicators include file hashes and .onion domain addresses reportedly linked to command-and-control servers. Customers with Microsoft Defender are further advised to check for suspicious connections to the local Tor proxy on port 9050 and review related activities within their systems.