
Microsoft says a malware strain infects Windows PCs via USB drives, monitors the clipboard for crypto wallet data, and swaps recipient addresses to steal funds. The company has published a list of indicators of compromise.
Microsoft has flagged a piece of malware that steals crypto wallets by monitoring the clipboard and spreads via USB drives. The company calls it a crypto clipper and tracks it as Trojan:Win32/CryptoBandits.
The infection starts when a user plugs in an infected USB stick and clicks a malicious .lnk shortcut file. That installs a worm on the machine. The worm does two things: it keeps the wallet-stealing code running, and it waits for a clean USB drive to be inserted, copies itself onto that drive, and plants new shortcut files that take the names of the drive's ordinary documents, so the cycle repeats on the next machine.
Once inside the system, the malware checks the Windows clipboard every 500 milliseconds. When a user copies a crypto wallet seed phrase, a private key, or a recipient address, it captures the data. If the copied value is a recipient address, the malware silently replaces it on the clipboard with an attacker-controlled address, so the victim pastes the attacker's address into the transaction. The victim sees no visible cue. The stolen data is sent back to the attacker over the Tor network, along with five screenshots taken ten seconds apart.
Microsoft recommends disabling AutoRun for removable media, blocking .lnk execution on USB drives through group policy, and restricting script hosts such as wscript.exe and cscript.exe. For Microsoft Defender customers, the company provides hunting queries that flag connections to a local Tor proxy on TCP port 9050, the default Tor SOCKS port.
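The script below is an added example, not Microsoft's published hunting query or any code from its write-up. It turns the clipboard behaviour described above and the hardening and hunting advice into four checks a Windows administrator can run on a suspect machine with PowerShell 5.1 or later from an elevated prompt: a clipboard canary (a clipper polling every 500 ms should rewrite a wallet-format address well within a 2-second wait), the AutoRun registry policy, shortcuts on removable drives whose target is a script host, and live connections to a local Tor SOCKS proxy on port 9050. The canary address (the public Bitcoin genesis-block address), the 2-second wait, and the cmd.exe and powershell.exe entries in the script-host list are assumptions of this example, not details from the article.

```powershell
# Added example for this article; not Microsoft's hunting query or any code from
# the malware write-up. Assumes a Windows host with PowerShell 5.1 or later,
# run from an elevated prompt so Get-NetTCPConnection and Get-Process can see
# every process.

# 1. Clipboard canary. A clipper that polls every ~500 ms and rewrites wallet
#    addresses will change this value before it is read back.
function Test-ClipboardClipper {
    param(
        # Assumption: the public Bitcoin genesis-block address, a valid-format
        # address nobody can spend from, so it is safe to put on the clipboard.
        [string]$Canary = '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa',
        [int]$WaitMs = 2000   # comfortably longer than the 500 ms polling interval
    )
    $saved = Get-Clipboard -Raw -ErrorAction SilentlyContinue
    Set-Clipboard -Value $Canary
    Start-Sleep -Milliseconds $WaitMs
    $observed = Get-Clipboard -Raw
    if ($saved) { Set-Clipboard -Value $saved }   # put the user's clipboard back
    [pscustomobject]@{
        Canary   = $Canary
        Observed = $observed
        Tampered = ($observed -ne $Canary)         # $true means something rewrote it
    }
}

# 2. AutoRun policy. NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive
#    type; the machine-wide (HKLM) value takes precedence when both are set.
function Get-AutoRunPolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{
            Hive               = $hive
            NoDriveTypeAutoRun = $value
            AllDrivesDisabled  = ($value -eq 0xFF)
        }
    }
}

# 3. Shortcuts on removable drives whose target is a script host. wscript.exe and
#    cscript.exe come from the article; cmd.exe and powershell.exe are added here
#    as an assumption, since a .lnk can launch a script through them as well.
function Find-SuspiciousUsbShortcut {
    $scriptHosts = 'wscript.exe', 'cscript.exe', 'cmd.exe', 'powershell.exe'
    $shell = New-Object -ComObject WScript.Shell
    # DriveType 2 is "removable disk" in Win32_LogicalDisk.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        Get-ChildItem -Path "$($_.DeviceID)\" -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                $targetName = [System.IO.Path]::GetFileName($lnk.TargetPath)
                if ($scriptHosts -contains $targetName) {
                    [pscustomobject]@{
                        Shortcut  = $_.FullName
                        Target    = $lnk.TargetPath
                        Arguments = $lnk.Arguments
                    }
                }
            }
    }
}

# 4. Processes connected to a local Tor SOCKS proxy (127.0.0.1:9050 or [::1]:9050).
function Get-TorProxyConnection {
    Get-NetTCPConnection -RemotePort 9050 -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -in '127.0.0.1', '::1' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ProcessId = $_.OwningProcess
                Process   = $proc.ProcessName
                Path      = $proc.Path
                State     = $_.State
            }
        }
}

# Run all four checks and show the results.
Test-ClipboardClipper      | Format-List
Get-AutoRunPolicy          | Format-Table -AutoSize
Find-SuspiciousUsbShortcut | Format-Table -AutoSize
Get-TorProxyConnection     | Format-Table -AutoSize
```

A clean machine reports Tampered = False, AllDrivesDisabled = True for at least the HKLM entry, and no rows from the last two checks. Any shortcut on a USB drive that launches a script host, or any non-browser process holding a connection to port 9050 on localhost, is worth pulling for a look against Microsoft's published hashes and .onion indicators.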
The firm also published a full set of indicators of compromise, including file hashes and .onion domain addresses, so security teams can scan their networks for the same malware.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.