
The CryptoBandits campaign swaps copied wallet addresses for attacker-controlled ones, routes traffic through Tor, and hides inside Windows scripting tools.
Microsoft's cybersecurity researchers have flagged a cryptocurrency-theft campaign they call CryptoBandits. The malware swaps copied wallet addresses for attacker-controlled ones. It spreads through infected USB drives and routes its traffic through the Tor network.
The infection chain begins when a user plugs a compromised USB drive into a Windows machine. The malware hides the drive's common document files – .doc, .pdf, .xlsx – and creates shortcut files (.lnk) with the same names. A double-click on one of the shortcuts silently launches the infection. Microsoft's researchers said the malware then installs a portable Tor client to route all of its internet traffic through a hidden proxy.
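The hidden-document-plus-shortcut layout described above is something a defender can look for directly on a removable drive. The following is an added example, not Microsoft's tooling or any code from the report; it assumes the shortcut is named either after the document's stem (Invoice.lnk beside Invoice.pdf) or after the full filename (Invoice.pdf.lnk), and it treats only the three extensions the article names as documents.

```python
"""Added example: scan a drive for document files shadowed by .lnk shortcuts of the same
name, the layout described in the CryptoBandits report. Defender-side check, not the
vendor's code; extension list and naming assumptions are the author's."""
import os
import tempfile
from pathlib import Path

DOC_EXTS = {".doc", ".pdf", ".xlsx"}   # extensions named in the report (assumption: only these)
FILE_ATTRIBUTE_HIDDEN = 0x2            # Windows hidden attribute bit

def is_hidden(path: Path) -> bool:
    """Windows hidden attribute; on non-Windows hosts the field is absent, so False."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)

def find_shadowed_documents(root) -> list:
    """Return sorted (shortcut, document, hidden) triples with paths relative to root.
    Matches both 'report.lnk' -> 'report.pdf' and 'report.pdf.lnk' -> 'report.pdf'."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        docs = [f for f in files if Path(f).suffix.lower() in DOC_EXTS]
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            stem = name[:-4].lower()
            for doc in docs:
                if stem in (doc.lower(), Path(doc).stem.lower()):
                    doc_path = Path(dirpath) / doc
                    findings.append(((Path(dirpath) / name).relative_to(root).as_posix(),
                                     doc_path.relative_to(root).as_posix(),
                                     is_hidden(doc_path)))
    return sorted(findings)

def demo() -> list:
    """Build a constructed sample 'USB drive' in a temp dir and scan it."""
    drive = Path(tempfile.mkdtemp(prefix="usb_"))
    for rel in ("Invoice.pdf", "Invoice.lnk", "Q3 report.xlsx", "Q3 report.xlsx.lnk",
                "notes.txt", "Launcher.lnk", "sub/plan.doc", "sub/plan.lnk"):
        p = drive / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")   # constructed, not real documents
    return find_shadowed_documents(drive)

if __name__ == "__main__":
    for shortcut, doc, hidden in demo():
        print(f"{shortcut} shadows {doc} (document hidden: {hidden})")
```

On Windows the third field reports whether the shadowed document carries the hidden attribute; a shortcut paired with a hidden document of the same name on removable media is the pattern worth escalating.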
Every half-second, the malware checks the clipboard for anything that looks like a crypto seed phrase or a wallet address. If it finds one, it replaces the copied string with a look-alike address controlled by the attackers. The victim pastes the swapped address and sends funds to the thief without realizing it.
What makes the campaign harder to stop is its reliance on built-in Windows scripting tools. It does not drop large installer files that antivirus engines scan for known signatures. The malicious code runs inside legitimate Windows processes, Microsoft's researchers said. Traditional file-scanning alone is not enough to catch it.
The researchers did not estimate how many machines have been infected or how much crypto has been stolen. They warned that the campaign is active and the malware is evolving. Microsoft advised PC users to be cautious with USB drives from unknown sources, to double-check any copied wallet address before pasting, and to keep Microsoft Defender up to date.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.