
Trojan/CryptoBandits spreads via USB drives, monitors clipboard activity every 500ms, and replaces wallet addresses. Microsoft released IOCs and Defender detection tools.
Microsoft identified a new malware strain that spreads through USB drives and targets crypto wallet data on Windows systems. The company said the Trojan, classified as Trojan/CryptoBandits, uses malicious shortcut files with .lnk extensions to install a worm that runs continuously on infected machines.
The infection starts when a user clicks a disguised .lnk file on a USB drive. Hidden scripts then install the worm silently, Microsoft said. Once active, the malware monitors the clipboard every 500 milliseconds. It captures copied seed phrases or private keys linked to Bitcoin or Ethereum wallets, then sends the data to attacker-controlled servers via the Tor network.
Beyond data theft, the malware tampers with transactions. When a user copies a wallet address, the malware swaps the clipboard contents for an attacker-controlled address, so the funds are redirected to the attacker without any visible change on the user's side. Microsoft said the worm also captures screenshots at 10-second intervals and sends batches of five images along with the clipboard data to remote servers, allowing the attackers to track user activity.
The threat spreads by infecting clean USB drives connected to a compromised system. It scans for common office files – Word and Excel documents – and replaces them with malicious shortcut files using identical names. Users who open the replaced files trigger the malware again, propagating the infection across multiple computers.
Microsoft advised disabling AutoRun for removable media and blocking .lnk file execution from USB drives through group policy. The company also urged restricting script hosts like wscript.exe and cscript.exe. Security teams can monitor systems using Microsoft Defender and hunting queries. Microsoft released indicators of compromise including file hashes and .onion domains used by the attackers.
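The propagation and hardening points above can be turned into a simple triage check for a USB drive before its files are opened. The following is an added example written for this article, not code from Microsoft's report or from any Defender tooling: it walks a drive root, and for every .lnk file it flags a double extension that mimics an office document (a shortcut such as Budget.xlsx.lnk is shown to the user as Budget.xlsx) and any shortcut whose embedded target string references one of the script hosts Microsoft advises restricting. The sample drive layout, file names and shortcut contents are constructed for the demonstration; the marker list is a heuristic, not an indicator published with the report.

```python
"""Heuristic triage of shortcut (.lnk) files on removable media (added example)."""
import tempfile
from pathlib import Path

# Office document extensions the worm reportedly replaces with shortcut files.
OFFICE_EXTS = {".doc", ".docx", ".xls", ".xlsx"}

# Script hosts named in Microsoft's mitigation advice, plus common launchers.
# Heuristic assumption: a shortcut on a USB drive whose target references one
# of these deserves review.
SCRIPT_HOST_MARKERS = ("wscript", "cscript", "powershell", "cmd.exe", "mshta")

MAX_READ = 64 * 1024  # only the head of the file is needed for the strings


def suspicious_lnk_reasons(path: Path) -> list[str]:
    """Return the reasons a shortcut looks suspicious (empty list if clean)."""
    reasons = []
    # Path.stem strips only the final ".lnk"; a remaining office extension
    # means the shortcut is displayed as a document in Explorer.
    if Path(path.stem).suffix.lower() in OFFICE_EXTS:
        reasons.append("double extension mimics an office document")

    with path.open("rb") as fh:
        data = fh.read(MAX_READ)
    # .lnk files carry the target path as UTF-16LE strings (and sometimes
    # as an ANSI copy), so decode both ways and search case-insensitively.
    text = (data.decode("utf-16-le", errors="ignore")
            + data.decode("latin-1")).lower()
    for marker in SCRIPT_HOST_MARKERS:
        if marker in text:
            reasons.append(f"target references script host '{marker}'")
    return reasons


def scan_drive(root: Path) -> dict[str, list[str]]:
    """Map each suspicious .lnk (path relative to root) to its reasons."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() == ".lnk":
            reasons = suspicious_lnk_reasons(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def _fake_lnk(target: str) -> bytes:
    """Constructed stand-in for a shortcut: header bytes plus a UTF-16LE target."""
    return b"L\x00\x00\x00" + bytes(16) + target.encode("utf-16-le")


def build_sample_drive() -> Path:
    """Create a constructed USB-drive layout in a temp directory and return it."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    # Document-lookalike shortcut pointing at wscript.exe (constructed).
    (root / "Q3 Budget.xlsx.lnk").write_bytes(
        _fake_lnk(r"C:\Windows\System32\wscript.exe //B hidden\update.vbs"))
    # Plain-named shortcut that launches cmd.exe (constructed).
    (root / "Notes.lnk").write_bytes(
        _fake_lnk(r"C:\Windows\System32\cmd.exe /c start hidden\run.bat"))
    # Benign shortcut to an ordinary application (constructed).
    (root / "Printer.lnk").write_bytes(
        _fake_lnk(r"C:\Program Files\PrinterTool\PrinterTool.exe"))
    # An untouched document; not a shortcut, so it is never flagged.
    (root / "Report.docx").write_bytes(b"PK\x03\x04 constructed document stub")
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for name, why in scan_drive(drive).items():
        print(f"{name}: {'; '.join(why)}")
```

Run it against the root of a mounted removable drive instead of the constructed sample to get a list of shortcuts worth inspecting before anyone double-clicks them; a flagged file is a reason to pull the drive and check it with Defender, not proof of infection on its own.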
Microsoft's crypto-clipper malware report provides the full technical details and detection guidance.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.