
Microsoft Warns of USB-Based “Crypto Clipper” Malware Spread



Microsoft Threat Intelligence has issued a warning to Windows users about a cryptocurrency clipper malware strain that spreads through USB drives and has been active since February. The attack is designed to harvest wallet credentials directly from users’ clipboard activity and then maintain control of infected machines through a persistent “worm-like” component.


In a security blog post published Wednesday, Microsoft described how the malware combines rapid clipboard theft with screenshot capture and wallet-address substitution—turning routine wallet copying into a monetization path for attackers. Microsoft also said the malware can propagate to removable media without relying on a traditional installer or exposed IP-based infrastructure, increasing the challenge of blocking it with conventional perimeter defenses.



Key takeaways



  • Microsoft says the crypto clipper has been affecting Windows users since February and spreads via USB devices.

  • The malware targets “high-value financial artifacts” copied to the clipboard, including BIP39 seed phrases and private keys.

  • It can replace copied wallet addresses with attacker-controlled ones across multiple blockchain ecosystems, including Bitcoin and Ethereum.

  • Microsoft reports it deploys Tor on the victim device and uses Tor-routed command-and-control to hide operator infrastructure.

  • Microsoft Defender Antivirus detects the threat as Trojan:Win32/CryptoBandits.A.



USB-based clipboard theft turns into credential exfiltration


At the core of the campaign is a tactic Microsoft described as “high-frequency clipboard theft” paired with screenshot exfiltration. According to Microsoft, once the malware runs on a Windows machine, it monitors clipboard contents to extract wallet credentials and then captures screenshots every ten seconds to provide additional context for the attackers.


More worrying for users is what Microsoft says the malware does beyond stealing information. Microsoft characterized the clipper as including a backdoor capability, enabling attackers to execute additional code on compromised hosts at later times. That shifts the threat from “one-time theft” into a persistent foothold that can potentially support follow-on attacks, including ransomware-style intrusions.


Microsoft also said the malware can disguise its presence by hiding legitimate files and replacing them with lookalike shortcuts. That design encourages victims to run the malicious components without realizing they’ve been tricked—especially when the infection is triggered via removable media.



Persistence and propagation via scheduled tasks and “worm” behavior


Microsoft’s analysis indicates the malware deploys two obfuscated JavaScript payloads in the Windows Documents directory. It then creates scheduled tasks for both the worm and stealer components—an approach that helps ensure the malicious routines continue running even after reboot.


The “worm component” is central to the propagation strategy. Microsoft said the malware automatically pushes itself to USB storage devices, allowing infections to spread when the victim connects the drive to other systems. This is why Microsoft’s warning focuses on removable media hygiene: an environment where USB devices are shared among multiple machines becomes a multiplier for infection risk.


Microsoft also noted that the malware’s execution does not depend on a traditional installer or exposed IP-based infrastructure. In practical terms, this can reduce defenders’ ability to rely on common download/installer telemetry and may make it harder to block by tracking known malicious endpoints.



Tor on the endpoint and wallet-address substitution


Microsoft reported that the malware secretly installs a copy of Tor on the victim’s computer and renames it to ugate.exe to look less suspicious. The malware then uses the anonymizing Tor network to reach hidden “onion” addresses operated by the attackers.


This Tor-routed approach matters because it makes command-and-control less dependent on a stable, easily enumerated host. Microsoft said the combination of Tor-routed C2, clipboard targeting, screenshot capture, and remote code execution gives attackers both immediate monetization paths and ongoing control of compromised devices.


On the monetization side, Microsoft said the clipper focuses on high-value financial artifacts from clipboard content, including BIP39 mnemonic seed phrases and Bitcoin and Ethereum private keys. Microsoft also described wallet-address substitution across multiple networks, replacing copied wallet addresses with attacker-controlled ones for Bitcoin, Tron, and Monero.


In addition to swapping addresses, the malware takes periodic screenshots, which can help attackers confirm what the user intended to send—even if the copied address has been altered. Microsoft also said that the malware collects this information to support the operators’ ability to act quickly once funds are ready to move.



What Microsoft recommends and how this fits a broader threat wave


Microsoft recommended several defensive measures aimed at breaking the infection chain. These include disabling autoplay on removable media, blocking .lnk execution from USB drives, and monitoring for proxy activity and spawned scripts—behaviors consistent with malware that uses scheduled tasks and anonymized communications.


Microsoft Defender Antivirus detects the threat as Trojan:Win32/CryptoBandits.A, which gives defenders a baseline for incident response and hunting on endpoints that show related artifacts.


The warning arrives amid a broader escalation in Windows-based crypto-stealing threats. Earlier this month, Foresiet Threat Intel identified a Windows malware strain called Lucid Stealer targeting browser extensions and crypto wallets. Taken together, the pattern suggests attackers are increasingly focusing on credential capture mechanisms that align with how users actually manage funds—through browser tools, wallet software, and copy/paste behavior that can be intercepted.



For users and security teams, the next step is to treat clipboard-handling threats as a high-risk category, not a niche one: watch for suspicious scheduled tasks, unexpected Tor-related processes running under masquerading filenames, and evidence of USB-driven propagation. With Microsoft stating the campaign has been active since February, organizations should also consider whether any infected removable media may still be in circulation and whether endpoint monitoring is catching the early stages—before clipboard theft and address substitution begin.
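The following read-only audit script is an added example written for this article; it is not code from Microsoft's post and not part of the malware analysis. It turns the indicators described above (scheduled tasks that launch script payloads from Documents, a Tor binary renamed to ugate.exe, lookalike shortcuts on removable drives) and the recommended mitigation of disabling AutoRun into checks a defender can run on an endpoint. The AutoRun registry values are the documented Explorer policy values; the list of script hosts and the check on a process's embedded original filename are assumptions made for the example, not details from the article.

```powershell
# Added hunting/audit example (not from Microsoft's post). Read-only: it reports
# findings and changes nothing. Run in an elevated PowerShell session.

$findings = [System.Collections.Generic.List[string]]::new()

# --- 1. Is AutoRun/AutoPlay actually disabled for removable media? -------------
# NoDriveTypeAutoRun = 0xFF disables AutoRun on every drive type and NoAutorun = 1
# stops autorun.inf from being honoured (documented Explorer policy values).
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $v -or $v.NoDriveTypeAutoRun -ne 0xFF -or $v.NoAutorun -ne 1) {
        $findings.Add("AutoRun not fully disabled under $key")
    }
}

# --- 2. Scheduled tasks that launch a script host or anything under Documents ---
# The article says the worm and stealer are obfuscated .js files in Documents,
# each kept alive by its own scheduled task. The host list below is an assumption.
$scriptHosts = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe', 'cmd.exe'
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $exe    = [string]$a.Execute        # empty for COM-handler actions
        $argStr = [string]$a.Arguments
        $line   = "$exe $argStr"
        $hostHit = $scriptHosts | Where-Object { $exe -like "*$_" }
        if ($hostHit -or $line -match '\\Documents\\' -or $line -match '\.js\b') {
            $findings.Add("Task '$($task.TaskPath)$($task.TaskName)' runs: $line")
        }
    }
}

# --- 3. Renamed Tor: a process called ugate.exe (named in the article) or one
# whose embedded version info still says tor.exe (assumption: the renamed binary
# may keep its original version resource), plus the connections it holds open.
foreach ($p in Get-Process) {
    $fvi = $null
    try { $fvi = $p.MainModule.FileVersionInfo } catch { }   # protected processes throw
    $orig = if ($fvi) { [string]$fvi.OriginalFilename } else { '' }
    if ($p.ProcessName -ieq 'ugate' -or $orig -ieq 'tor.exe') {
        $conns = Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
                 ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
        $findings.Add("Suspect Tor process PID $($p.Id) ($($p.ProcessName)) -> $($conns -join ', ')")
    }
}

# --- 4. Removable drives: lookalike .lnk shortcuts next to hidden originals -----
# The article describes legitimate files being hidden and replaced by shortcuts.
# Resolving each shortcut's target shows whether it points at a script host.
$shell = New-Object -ComObject WScript.Shell
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {   # 2 = removable
    $root = "$($disk.DeviceID)\"
    foreach ($lnk in Get-ChildItem -Path $root -Filter *.lnk -File -Force -ErrorAction SilentlyContinue) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        if ($scriptHosts | Where-Object { $sc.TargetPath -like "*$_" }) {
            $findings.Add("Shortcut $($lnk.FullName) -> $($sc.TargetPath) $($sc.Arguments)")
        }
    }
    $hidden = Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
    if ($hidden) { $findings.Add("Hidden items at $root : $($hidden.Name -join ', ')") }
}

# --- Report --------------------------------------------------------------------
if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

A hit from section 2 or 3 is what the article's recommendation to monitor for spawned scripts and proxy activity looks like in practice; section 4 is best run on any drive that has circulated between machines since February. None of the checks replaces the Defender detection (Trojan:Win32/CryptoBandits.A); they give a responder something to look at on hosts where the signature has not yet fired.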



https://www.cryptobreaking.com/microsoft-warns-of-usb-based/?utm_source=blogger%20&utm_medium=social_auto&utm_campaign=Microsoft%20Warns%20of%20USB-Based%20“Crypto%20Clipper”%20Malware%20Spread%20


Market Analysis and Price Predictions for Key Cryptocurrencies Recent market dynamics reveal a cautious sentiment across the cryptocurrency landscape, with Bitcoin struggling to maintain levels above $90,000 and many major altcoins facing downward pressure. Indicators point toward reduced participation from both institutional and retail investors, raising concerns about a potential consolidation phase after notable gains earlier in the year. Bitcoin has fallen below $87,000, reflecting waning demand at higher price points. Institutional fund flows into BTC and ETH ETFs have turned negative, indicating a period of subdued market activity. Active addresses and Binance deposit/withdrawal activities are at annual lows, suggesting market indecision. Most leading altcoins are approaching support levels, with some poised for potential breakdowns. Tickers mentioned: Bitcoin, Ethereum, Binance Coin, XRP, Solana, Dogecoin, Cardano, Bitcoin Cash, Chainlink, Hyperliquid Sentiment: Neutral to Sli...