Breaking
TRKKTC Vatandaşı Aya Napa'da Saldırıya UğradıARموسم الحرائق يبدأ مبكراً في جنوب أوروبا.. وفرنسا تنتخب أميناً عاماً جديداً للحزب الشيوعيCN台风“美莎克”减弱后仍致强降雨 华北东北多强对流天气 新疆陕西等地高温持久ARإيران: تعليمات إعلامية موحدة لتشييع خامنئي لضبط الرواية العامةARحارس مرمى النرويج: التصدي لركلة جزاء أمام البرازيل كان نقطة التحولARالنرويج تحتفل بالتأهل التاريخي لربع نهائي كأس العالم على حساب البرازيلKR키움투자자산운용, '미국우주테크TOP2채권혼합50 ETF' 상장RUЕвропейцы теряют интерес к росту военных расходов НАТО на фоне экономических проблемARحماس تعلن حل لجنتها الحكومية.. وماكرون يزور سوريا وسط ترقبINTLWildfires Rage Across Europe: Portugal, Greece, and Spain Battle Major BlazesTRKKTC Vatandaşı Aya Napa'da Saldırıya UğradıARموسم الحرائق يبدأ مبكراً في جنوب أوروبا.. وفرنسا تنتخب أميناً عاماً جديداً للحزب الشيوعيCN台风“美莎克”减弱后仍致强降雨 华北东北多强对流天气 新疆陕西等地高温持久ARإيران: تعليمات إعلامية موحدة لتشييع خامنئي لضبط الرواية العامةARحارس مرمى النرويج: التصدي لركلة جزاء أمام البرازيل كان نقطة التحولARالنرويج تحتفل بالتأهل التاريخي لربع نهائي كأس العالم على حساب البرازيلKR키움투자자산운용, '미국우주테크TOP2채권혼합50 ETF' 상장RUЕвропейцы теряют интерес к росту военных расходов НАТО на фоне экономических проблемARحماس تعلن حل لجنتها الحكومية.. وماكرون يزور سوريا وسط ترقبINTLWildfires Rage Across Europe: Portugal, Greece, and Spain Battle Major Blazes
Newsgather
BackMicrosoft Warns of USB-Transmitted Crypto Clipper Malware
Microsoft Warns of USB-Transmitted Crypto Clipper Malware
Urgent
Cointelegraph6/19/2026Tech2 min read

Microsoft Warns of USB-Transmitted Crypto Clipper Malware

Quick Look

  • Microsoft is alerting Windows users to a new cryptocurrency clipper malware spread via USB drives.
  • It steals clipboard data, replaces wallet addresses, and uses the Tor network for communication, posing a significant threat to digital assets.

AI-generated summary

Why It Matters

Microsoft Threat Intelligence is warning Windows users about a cryptocurrency clipper strain of malware transmitted via USB drives, affecting users since February.

Font size

Microsoft Threat Intelligence is warning Windows users about a cryptocurrency clipper strain of malware transmitted via USB drives.

The malware, which has been affecting users since February, steals clipboard data to extract wallet credentials using “high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution,” Microsoft said Wednesday.

The crypto clipper also hides legitimate files and replaces them with lookalike shortcuts, so victims unknowingly execute malware while a worm component propagates automatically to USB storage devices.

This malware is insidious because it's more than just an info stealer, it functions as a backdoor, meaning that attackers can push and execute arbitrary code on infected machines at any time, turning a simple crypto theft into a persistent foothold for ransomware.

The execution of this clipper is also notable because it does not depend on a traditional installer or exposed IP-based infrastructure, the Microsoft researchers said.

“This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking.”

Tor network used for obfuscation

The malware deploys two obfuscated JavaScript payloads in the Windows Documents directory and creates scheduled tasks for both the worm and stealer components.

The malware also secretly installs a copy of Tor on the victim’s computer but renames it ugate.exe to disguise it as something innocent. It then uses the anonymizing Tor network to connect to its malicious operators at hidden “onion” addresses.

Related: ‘TrapDoor’ malware targets crypto dev tools in supply chain attack

“The combination of Tor-routed C2, clipboard targeting, screenshot capture and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices,” Microsoft said.

Crypto clipper execution flow. Source: Microsoft

Private keys and seed phrases targeted

The crypto clipper focuses on “high-value financial artifacts” from the clipboard, including BIP39 mnemonic seed phrases and Bitcoin and Ethereum private keys.

It also replaces copied wallet addresses with attacker-controlled ones across Bitcoin, Tron and Monero and takes screenshots every ten seconds for additional context.

Microsoft Defender Antivirus detects the malware as Trojan:Win32/CryptoBandits.A.

Microsoft recommended disabling autoplay on removable media, blocking .lnk execution from USB drives, and monitoring for proxy activity and spawned scripts.

2026 has seen a significant escalation in Windows-based crypto stealers. A new Windows malware strain called Lucid Stealer that targets browser extensions and crypto wallets was identified earlier this month by the Foresiet Threat Intel Team.

What to Watch

AI outlook — possibilities, not facts

  • Increased prevalence of USB-based crypto stealers on Windows.

    Likely · Within months

Open Questions

  • How widespread is the infection?
  • What is the success rate of wallet address substitution?
  • What specific arbitrary code can attackers execute?

Related Topics

This article was originally published by Cointelegraph.

Related Stories

More on this topicmalware