Microsoft spots USB-borne crypto clipper that swaps your seed phrase for a stranger's 😬

Microsoft Threat Intelligence is warning Windows users about a cryptocurrency clipper, a strain of malware spread via USB drives, that has been active since February. The malware harvests clipboard data to extract wallet credentials through "high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution," the company said Wednesday. On an infected drive it hides the legitimate files and replaces them with lookalike shortcuts, so victims unknowingly launch the malware when they open what appears to be their own files, while a worm component copies itself automatically to any USB storage device that is attached.

The malware functions as a backdoor in addition to an information stealer, allowing attackers to push and execute arbitrary code on infected machines at any time and turn a one-off crypto theft into a persistent foothold. Microsoft researchers noted that execution does not depend on a traditional installer or on exposed IP-based infrastructure. "This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking," Microsoft said.

The clipper drops two obfuscated JavaScript payloads in the Windows Documents directory and creates scheduled tasks for both the worm and the stealer component. It quietly installs a copy of Tor on the victim's computer, renamed ugate.exe, and uses the anonymity network to reach its operators at hidden onion addresses. "The combination of Tor-routed C2, clipboard targeting, screenshot capture and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices," Microsoft said.

The malware targets "high-value financial artifacts" in the clipboard, including BIP39 mnemonic seed phrases and Bitcoin ($BTC) and Ethereum ($ETH) private keys. It also swaps copied wallet addresses for attacker-controlled ones across Bitcoin, Tron and Monero, and captures a screenshot every ten seconds. Microsoft Defender Antivirus detects the strain as Trojan:Win32/CryptoBandits.A. Microsoft recommended disabling AutoPlay on removable media, blocking .lnk execution from USB drives, and monitoring for proxy activity and for scripts spawned by scheduled tasks.
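For defenders who want to act on the behaviours described above (script payloads launched from Documents by scheduled tasks, Tor renamed to ugate.exe, hidden files shadowed by .lnk shortcuts on USB drives, and the AutoPlay hardening Microsoft recommends), here is an added hunt-and-harden script. It is example code written for this article, not Microsoft's or the malware author's code, and it makes assumptions the report does not confirm: that the scheduled tasks run the .js payloads through wscript or cscript, that the renamed Tor client listens on Tor's default SOCKS ports 9050 or 9150, and that the clipper swaps any wallet-address-shaped string (the canary string below is constructed, not a real address). Run it elevated on a machine you suspect is infected.

```powershell
# Added example, not Microsoft's or the article's own code. Hunts for the
# behaviours the article attributes to the clipper and applies AutoRun hardening.
# Assumptions: the tasks are assumed to use wscript/cscript, and ports 9050/9150
# are Tor's defaults rather than indicators published for this sample.
#Requires -RunAsAdministrator

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Type, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Scheduled tasks whose action references a .js file under a Documents folder,
#    or invokes a script host directly.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        if ($cmd -match '(?i)\\Documents\\[^"\s]+\.js\b' -or
            $cmd -match '(?i)(^|\\)(wscript|cscript)(\.exe)?\b') {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $cmd"
        }
    }
}

# 2. Running processes named ugate.exe (the name reported in the article), or
#    whose file version metadata still identifies the binary as Tor.
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    if (-not $p.Path) { continue }
    $product = ''
    try { $product = $p.MainModule.FileVersionInfo.ProductName } catch { }
    if ($p.ProcessName -ieq 'ugate' -or $product -match '(?i)\btor\b') {
        Add-Finding 'Process' "PID $($p.Id) $($p.Path) (ProductName='$product')"
    }
}

# 3. Loopback listeners on Tor's default SOCKS ports (assumed; a client built
#    with a custom torrc may use another port).
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -eq '127.0.0.1' -and $_.LocalPort -in 9050, 9150 } |
    ForEach-Object {
        $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Add-Finding 'Listener' "127.0.0.1:$($_.LocalPort) owned by PID $($_.OwningProcess) ($owner)"
    }

# 4. Removable drives (DriveType=2): items marked Hidden that sit beside a .lnk
#    with the same name, the lookalike-shortcut pattern the worm relies on.
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2') {
    $root  = $disk.DeviceID + '\'
    $items = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue
    $lnks  = $items | Where-Object { $_.Extension -ieq '.lnk' } |
             ForEach-Object { $_.BaseName.ToLower() }
    foreach ($item in $items) {
        $hidden = ($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $shadowed = ($lnks -contains $item.Name.ToLower()) -or ($lnks -contains $item.BaseName.ToLower())
        if ($hidden -and $item.Extension -ine '.lnk' -and $shadowed) {
            Add-Finding 'USB' "$($item.FullName) is hidden and shadowed by a same-named .lnk"
        }
    }
}

# 5. Harden: disable AutoRun/AutoPlay for every drive type (0xFF) and ignore
#    autorun.inf, per Microsoft's recommendation to disable AutoPlay on removable media.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
Set-ItemProperty -Path $policy -Name NoAutorun          -Value 1    -Type DWord

# 6. Clipper canary: put a constructed, address-shaped string on the clipboard
#    and check whether anything rewrites it. It is NOT a valid address (the
#    checksum is meaningless); a clipper that validates addresses may ignore it.
$canary = 'bc1q' + ('qpzry9x8gf2tvdw0s3jn54khce6mua7l' * 2).Substring(0, 38)
Set-Clipboard -Value $canary
Start-Sleep -Seconds 3
if ((Get-Clipboard -Raw) -ne $canary) { Add-Finding 'Clipboard' 'canary was rewritten within 3 s' }

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No findings.' }
```

Two caveats: the canary step overwrites whatever the user had on the clipboard, and the script does not implement Microsoft's third recommendation (blocking .lnk execution from USB drives), which is a policy control, for example a Software Restriction Policy path rule for removable drive letters, rather than something a one-off hunt script should set.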

The disclosure follows other recent Windows-based crypto threats, including the Lucid Stealer strain identified earlier this month by the Foresiet Threat Intel Team, which targets browser extensions and crypto wallets.

Publisher: cryptonewsroom.xyz
Category: Security

Disclaimer: This content is for information and entertainment purposes only. It does not constitute financial, investment, legal, or tax advice. Always do your own research and consult with qualified professionals before making any financial decisions.