Microsoft spots "Crypto Clipper" worm that swaps your seed phrase for a USB stick full of bad news
Microsoft Threat Intelligence is warning Windows users about a cryptocurrency "clipper" malware strain spread through USB drives that has been active since at least February 2026, combines clipboard hijacking with persistent remote access, and targets Bitcoin, Ethereum, Tron and Monero users. The malware continuously monitors the clipboard for high-value financial artifacts, including 12-word and 24-word BIP39 mnemonic seed phrases, Bitcoin wallet credentials and Ethereum private keys, and swaps copied wallet addresses with attacker-controlled alternatives across Bitcoin, Tron and Monero. It also captures screenshots every ten seconds to give operators additional context on balances and transactions.
The campaign spreads through malicious Windows shortcut (.lnk) files distributed via USB storage devices, hiding legitimate documents and replacing them with lookalike shortcuts so victims unknowingly execute malware when opening what appears to be a normal file. A worm component then propagates automatically to other USB storage devices attached to the infected machine. Microsoft Defender Antivirus detects the strain as Trojan:Win32/CryptoBandits.A.
Once installed, the malware deploys two obfuscated JavaScript payloads in the Windows Documents directory, creates scheduled tasks for both the worm and stealer components, and silently installs a portable copy of Tor renamed to ugate.exe to disguise it. Communications with the operators are routed through the Tor network to hidden "onion" addresses, allowing attackers to push and execute arbitrary code on compromised machines. "This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking," Microsoft said. "The combination of Tor-routed C2, clipboard targeting, screenshot capture and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices," the researchers added.
Microsoft noted that the malware does not rely on a traditional installer or exposed IP-based infrastructure, and recommended that users disable autoplay on removable media, block .lnk execution from USB drives, and monitor for proxy activity and spawned scripts.
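The monitoring advice above can be turned into concrete hunting rules from the behaviours the report describes: a script host running .js files out of the Documents folder, a scheduled task that launches such a script, a Tor binary running under the name ugate.exe, and processes talking to a local SOCKS proxy. The following is an added example written for this article, not code from Microsoft or from the malware report; the event records are constructed samples in a simplified Sysmon-like shape (field names `image`, `parent`, `cmdline`, `dest_ip`, `dest_port` are assumptions), and the local proxy ports 9050/9150 are Tor's default SOCKS ports, not values taken from the report.

```python
"""Hunting rules for the CryptoBandits behaviours described in the article.

Added example: event shape and field names are assumptions (Sysmon-like),
and every event below is constructed, not real telemetry.
"""
from __future__ import annotations

import re
from typing import Callable, Iterable, Optional

# Constructed sample events (not real telemetry). Events 1-4 mirror the
# reported chain; events 5-6 are benign noise that must not alert.
SAMPLE_EVENTS = [
    {"id": 1, "type": "ProcessCreate", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe //E:jscript "C:\Users\alice\Documents\xkjq1.js"'},
    {"id": 2, "type": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "wscript.exe C:\Users\alice\Documents\w0rm.js"'},
    {"id": 3, "type": "ProcessCreate", "image": r"C:\Users\alice\AppData\Roaming\ugate.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmdline": "ugate.exe"},
    {"id": 4, "type": "NetworkConnect", "image": r"C:\Windows\System32\wscript.exe",
     "dest_ip": "127.0.0.1", "dest_port": 9050},
    # Benign: a vendor logon script outside the Documents folder.
    {"id": 5, "type": "ProcessCreate", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\logon.vbs"'},
    # Benign: ordinary HTTPS traffic from a browser.
    {"id": 6, "type": "NetworkConnect", "image": r"C:\Program Files\Browser\browser.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# A .js path anywhere under a Documents folder, as quoted in a command line.
DOCS_JS = re.compile(r"\\Documents\\[^\"\s]+\.js\b", re.IGNORECASE)
# Default Tor SOCKS listener ports (assumption: operators keep Tor defaults).
TOR_LOCAL_PORTS = {9050, 9150}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_from_documents(ev: dict) -> Optional[str]:
    """Script host executing a .js file from the Documents directory."""
    if (ev["type"] == "ProcessCreate" and basename(ev["image"]) in SCRIPT_HOSTS
            and DOCS_JS.search(ev["cmdline"])):
        return "script_host_running_js_from_documents"
    return None


def rule_scheduled_task_script(ev: dict) -> Optional[str]:
    """schtasks /create whose action launches a script host (persistence)."""
    if ev["type"] == "ProcessCreate" and basename(ev["image"]) == "schtasks.exe":
        cl = ev["cmdline"].lower()
        if "/create" in cl and any(host in cl for host in SCRIPT_HOSTS):
            return "scheduled_task_launching_script_host"
    return None


def rule_renamed_tor(ev: dict) -> Optional[str]:
    """Process running under the ugate.exe name the report associates with Tor."""
    if ev["type"] == "ProcessCreate" and basename(ev["image"]) == "ugate.exe":
        return "tor_renamed_ugate"
    return None


def rule_local_socks(ev: dict) -> Optional[str]:
    """Any process connecting to a local Tor SOCKS port (proxy activity)."""
    if (ev["type"] == "NetworkConnect" and ev["dest_ip"] == "127.0.0.1"
            and ev["dest_port"] in TOR_LOCAL_PORTS):
        return "process_using_local_tor_socks_proxy"
    return None


RULES: list[Callable[[dict], Optional[str]]] = [
    rule_script_from_documents, rule_scheduled_task_script,
    rule_renamed_tor, rule_local_socks,
]


def detect(events: Iterable[dict]) -> list[tuple[int, str]]:
    """Return (event id, rule name) for every event that matches a rule."""
    alerts: list[tuple[int, str]] = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append((ev["id"], name))
    return alerts


if __name__ == "__main__":
    for event_id, rule_name in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule_name}")
```

Each rule is deliberately narrow so it can be tuned independently: the Documents-folder rule is the one most likely to need an allow-list in environments that legitimately run user scripts, while the scheduled-task and local-SOCKS rules are rare enough on a workstation to alert on directly.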