Microsoft discovers a USB worm that steals cryptocurrency by hijacking the clipboard and routing its traffic over Tor.
**TL;DR:** Microsoft has discovered a USB worm that has been active since February, which hijacks clipboards to substitute cryptocurrency wallet addresses and channels stolen information through a portable Tor client.
According to Microsoft Threat Intelligence, a new self-replicating malware family propagates via USB drives, watches the Windows clipboard for cryptocurrency wallet addresses and seed phrases, and sends everything it steals through a portable Tor client to evade detection. Microsoft's analysis indicates the operation has been active since at least February 2026.
Microsoft tracks the malware as Trojan:Win32/CryptoBandits.A. It behaves like a classic USB worm with a contemporary payload: when an infected USB drive is connected, the user sees what look like their usual document files, but the real documents have been hidden and replaced with Windows .lnk shortcut files that silently launch the malware when opened.
After a shortcut runs the payload, the worm searches the drive for documents with .doc, .xlsx, and .pdf extensions, hides the originals, and creates a corresponding shortcut for each. It also copies itself to any new USB drive connected to the infected machine, so it spreads from host to host automatically; the only user interaction it needs on the next machine is someone opening one of the seemingly innocent shortcuts.
Once operational, the malware launches a portable Tor client disguised as ugate.exe, which exposes a SOCKS5 proxy on localhost port 9050. All command-and-control (C2) traffic is routed through that proxy to a Tor hidden (.onion) service, which makes it hard for corporate firewalls and network monitoring to intercept or trace. The C2 server exposes three endpoints: /route.php for check-ins, /recvf.php for uploading stolen files, and /stub.php for downloading additional payloads.
Clipboard monitoring is the malware's primary theft technique. It polls the Windows clipboard roughly every 500 milliseconds for text that matches cryptocurrency wallet address or recovery-phrase patterns. On a match it silently replaces the copied address with one the attacker controls, so the victim pastes the attacker's address and unknowingly sends funds to the wrong wallet. Because the swap happens between copy and paste, the pasted address looks perfectly legitimate to the wallet software; only comparing it against the intended address before sending reveals the substitution.
The malware targets six cryptocurrencies across several address formats. For Bitcoin it recognizes legacy addresses beginning with “1,” Pay-to-Script-Hash addresses beginning with “3,” native SegWit addresses beginning with “bc1q,” and Taproot addresses beginning with “bc1p.” It also targets Tron addresses beginning with “T” and Monero addresses beginning with “4” or “8.” Clipboard hijacking for crypto theft is not limited to Windows: Android trojans such as Rokarolla use the same tactic to redirect crypto payments on mobile devices.
Beyond wallet addresses, the malware inspects clipboard contents for BIP39 seed phrases, the 12- or 24-word recovery phrases that give full access to a wallet, and it also harvests Ethereum private keys and Bitcoin Wallet Import Format (WIF) keys. Capturing a seed phrase or private key hands the attacker complete control of the associated wallet, rather than merely redirecting a single transaction.
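The clipboard matching the article describes comes down to a handful of patterns. The following is an added example, not code from Microsoft or from the malware: a small Python module that classifies a clipboard string as one of the address, key or seed-phrase formats named above, plus a `clipboard_swapped` check that a wallet application or an endpoint agent could run to detect that the address on the clipboard at paste time differs from the one the user actually copied. The character classes, lengths and accepted seed-phrase word counts are the public format definitions and are assumptions of this example, not details from Microsoft's report; no checksums are verified, and the address strings in the demo are sample strings used only to exercise the patterns, not real wallets.

```python
import re

# Added example (not Microsoft's code): recognise the clipboard content types the
# article says the worm looks for, then flag a copy/paste pair in which an
# address changed between copy and paste, which is the signature of a clipper.
# Character classes and lengths are the public format definitions (assumptions
# of this example, not values from Microsoft's report) and no checksum is
# verified: this is a triage heuristic, not an address validator.
B58 = r"[1-9A-HJ-NP-Za-km-z]"   # Base58: no 0, O, I, l
B32 = r"[02-9ac-hj-np-z]"       # Bech32 alphabet: no 1, b, i, o

ADDRESS_PATTERNS = {
    "btc_legacy":  re.compile(rf"^1{B58}{{25,34}}$"),                   # P2PKH, 26-35 chars
    "btc_p2sh":    re.compile(rf"^3{B58}{{25,34}}$"),                   # P2SH, 26-35 chars
    "btc_segwit":  re.compile(rf"^bc1q(?:{B32}{{38}}|{B32}{{58}})$"),  # P2WPKH 42 / P2WSH 62 chars
    "btc_taproot": re.compile(rf"^bc1p{B32}{{58}}$"),                   # P2TR, 62 chars
    "tron":        re.compile(rf"^T{B58}{{33}}$"),                      # 34 chars
    "monero":      re.compile(rf"^[48]{B58}{{94}}$"),                   # 95-char standard/subaddress
    "eth_privkey": re.compile(r"^(?:0x)?[0-9a-fA-F]{64}$"),             # 32-byte hex private key
    "btc_wif":     re.compile(rf"^(?:5{B58}{{50}}|[KL]{B58}{{51}})$"),  # uncompressed 51 / compressed 52
}

SEED_WORD = re.compile(r"^[a-z]{3,8}$")   # BIP39 words are 3-8 lowercase letters


def looks_like_seed_phrase(text):
    """Heuristic BIP39 check: 12/15/18/21/24 lowercase words of 3-8 letters.

    The 2048-word list is not embedded, so this over-approximates. The article
    mentions 12- and 24-word phrases; the other lengths are the remaining ones
    the BIP39 specification allows."""
    words = text.split()
    return len(words) in (12, 15, 18, 21, 24) and all(SEED_WORD.match(w) for w in words)


def classify_clipboard(text):
    """Return the matched secret type for a clipboard string, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    if looks_like_seed_phrase(text):
        return "bip39_seed_phrase"
    return None


def clipboard_swapped(copied, pasted):
    """True when the user copied an address but a different address is on the
    clipboard at paste time. A wallet UI or an endpoint hook that records what
    the user copied can use this to block the send and raise an alert."""
    if classify_clipboard(copied) is None or classify_clipboard(pasted) is None:
        return False
    return copied.strip() != pasted.strip()


if __name__ == "__main__":
    # Constructed sample: a legitimate copy followed by an attacker substitution.
    copied = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
    pasted = "1" + "A" * 33
    print(classify_clipboard(copied), classify_clipboard(pasted),
          "SWAPPED" if clipboard_swapped(copied, pasted) else "ok")
```

The classifier is deliberately loose (it will accept strings that fail a checksum), which is the right trade-off for the detection side: a false positive costs the user one confirmation prompt, while a false negative costs the funds. Note that nothing here can tell which address is the right one; the check only works when the copy event was recorded before the malware had a chance to rewrite the clipboard.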
A surveillance module captures five screenshots over ten seconds and packages them for upload to the C2 server, giving the operators a visual record of the victim's activity at the time of infection that may expose further credentials, open browser tabs, or financial dashboards.
Through a command named EVAL, the C2 operators can push and execute arbitrary code on infected systems, which turns the cryptocurrency stealer into a general-purpose remote access tool. Microsoft notes that this lets the actors change the malware's behaviour after deployment without reinfecting the target.
The malware uses several layers of evasion. Its initial installer is a Python-based executable obfuscated with PyArmor and packaged with PyInstaller, which complicates static analysis. The JavaScript payloads it drops in C:\Users\Public\Documents use a separate two-layer obfuscation scheme.
As a simple anti-analysis measure, the malware checks whether Task Manager is running and exits if it finds the process, a crude but effective way to deter casual investigation.
Using Tor for C2 reflects a broader trend of malware infrastructure moving to anonymization networks that resist takedown. Traditional malware relies on fixed domains or IP addresses that defenders can disrupt by seizing those assets; a Tor-based C2 channel is much harder to take down because a .onion address is not tied to any registrar or hosting provider that could be compelled to act.
Microsoft recommends several countermeasures, starting with disabling AutoRun and AutoPlay so that nothing executes automatically when a USB drive is connected. Group Policy can block .lnk files from executing from removable media, and application control policies that restrict wscript.exe and cscript.exe stop the JavaScript payloads from running. Since this worm depends on a user opening a shortcut rather than on AutoRun, disabling AutoRun alone does not break the infection chain; the shortcut and script-host controls are the ones that do.
Monitoring for listeners and connections on localhost port 9050 can identify machines where the portable Tor client has been installed. A legitimately installed Tor daemon uses the same default port, so confirm which process owns the listener (the worm's copy is named ugate.exe) before acting on the alert.
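Turning those indicators into a host check, as an added example that is not Microsoft's tooling: the Python below parses the text of `netstat -ano`, `tasklist` and a process command-line listing, and reports the three things the article gives a defender to look for (a localhost listener on port 9050 together with the process that owns it, a process named ugate.exe, and wscript.exe or cscript.exe running a .js file out of C:\Users\Public\Documents). The three captured outputs embedded in the block are constructed for the example; the PIDs and the script file name in them are made up.

```python
import re

# Added example (not Microsoft's code): triage a Windows host against the
# indicators in the article, using text captured from `netstat -ano`,
# `tasklist`, and a process command-line listing. The three samples below are
# constructed for the example; the PIDs and script name in them are made up.
TOR_SOCKS_PORT = 9050                       # SOCKS5 port the worm's Tor client binds on localhost
TOR_CLIENT_NAME = "ugate.exe"               # name the worm gives its portable Tor client
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PAYLOAD_DIR = r"c:\users\public\documents"  # drop location of the JavaScript payloads
LOOPBACK = {"127.0.0.1", "0.0.0.0", "[::1]", "[::]"}

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING       4212
  TCP    192.168.1.20:49812     203.0.113.7:443        ESTABLISHED     2288
  UDP    0.0.0.0:5353           *:*                                    1676
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
svchost.exe                   1012 Services                   0     12,344 K
ugate.exe                     4212 Console                    1     38,912 K
wscript.exe                   5120 Console                    1     10,228 K
chrome.exe                    2288 Console                    1    212,004 K
"""

# (pid, command line) pairs, as e.g. `wmic process get ProcessId,CommandLine` would give
CMDLINE_SAMPLE = [
    (5120, r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Public\Documents\update.js"'),
    (2288, r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
]


def parse_netstat(text):
    """(local_address, state, pid) for each TCP row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[4].isdigit():
            rows.append((parts[1], parts[3], int(parts[4])))
    return rows


def parse_tasklist(text):
    """pid -> lowercase image name from `tasklist` output (header rows are skipped)."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit() and parts[0].lower().endswith(".exe"):
            procs[int(parts[1])] = parts[0].lower()
    return procs


def triage(netstat_text, tasklist_text, cmdlines):
    """Return a list of findings; an empty list means none of the indicators matched."""
    findings = []
    procs = parse_tasklist(tasklist_text)

    # 1. A listener on localhost:9050. A user-installed Tor daemon uses the same
    #    default port, so the owning process is reported for confirmation.
    for local, state, pid in parse_netstat(netstat_text):
        host, _, port = local.rpartition(":")
        if state == "LISTENING" and port == str(TOR_SOCKS_PORT) and host in LOOPBACK:
            findings.append(f"listener on {local} owned by pid {pid} ({procs.get(pid, 'unknown')})")

    # 2. The disguised Tor client by name, whether or not its socket was caught.
    for pid, image in procs.items():
        if image == TOR_CLIENT_NAME:
            findings.append(f"{TOR_CLIENT_NAME} running as pid {pid}")

    # 3. A script host executing a .js file from the public Documents folder.
    js_in_payload_dir = re.compile(re.escape(PAYLOAD_DIR) + r'\\[^\s"]+\.js\b', re.IGNORECASE)
    for pid, cmdline in cmdlines:
        image = procs.get(pid, "")
        if image in SCRIPT_HOSTS and js_in_payload_dir.search(cmdline):
            findings.append(f"{image} (pid {pid}) running a script from {PAYLOAD_DIR}")
    return findings


if __name__ == "__main__":
    for finding in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE, CMDLINE_SAMPLE):
        print("FINDING:", finding)
```

On a live host, replace the samples with the real outputs, for example `subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout` for the first argument and the equivalent for `tasklist`; the parsers only rely on the whitespace-separated column layout those commands print. The port check is the weakest of the three indicators on its own, which is why the finding carries the owning process name.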
Although USB-based malware had mostly faded from security discussions due to the rise of cloud storage