Microsoft discovers a USB worm that steals cryptocurrency by hijacking the clipboard and using Tor.


**Summary:** Microsoft has discovered a USB worm, active since February, that hijacks the clipboard to swap cryptocurrency wallet addresses and exfiltrates stolen information through a portable Tor client.

According to Microsoft Threat Intelligence, a new variant of self-replicating malware has been detected that spreads via USB drives, monitors the Windows clipboard for cryptocurrency wallet addresses and seed phrases, and sends all stolen data through a portable Tor client to evade detection. The activity has been ongoing since at least February 2026, as detailed in Microsoft's recent analysis.

Identified by Microsoft as Trojan:Win32/CryptoBandits.A, the malware works as a traditional USB worm with modern additions. When a user connects an infected USB drive, they see what appear to be familiar document files. The original files are hidden and replaced by Windows shortcut (.lnk) files of the same names, which run the malware when opened.

The code launched by the .lnk files searches the drive for documents with .doc, .xlsx, and .pdf extensions, hides the originals, and creates shortcut files of the same names in their place. The worm also copies itself to any new USB drive connected to an already infected machine, so it spreads with no user action beyond opening what looks like a normal file.
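A triage script for the decoy pattern just described, added here as an example and not code from Microsoft's report: it walks a mounted removable drive and reports every .lnk file that shares its name (with or without the document extension) with a .doc, .xlsx or .pdf in the same folder, noting whether the original carries the hidden attribute. The sample drive layout it builds in a temporary directory is constructed for the demo; the hidden-attribute check is best effort and only meaningful on Windows.

```python
import os
import tempfile
from pathlib import Path

DOC_EXTS = {".doc", ".xlsx", ".pdf"}   # extensions the report says the worm targets
FILE_ATTRIBUTE_HIDDEN = 0x2            # Windows attribute bit


def is_hidden(path):
    """Best-effort hidden check: NTFS attribute on Windows, dot-file elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def find_lnk_decoys(root):
    """Walk `root` and return sorted (shortcut, original, original_hidden) tuples
    for every .lnk whose name minus '.lnk' equals a document's full name or stem."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        docs = [f for f in files if Path(f).suffix.lower() in DOC_EXTS]
        for f in files:
            if not f.lower().endswith(".lnk"):
                continue
            base = f[:-4].lower()
            for doc in docs:
                if doc.lower() == base or Path(doc).stem.lower() == base:
                    orig = os.path.join(dirpath, doc)
                    hits.append((os.path.join(dirpath, f), orig, is_hidden(orig)))
    return sorted(hits)


def build_sample_drive(root):
    """Constructed sample layout (not a real capture): two decoys plus benign files."""
    layout = {
        "Invoice.xlsx": b"benign spreadsheet",
        "Invoice.lnk": b"shortcut bytes",          # decoy named like the document
        "sub/Report.pdf": b"benign pdf",
        "sub/Report.pdf.lnk": b"shortcut bytes",   # decoy keeping the full name
        "sub/notes.txt": b"unrelated",
        "Readme.lnk": b"shortcut with no twin",    # lone shortcut, not flagged
    }
    for rel, data in layout.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Build the sample drive and return (shortcut, original) pairs relative to it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_drive(d)
        return [(os.path.relpath(l, d), os.path.relpath(o, d))
                for l, o, _hidden in find_lnk_decoys(d)]


if __name__ == "__main__":
    for lnk, orig in demo():
        print(f"decoy {lnk} shadows {orig}")
```

Run it against the mount point of a suspect drive (`find_lnk_decoys("E:\\")`) rather than the temporary sample; a non-empty result is a reason to image the drive rather than open anything on it.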

Once active on a system, the malware launches a portable Tor client renamed ugate.exe and starts a SOCKS5 proxy on localhost port 9050. All command-and-control traffic is then routed through Tor's .onion network, which makes it much harder for corporate security tooling to intercept or trace. The command-and-control (C2) infrastructure uses three endpoint paths: /route.php for check-ins, /recvf.php for uploading stolen data, and /stub.php for downloading additional payloads.

The malware's primary theft mechanism is clipboard monitoring. Roughly every 500 milliseconds it checks the Windows clipboard for patterns resembling cryptocurrency wallet addresses or recovery phrases. When it finds a match, it silently replaces the copied address with one controlled by the attacker, so the victim unknowingly sends funds to the wrong wallet.

The malware targets six cryptocurrencies across several address formats. For Bitcoin it recognizes legacy addresses starting with "1", Pay-to-Script-Hash addresses starting with "3", native SegWit addresses starting with "bc1q", and Taproot addresses starting with "bc1p". It also looks for Tron addresses starting with "T" and Monero addresses starting with "4" or "8". Clipboard hijacking of this kind is not exclusive to Windows; Android trojans such as Rokarolla use similar techniques to divert cryptocurrency transactions on mobile devices.

In addition to wallet addresses, the malware inspects clipboard contents for BIP39 seed phrases, the 12- or 24-word recovery keys that grant full access to a cryptocurrency wallet. It also captures Ethereum private keys and Bitcoin Wallet Import Format (WIF) keys. A seed phrase or private key gives the attacker complete control of the corresponding wallet, rather than the ability to reroute a single transaction.
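The defensive counterpart of the clipper logic described in the last three paragraphs, written as an added example (not Microsoft's or the malware's code): a classifier for the address and key formats the report lists, and a check that flags the tell-tale sign of clipboard hijacking, namely the clipboard holding a different address of the same type as the one the user copied. The regular expressions are approximations that check prefix, alphabet and plausible length only (no checksum or BIP39 wordlist validation), and all sample values are constructed strings, not real addresses.

```python
import re

# Approximate patterns for the formats named in the report; a match means
# "looks like", not "is a valid address".
_B58 = r"[1-9A-HJ-NP-Za-km-z]"            # base58 alphabet
_BECH = r"[ac-hj-np-z02-9]"                # bech32 alphabet
ADDRESS_PATTERNS = [
    ("btc_legacy",  re.compile(rf"^1{_B58}{{25,34}}$")),
    ("btc_p2sh",    re.compile(rf"^3{_B58}{{25,34}}$")),
    ("btc_segwit",  re.compile(rf"^bc1q{_BECH}{{38,58}}$")),
    ("btc_taproot", re.compile(rf"^bc1p{_BECH}{{58}}$")),
    ("tron",        re.compile(rf"^T{_B58}{{33}}$")),
    ("monero",      re.compile(rf"^[48]{_B58}{{94}}$")),
]
SECRET_PATTERNS = [
    ("eth_private_key", re.compile(r"^(0x)?[0-9a-fA-F]{64}$")),
    ("btc_wif",         re.compile(rf"^[5KL]{_B58}{{50,51}}$")),
]
SECRET_LABELS = {"eth_private_key", "btc_wif", "bip39_seed_phrase"}


def classify(text):
    """Return a label for clipboard text that looks like an address or secret, else None."""
    s = text.strip()
    for label, rx in ADDRESS_PATTERNS + SECRET_PATTERNS:
        if rx.match(s):
            return label
    words = s.lower().split()
    if len(words) in (12, 24) and all(w.isalpha() for w in words):
        return "bip39_seed_phrase"   # heuristic: word count only, no wordlist check
    return None


def detect_swap(copied, current):
    """Compare what the user copied with what the clipboard holds now.
    Returns a finding when both are addresses of the same type but differ,
    which is exactly what a clipper leaves behind; secrets are never compared."""
    kind = classify(copied)
    if kind is None or kind in SECRET_LABELS or classify(current) != kind:
        return None
    if copied.strip() == current.strip():
        return None
    return {"kind": kind, "expected": copied.strip(), "found": current.strip()}


# Constructed clipboard timeline: (what the user copied, what was there on paste).
SAMPLE_EVENTS = [
    ("1" + "A" * 33, "1" + "B" * 33),           # legacy BTC address swapped
    ("bc1q" + "q" * 38, "bc1q" + "q" * 38),     # SegWit address untouched
    ("hello world", "hello world"),             # ordinary text
    ("T" + "A" * 33, "T" + "B" * 33),           # Tron address swapped
]


def run_demo():
    """Evaluate each sample event; returns a list of findings or None per event."""
    return [detect_swap(copied, current) for copied, current in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, finding in zip(SAMPLE_EVENTS, run_demo()):
        print(f"{event[0][:12]}... -> {'SWAP ' + finding['kind'] if finding else 'ok'}")
```

In a real monitor `detect_swap` would be driven by two hooks: record the text at the moment the user copies it, then re-read the clipboard immediately before a paste into a wallet or exchange form; a `classify` result in `SECRET_LABELS` is the cue to warn the user and clear the clipboard rather than to compare values.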

The malware also contains a surveillance module that captures five screenshots over a ten-second span and packages them for upload to the C2 server. This gives attackers a visual snapshot of the victim's activity at the time of infection, potentially exposing further credentials, open browser tabs, or financial dashboards.

A command known as EVAL lets C2 operators push and execute arbitrary code on infected machines, turning the cryptocurrency stealer into a general-purpose remote access tool. Microsoft notes that this lets threat actors change the malware's behaviour after deployment without reinfecting the target.

The malware employs several evasion techniques. Its initial installer is a Python-based executable obfuscated with PyArmor and packaged with PyInstaller, which complicates static analysis. The JavaScript payloads dropped into C:\Users\Public\Documents use a separate two-layer obfuscation scheme.

As an anti-analysis measure, the malware checks for a running Task Manager process and terminates if it finds one, a simple but effective way to hinder casual investigation.

Using Tor for command-and-control communication reflects a broader trend in malware infrastructure toward anonymization networks that resist takedown. Traditional malware relying on static domains or IP addresses can be disrupted when defenders seize those assets. Tor-based C2 channels are much harder to disrupt because .onion addresses are not tied to any registrar or hosting provider that can be compelled to act.

Microsoft offers several mitigations, starting with disabling AutoRun and AutoPlay so that nothing executes automatically when a USB drive is connected. Group Policy can be configured to block .lnk files from executing on removable media, and restricting wscript.exe and cscript.exe through application control policies prevents the JavaScript-based payloads from running.

Monitoring network connections to localhost port 9050 can help identify machines
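Detection logic for the host-side indicators the article names, added here as an example and not part of Microsoft's guidance: connections from any process to 127.0.0.1:9050, wscript.exe or cscript.exe launched with a script under C:\Users\Public\Documents, and a process named ugate.exe. The events are constructed Sysmon-style key="value" lines (EventID 1 for process creation, EventID 3 for network connections), not real telemetry, and the file paths in them are placeholders except for the C:\Users\Public\Documents location the article reports.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events in a simplified Sysmon-like key="value" format.
SAMPLE_LOG = r'''
ts=2026-03-01T10:00:01Z EventID=1 Image="C:\Windows\System32\wscript.exe" CommandLine="wscript.exe //B C:\Users\Public\Documents\update.js" ParentImage="C:\Windows\explorer.exe"
ts=2026-03-01T10:00:02Z EventID=1 Image="C:\Users\Public\ugate.exe" CommandLine="ugate.exe" ParentImage="C:\Windows\System32\wscript.exe"
ts=2026-03-01T10:00:05Z EventID=3 Image="C:\Windows\System32\wscript.exe" DestinationIp="127.0.0.1" DestinationPort="9050" Protocol="tcp"
ts=2026-03-01T10:01:00Z EventID=3 Image="C:\Program Files\Mozilla Firefox\firefox.exe" DestinationIp="203.0.113.10" DestinationPort="443" Protocol="tcp"
ts=2026-03-01T10:02:00Z EventID=1 Image="C:\Windows\System32\cscript.exe" CommandLine="cscript.exe C:\Scripts\inventory.vbs" ParentImage="C:\Windows\System32\svchost.exe"
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PUBLIC_DOCS = "c:\\users\\public\\documents"      # drop location named in the report
LOOPBACK = {"127.0.0.1", "::1"}
TOR_SOCKS_PORT = "9050"


def parse_event(line):
    """Turn one key="value" line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def image_name(ev, key="Image"):
    """Lower-case file name of a Windows path field (PureWindowsPath works on any OS)."""
    return PureWindowsPath(ev.get(key, "")).name.lower()


def evaluate(ev):
    """Return the list of rule names the event triggers (empty if benign)."""
    findings = []
    eid = ev.get("EventID")
    if (eid == "3" and ev.get("DestinationIp") in LOOPBACK
            and ev.get("DestinationPort") == TOR_SOCKS_PORT):
        findings.append("localhost_socks_9050")
    if eid == "1":
        if image_name(ev) in SCRIPT_HOSTS and PUBLIC_DOCS in ev.get("CommandLine", "").lower():
            findings.append("script_host_public_documents")
        if image_name(ev) == "ugate.exe":
            findings.append("renamed_tor_client_name")
    return findings


def scan(log_text):
    """Run every rule over every line; returns (timestamp, image, findings) per hit."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        findings = evaluate(ev)
        if findings:
            hits.append((ev.get("ts"), image_name(ev), findings))
    return hits


if __name__ == "__main__":
    for ts, image, findings in scan(SAMPLE_LOG):
        print(f"{ts} {image}: {', '.join(findings)}")
```

The loopback rule is the most durable of the three, since a renamed Tor binary can change its file name but not the fact that the payload must connect to the local SOCKS listener; legitimate Tor Browser installs also listen on 9050 or 9150, so tune the rule to the process making the connection rather than alerting on the port alone.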

