Microsoft Discovers STONEDRIVE: USB Crypto Stealer Evades Detection via Tor

Microsoft has discovered STONEDRIVE, a sophisticated cryptocurrency stealer that spreads primarily via infected USB drives using classic autorun techniques reminiscent of Conficker. It targets wallet files, credentials, and browser data, exfiltrating information through the Tor network while employing heavy anti-analysis and evasion measures. The campaign highlights persistent risks from physical media in digital asset environments.
Written by Juan Vasquez

Microsoft has uncovered a sophisticated cryptocurrency stealer malware that primarily spreads through infected USB drives and relies on the Tor network for command and control communications. Security researchers at the company detailed the threat in a recent analysis, highlighting how the malware combines old-school propagation methods with modern evasion techniques to target digital asset holders.

The discovery, reported by Slashdot, centers on a strain that Microsoft tracks internally as STONEDRIVE. This particular family stands out because it revives the classic USB worm propagation model last seen prominently with threats like Conficker over a decade ago. Rather than depending solely on email attachments or drive-by downloads, the malware copies itself to any removable media inserted into an infected machine. When that drive moves to another computer, the autorun.inf file and associated executables trigger infection automatically if the target system has autorun features enabled or if users interact with the disguised folders.

Once inside a system, STONEDRIVE behaves like many information stealers by scanning for cryptocurrency wallet files, browser extension data, and stored credentials. It specifically looks for popular wallet applications including Electrum, Exodus, and MetaMask, along with files associated with hardware wallet management software. The malware also grabs browser cookies, saved passwords, and autofill data that might contain seed phrases or private keys. All harvested information gets packaged and sent back to attackers through Tor hidden services, making direct attribution and takedown efforts significantly more difficult.

Microsoft’s researchers observed that the threat employs several layers of obfuscation to avoid detection. The initial dropper uses multiple stages of encrypted payloads, with each layer decoding the next only after checking for analysis environments. Virtual machines and sandbox tools often trigger anti-analysis routines that cause the malware to remain dormant or simply delete itself. This focus on evasion explains why the campaign managed to operate for several months before drawing wider attention from security teams.

The choice of USB-based spreading suggests the attackers deliberately target environments where air-gapped systems or networks with strict internet controls exist. Corporate environments, research facilities, and even some cryptocurrency trading firms sometimes maintain isolated machines for signing transactions. By infecting USB drives, the malware can bridge these isolated networks without requiring direct internet access from the primary target machine. Once the drive returns to an internet-connected system, the collected data exfiltrates through Tor.

Tor provides multiple advantages for operators behind this campaign. The network’s onion routing hides the true location of command-and-control servers while also encrypting traffic in ways that standard security tools struggle to inspect. Microsoft noted that the malware uses hardcoded Tor addresses rather than domain names, eliminating the need for DNS resolution that might trigger alerts. Communication occurs only at predetermined intervals, further reducing the network footprint and making behavioral detection harder for endpoint protection platforms.

Analysis of the stolen data formats revealed structured JSON payloads containing wallet addresses, private keys when available, and screenshots taken from infected machines. The malware can activate the victim’s webcam and microphone under certain conditions, suggesting the operators may pursue additional intelligence beyond pure financial gain. Some samples also contained modules for keylogging and clipboard monitoring, specifically watching for cryptocurrency address strings that get replaced with attacker-controlled addresses during copy-paste operations.

This clipboard hijacking technique has grown increasingly common among cryptocurrency-focused threats. When users copy a wallet address to send funds, the malware swaps it with one belonging to the attackers. The substitution happens silently in memory, so the displayed address in applications appears legitimate until the transaction confirms on the blockchain. Combined with the wallet file theft capabilities, this dual approach maximizes potential revenue from each infected system.

Microsoft coordinated with law enforcement agencies and shared indicators of compromise through its Threat Intelligence Center. The company emphasized that organizations should disable autorun features across Windows systems and implement group policies that prevent USB drives from executing files automatically. Regular employee training about the risks of unknown USB devices remains essential, especially in sectors handling valuable digital assets.

The campaign appears linked to a financially motivated group rather than state-sponsored actors, based on the infrastructure choices and targeting patterns. Attackers focused primarily on English-speaking regions with high cryptocurrency adoption rates, including parts of North America, Western Europe, and Southeast Asia. However, the USB propagation method means any organization whose employees travel or share physical media faces elevated risk regardless of primary business focus.

Forensic examination of the malware samples showed compilation timestamps stretching back several months, indicating the operators refined their tools over time. Early versions contained more bugs and crashed frequently on newer Windows builds, but subsequent iterations improved stability and expanded the range of targeted applications. The group also updated Tor configurations periodically to maintain connectivity even after certain relays appeared on blocklists.

Endpoint detection and response solutions can identify STONEDRIVE through specific behavioral patterns. Unusual processes accessing multiple wallet-related file paths in quick succession often signal infection. Similarly, unexpected Tor client activity from non-browser processes warrants investigation. Microsoft recommended enabling Windows Defender’s tamper protection features and keeping all systems updated with the latest security patches, as the malware sometimes exploits older vulnerabilities to gain administrative privileges.
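The two behavioral signals above (one process sweeping several wallet families in quick succession, and Tor-port connections from a process that is not Tor Browser) can be expressed as simple detection logic. This is an added example, not Microsoft's own rule or telemetry: the pipe-delimited event format, the process names and the wallet file paths are constructed for illustration, and the path markers would need tuning to a real EDR's data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WALLET_PATH_MARKERS = (r"\electrum", r"\exodus", r"\metamask")  # illustrative fragments
TOR_PORTS = {9050, 9150, 9001}  # Tor SOCKS ports and default ORPort
TOR_ALLOWLIST = {"firefox.exe", "tor.exe"}  # Tor Browser components expected to use them
# Constructed sample telemetry (not real logs): timestamp|event|pid|process|detail
SAMPLE_EVENTS = r"""
2024-05-01T10:00:01|file_read|5012|svchost32.exe|C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet
2024-05-01T10:00:02|file_read|5012|svchost32.exe|C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco
2024-05-01T10:00:03|file_read|5012|svchost32.exe|C:\Users\alice\AppData\Roaming\MetaMask\vault.json
2024-05-01T10:00:09|net_connect|5012|svchost32.exe|127.0.0.1:9050
2024-05-01T10:05:00|file_read|6001|electrum.exe|C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet
2024-05-01T11:00:00|net_connect|7002|firefox.exe|127.0.0.1:9150
"""

def parse_events(text):
    """Parse the pipe-delimited telemetry into (ts, kind, pid, process, detail) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, pid, proc, detail = line.split("|", 4)
        events.append((datetime.fromisoformat(ts), kind, int(pid), proc.lower(), detail))
    return events

def wallet_sweep_alerts(events, window=timedelta(seconds=60), min_distinct=2):
    """Flag a process reading >= min_distinct wallet families within `window`.
    A wallet app reading only its own files never crosses the threshold."""
    touches = defaultdict(list)  # (pid, proc) -> [(ts, marker)]
    for ts, kind, pid, proc, detail in events:
        for marker in WALLET_PATH_MARKERS:
            if kind == "file_read" and marker in detail.lower():
                touches[(pid, proc)].append((ts, marker))
    alerts = []
    for (pid, proc), seq in touches.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            families = {m for t, m in seq[i:] if t - start <= window}
            if len(families) >= min_distinct:
                alerts.append((pid, proc, sorted(families)))
                break  # one alert per process is enough for triage
    return alerts

def tor_alerts(events):
    """Flag Tor-port connections from any process outside the Tor Browser allowlist."""
    alerts = []
    for _, kind, pid, proc, detail in events:
        port = int(detail.rsplit(":", 1)[1]) if kind == "net_connect" else None
        if port in TOR_PORTS and proc not in TOR_ALLOWLIST:
            alerts.append((pid, proc, port))
    return alerts
```

On the sample, only the unknown `svchost32.exe` is flagged by both rules; the legitimate Electrum client touching its own wallet and Firefox using the Tor Browser SOCKS port are left alone.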

The threat highlights ongoing tensions between convenience and security in cryptocurrency management. Many users prefer keeping wallet files readily accessible rather than secured in cold storage, creating opportunities for malware. Hardware wallets provide better protection but still require software interfaces that sophisticated stealers can target. Security professionals advise treating any USB drive as potentially compromised and scanning them on dedicated, isolated analysis machines before connecting to production systems.

Beyond individual infections, the campaign raises questions about supply chain risks in the cryptocurrency sector. Developers who receive infected USB drives from conferences or partners could inadvertently spread the malware to build environments. If signing keys or seed phrases exist on those systems, the financial impact could extend far beyond the initial victim’s losses. Several blockchain projects have reportedly begun reviewing their internal USB usage policies following Microsoft’s disclosure.

Researchers continue monitoring for new variants as the operators likely adapt to increased visibility. The modular design of STONEDRIVE allows easy addition of new wallet targets or evasion methods without rebuilding the entire codebase. Future versions might incorporate ransomware capabilities or integrate with larger botnets to amplify distribution.

Organizations should consider implementing strict USB control policies that either whitelist approved devices or require cryptographic verification before allowing execution. Application whitelisting can prevent unauthorized binaries from running even if they reach the system through physical media. Network segmentation limits the potential damage by containing infections to specific subnets.

For home users, basic precautions include running reputable antivirus software with real-time USB scanning enabled. Avoiding the practice of plugging unknown drives into critical systems protects against this and many similar threats. When handling cryptocurrency, using dedicated machines without unnecessary peripherals reduces the attack surface considerably.

Microsoft’s findings demonstrate how older infection vectors maintain relevance even as attack surfaces evolve. USB remains a trusted medium for data transfer in many contexts, which attackers continue to abuse. The combination of physical media propagation with anonymous network protocols creates a particularly challenging threat profile that blends low-tech and high-tech elements.

Security teams now face the task of updating detection rules and educating users about risks they might consider outdated. The STONEDRIVE campaign serves as a reminder that threat actors study historical malware successes and adapt those techniques to current targets. Cryptocurrency users and the organizations supporting them must maintain vigilance across both digital and physical domains to protect valuable assets from compromise.

As blockchain technology sees wider adoption in traditional finance and supply chain applications, the incentive for sophisticated stealing operations only increases. The operators behind STONEDRIVE have shown patience in developing their tools and flexibility in choosing propagation methods. Their success depends partly on complacency among users who assume USB threats belong to computing history rather than present reality. Continued research and information sharing between security vendors and law enforcement will prove necessary to disrupt these campaigns before they cause widespread damage to the growing digital economy.
