Microsoft’s Crypto Clipper Exposes Hidden Dangers of USB Drives and Tor in Cryptocurrency Theft

Microsoft uncovered a sophisticated crypto clipper malware spreading via infected USB drives since February 2026. The threat hijacks clipboard addresses for Bitcoin, Tron and Monero, steals seed phrases and private keys, and routes data through portable Tor while enabling remote code execution. Defenders must prioritize behavioral detection and USB controls to limit damage.
Microsoft’s Crypto Clipper Exposes Hidden Dangers of USB Drives and Tor in Cryptocurrency Theft
Written by Victoria Mossi

Security teams at Microsoft spotted something unusual earlier this year. A piece of malware had been quietly operating since February 2026. It spread through ordinary USB drives. It stole cryptocurrency wallet details. And it hid its tracks using the Tor network.

The discovery came from the company’s Threat Intelligence group and Defender Experts. They tracked the threat, labeled Trojan:Win32/CryptoBandits.A. Details appeared in a technical report published June 17. Microsoft Security Blog laid out the full chain.

Attackers relied on a simple but effective trick. They loaded malicious .lnk shortcut files onto removable drives. Victims saw what looked like their familiar documents. Word files. Spreadsheets. PDFs. The originals sat hidden. The shortcuts carried the malware.

Click one. The worm component activated. It scanned the drive for common document types. It concealed the real files. Then it generated new shortcuts with identical names. Each pointed back to the payload. The process repeated on any fresh USB stick plugged into an infected machine. Self-propagation without much user effort. Classic worm behavior updated for today’s targets.

Once inside, the malware dropped two main pieces. One kept the spread alive. The other focused on theft. The stealer part turned to the clipboard. It checked contents every 500 milliseconds. Patterns matching cryptocurrency addresses triggered replacement. The copied string swapped for one controlled by the attackers. Funds sent to the wrong place. Victims rarely noticed until too late.

Six cryptocurrencies fell in its sights. Bitcoin addresses in legacy format starting with 1. Pay-to-Script-Hash versions beginning with 3. Bech32 and Taproot strings prefixed bc1q or bc1p. Tron addresses opening with T. Monero strings starting with 4 or 8. The malware matched length and characters. It substituted cleverly. First two characters for some. Last character for others. Monero got a single fixed address.

But address swapping represented only part of the threat. The code hunted for more. BIP39 seed phrases. Those memorable 12- or 24-word sequences that unlock entire wallets. Ethereum private keys. Bitcoin Wallet Import Format strings. Capture any of those and control passed completely to the operators. One paste. Total loss.

Surveillance ran in parallel. The malware grabbed five screenshots across a 10-second window. It bundled them. Sent them back. Operators could see exactly what sat on the victim’s screen. Open wallets. Browser tabs. Balances. Context for further attacks.

Communication stayed hidden. The malware unpacked a portable Tor client. Renamed ugate.exe. It fired up a local SOCKS5 proxy on port 9050. All traffic routed through .onion hidden services. Three paths handled the load. One for check-ins. One for file uploads. One for fresh payloads. No obvious domains. No easy IP blocks. Firewalls saw little.

Command and control went further. A special response labeled EVAL arrived from the server. It carried arbitrary JScript. The malware executed it on the spot. What began as a financial stealer evolved into a lightweight backdoor. Persistence through scheduled tasks. Folders excluded from antivirus scans. The threat adapted after infection.

Evasion tactics layered on top. The initial dropper came as a Python executable wrapped in PyArmor and PyInstaller. Hard to reverse. JavaScript payloads used dual obfuscation. One check proved especially simple yet effective. The code queried for Task Manager. If running, it exited. Casual investigators hit a wall.

Microsoft published indicators to help defenders. Specific SHA-256 hashes. MITRE ATT&CK mappings covering execution, persistence, defense evasion, collection and command and control. KQL queries for hunting in Sentinel or Defender. The company stressed behavioral signals over static files.

“The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 server,” the Microsoft Defender Security Research Team wrote. “It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution.”

They added another observation. “The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure. Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.”

Reports quickly followed the disclosure. The Hacker News highlighted the worm-like spread and Tor choice. Ars Technica called it a self-propagating threat aimed squarely at crypto credentials. Coverage on Crypto.news and AMBCrypto echoed the warnings about seed phrases and address hijacking. No single actor claimed credit. Infection numbers stayed undisclosed.

Yet the implications stretched beyond one campaign. USB malware had faded from headlines as cloud sharing grew dominant. This case showed physical media still carried risk. Especially in environments where staff plugged in drives from conferences, vendors or home machines. Trust in the familiar proved costly.

Defenders face a clear list of steps. Disable AutoRun and AutoPlay for removable media. Block .lnk files from executing on USB drives through Group Policy. Restrict wscript.exe and cscript.exe. Monitor connections to localhost port 9050. Watch for scripts spawning curl, PowerShell or unexpected children. Review clipboard activity and screen captures.

Application control policies help limit script abuse. Behavioral rules in endpoint tools catch the chains. Microsoft Defender already detects the family. Still, organizations running older systems or relaxed USB policies sit exposed.

The campaign reveals how threat actors mix old and new. USB worms date back decades. Clipboard hijacking appeared in early crypto malware. Tor for command and control adds anonymity that challenges disruption. Remote code execution turns theft into ongoing access. Together they create a persistent, hard-to-trace danger for anyone handling digital assets.

Users hold some responsibility too. Paste an address? Verify every character on screen before sending. Never trust a copied string alone. Avoid unknown drives. Double-check sources. Simple habits still matter when technology fails to catch every variant.

Security teams should hunt proactively. Look for scheduled tasks tied to public user folders. Scan for ugate.exe or similar renamed binaries. Query for SOCKS5 proxy usage on unexpected ports. Connect script execution with network beacons and clipboard hooks. Those signals surface the threat before losses mount.

And the timing feels pointed. Cryptocurrency adoption continues to expand. More individuals and firms move funds through wallets daily. Seed phrases and private keys represent high-value targets. Attackers follow the money. This malware shows they follow it to the clipboard, the USB port and the anonymized web.

Microsoft’s analysis offers a blueprint. Detailed enough for hunters. Practical enough for policy changes. It improves on earlier coverage by mapping exact address replacement logic, screenshot cadence, EVAL command handling and full MITRE coverage. Later reports from The Hacker News and others built on that foundation but added little new technical depth.

One fact stands out. The threat remains active. February start date suggests months of undetected operation before discovery. How many wallets emptied in silence? Unknown. But the mechanisms now sit in public view. Defenders have the tools. The question becomes whether they act before the next variant appears.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us