Key Takeaways
- A sophisticated malware dubbed “crypto clipper” has been spreading via compromised USB devices since February 2026, according to Microsoft
- The threat, classified as Trojan:Win32/CryptoBandits, scans the Windows clipboard approximately every 500 milliseconds for cryptocurrency data
- Attackers receive stolen wallet seed phrases and private keys through encrypted Tor network connections
- The malware performs address substitution attacks, replacing legitimate wallet addresses with attacker-controlled ones during copy-paste operations
- Protection measures include disabling AutoRun functionality for removable storage devices and implementing .lnk file execution blocks on USB media
Security researchers at Microsoft have uncovered a dangerous malware strain that propagates through USB storage devices, specifically designed to compromise cryptocurrency wallets on Windows systems. The campaign has been ongoing since February 2026.
Microsoft’s security team has designated this threat as a “crypto clipper,” with their Defender Antivirus platform identifying it as Trojan:Win32/CryptoBandits. The comprehensive analysis was shared in an official company blog post earlier this week.
The infection sequence initiates when users connect a compromised USB device to their system. These infected drives harbor malicious shortcut files with “.lnk” extensions. User interaction with these shortcuts triggers the installation of a self-propagating worm.
Following successful deployment, the worm executes parallel operations. It immediately begins harvesting cryptocurrency wallet information while simultaneously monitoring for additional uninfected USB drives to continue its propagation cycle.
Understanding the Clipboard Hijacking Mechanism
The malicious software continuously monitors the Windows clipboard at intervals of approximately 500 milliseconds. The clipboard serves as temporary storage for data during copy-paste operations.
When users copy sensitive information such as cryptocurrency wallet seed phrases or private keys for Bitcoin or Ethereum wallets, the malware instantly captures this data. This stolen information is transmitted to attacker-controlled servers via the Tor anonymization network, concealing the ultimate destination.
Additionally, the malware captures five sequential screenshots at ten-second intervals, forwarding these visual records to the threat actors.
The threat extends beyond simple data theft. During fund transfer operations, when users copy a recipient wallet address, the worm executes a sophisticated substitution attack, replacing the legitimate address with one belonging to the attackers. Victims unknowingly paste and approve transfers to attacker-controlled wallets instead of their intended recipients.
Propagation Methods and Defense Strategies
When an uninfected USB drive connects to a compromised system, the worm executes its propagation routine rapidly. It identifies common file types including Word documents, Excel spreadsheets, and PDF files. The malware replaces these legitimate files with malicious shortcut files bearing identical names. This infected storage device then becomes a vector for spreading the malware to subsequent systems.
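The replacement-with-shortcuts behaviour described above gives defenders a cheap audit: shortcuts have no business sitting next to documents on a data drive, and a `.lnk` whose name still ends in `.docx`, `.xlsx` or `.pdf` is the disguised-document pattern the article describes. The script below is an added example, not code from Microsoft or from the report; the two heuristics it applies and the constructed sample directory are assumptions of this example.

```python
import tempfile
from pathlib import Path

# Document types the article says the worm replaces with shortcuts.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}


def audit_removable_drive(root):
    """Return a list of (path, reason) findings for shortcut files under root.

    Both heuristics are assumptions of this example, not published detection logic:
      * a .lnk whose stem still carries a document extension ("memo.docx.lnk")
        is treated as a shortcut disguised as a document (high confidence);
      * any other .lnk on removable media is flagged for review, since
        shortcuts rarely belong on a data drive.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".lnk":
            continue
        inner_ext = Path(path.stem).suffix.lower()   # ".docx" for "memo.docx.lnk"
        if inner_ext in DOCUMENT_EXTENSIONS:
            findings.append((str(path), f"shortcut disguised as {inner_ext} document"))
        else:
            findings.append((str(path), "unexpected shortcut on removable media"))
    return findings


def build_sample_drive():
    """Create a constructed directory tree imitating an infected drive root."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    for name in ["budget.xlsx.lnk", "memo.docx.lnk", "invoice.pdf.lnk",
                 "photos.lnk", "notes.txt", "real.pdf"]:
        (Path(root) / name).write_bytes(b"")   # empty placeholders, content is irrelevant
    return root


if __name__ == "__main__":
    # Point audit_removable_drive at a real mount point (e.g. "E:\\") in practice.
    for path, reason in audit_removable_drive(build_sample_drive()):
        print(f"{reason}: {path}")
```

Run it against a mounted drive letter instead of the sample tree; a drive where every document has acquired a `.lnk` twin is the signature to look for, and the flagged shortcuts should be examined on an isolated machine rather than opened.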
Microsoft has issued specific guidance for mitigating this threat. Organizations and users should implement AutoRun disabling for removable storage media and establish group policy rules blocking .lnk file execution from USB devices.
Additional protective measures include restricting access to script execution environments such as wscript.exe and cscript.exe. Organizations utilizing Microsoft Defender can deploy specialized hunting queries to detect suspicious activity, particularly connections attempting to reach local Tor proxy services operating on port 9050.
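The hunting idea above, connections from ordinary processes to the local Tor SOCKS port, can be checked against exported network telemetry before anyone writes a production query. What follows is an added example, not Microsoft's hunting query or any project's code: it runs over constructed, CSV-shaped connection records (the column names are assumptions of this example) and reports every process on every device that talked to loopback port 9050, rating the script hosts the article mentions as higher severity.

```python
import csv
import io
from collections import Counter

TOR_SOCKS_PORT = 9050                      # local Tor proxy port named in the guidance
LOOPBACK = {"127.0.0.1", "::1"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # interpreters the guidance says to restrict

# Constructed sample telemetry; the schema is an assumption of this example.
SAMPLE_LOG = """\
timestamp,device,process,pid,remote_ip,remote_port
2026-03-02T09:14:01Z,WS-17,chrome.exe,4412,142.250.72.14,443
2026-03-02T09:14:03Z,WS-17,wscript.exe,5120,127.0.0.1,9050
2026-03-02T09:14:03Z,WS-17,wscript.exe,5120,127.0.0.1,9050
2026-03-02T09:14:09Z,WS-17,outlook.exe,2208,52.96.88.1,443
2026-03-02T09:14:15Z,WS-22,svchost.exe,880,127.0.0.1,9050
2026-03-02T09:14:20Z,WS-17,python.exe,6001,127.0.0.1,8080
"""


def find_tor_proxy_clients(log_text, allowlist=()):
    """Return findings for processes connecting to the local Tor SOCKS port.

    Each finding is a dict with device, process, pid, connection count and a
    severity: "high" for script hosts, "medium" for anything else. Processes
    named in allowlist (lower-case) are skipped so a sanctioned Tor client can
    be excluded without hiding everything else.
    """
    hits = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["remote_ip"] not in LOOPBACK or int(row["remote_port"]) != TOR_SOCKS_PORT:
            continue
        process = row["process"].lower()
        if process in allowlist:
            continue
        hits[(row["device"], process, int(row["pid"]))] += 1

    findings = []
    for (device, process, pid), count in sorted(hits.items()):
        findings.append({
            "device": device,
            "process": process,
            "pid": pid,
            "connections": count,
            "severity": "high" if process in SCRIPT_HOSTS else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_tor_proxy_clients(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['device']} {f['process']} (pid {f['pid']}) "
              f"-> 127.0.0.1:{TOR_SOCKS_PORT} x{f['connections']}")
```

A loopback connection to 9050 only means something is using a local SOCKS proxy, so the allowlist exists for hosts where Tor is legitimately installed; the combination of a script host, a recently attached USB device and this connection is what should page an analyst.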
Microsoft has released a comprehensive list of compromise indicators. This includes cryptographic file hashes and .onion domain addresses functioning as command-and-control infrastructure, enabling security professionals to audit their network environments.
Cryptocurrency exchange Binance also raised awareness about this threat, distributing Microsoft’s security advisory to its user base. Cybersecurity firm NS3.AI has verified that users have fallen victim to this malware campaign since February 2026.