Microsoft finds USB worm that steals cryptocurrency through clipboard hijacking and Tor

TL;DR

Microsoft found a USB worm active since February that hijacks clipboards to swap crypto wallet addresses and routes stolen data through a portable Tor client.

Microsoft Threat Intelligence has identified a new strain of self-propagating malware that spreads through USB drives, monitors the Windows clipboard for cryptocurrency wallet addresses and seed phrases, and routes all stolen data through a portable Tor client to avoid detection. The campaign has been active since at least February 2026, according to Microsoft's analysis published this week.

The malware, which Microsoft detects as Trojan:Win32/CryptoBandits.A, works as a classic USB worm with a modern payload. When a user plugs in an infected drive, they see what appear to be their usual document files. The originals have been hidden, replaced by Windows shortcut (.lnk) files bearing the same names that silently execute the malware when opened.

Once launched, the worm scans the drive for documents with .doc, .xlsx, and .pdf extensions, hides the originals, and creates matching shortcut files in their place. It also writes itself to any new USB drive connected to an infected machine, allowing it to spread further with no user action beyond opening what looks like a normal file.


Once running on a system, the malware deploys a portable Tor client renamed ugate.exe and configures a SOCKS5 proxy on localhost port 9050. All command-and-control traffic then routes through Tor to a .onion service, so the C2 host has no domain name or IP address that a corporate firewall can block or a defender can trace, and the only thing leaving the machine is an encrypted Tor circuit. The Tor connection itself is still visible on the wire, so networks that block known relays or flag Tor handshakes retain some leverage. The C2 infrastructure uses three endpoint paths: /route.php for check-ins, /recvf.php for uploading stolen files, and /stub.php for downloading additional payloads.

The clipboard monitoring is the malware's primary theft mechanism. It checks the Windows clipboard approximately every 500 milliseconds, looking for patterns that match cryptocurrency wallet addresses or recovery phrases. When it detects a match, it silently replaces the copied address with one controlled by the attacker, so the victim unknowingly sends funds to the wrong wallet.

The malware targets six cryptocurrencies across multiple address formats. Among the formats the report describes: for Bitcoin, it recognises legacy addresses starting with “1,” Pay-to-Script-Hash addresses starting with “3,” native SegWit addresses starting with “bc1q,” and Taproot addresses starting with “bc1p.” It also targets Tron addresses beginning with “T” and Monero addresses beginning with “4” or “8.” Clipboard hijacking for cryptocurrency theft is not limited to Windows; Android trojans such as Rokarolla use the same technique to redirect crypto payments on mobile devices.

Beyond wallet addresses, the malware scans clipboard content for BIP39 seed phrases, the 12- or 24-word recovery keys that grant full access to a cryptocurrency wallet. It also extracts Ethereum private keys and Bitcoin Wallet Import Format (WIF) keys. Capturing a seed phrase or private key gives attackers complete control over the associated wallet, not just the ability to redirect a single transaction.
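As an added example (not code from Microsoft's report or from the malware itself), here is a defender-side Python sketch of the matching described above. It classifies clipboard text into the address and key formats the report lists, using the prefixes the article gives plus the standard lengths and alphabets of those encodings, which I am supplying, and then flags the hijack signature: one address replaced by a different address of the same type within a fraction of a second. The BIP39 check is a word-count and shape heuristic rather than a wordlist lookup, and every sample clipboard value is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not from the report. Prefixes follow the article; the
# lengths and alphabets are the standard encodings of each format.
B58 = r"[1-9A-HJ-NP-Za-km-z]"   # Base58: no 0, O, I, l
BECH = r"[02-9ac-hj-np-z]"      # bech32 data alphabet: no 1, b, i, o

PATTERNS = {
    "btc_legacy_p2pkh": re.compile(rf"^1{B58}{{25,34}}$"),
    "btc_p2sh": re.compile(rf"^3{B58}{{25,34}}$"),
    # P2WPKH is 42 chars, P2WSH 62 chars (both "bc1q" + data)
    "btc_segwit_v0": re.compile(rf"^bc1q(?:{BECH}{{38}}|{BECH}{{58}})$"),
    "btc_taproot": re.compile(rf"^bc1p{BECH}{{58}}$"),          # 62 chars
    "tron": re.compile(rf"^T{B58}{{33}}$"),                      # 34 chars
    # standard/subaddress 95 chars, integrated address 106 chars
    "monero": re.compile(rf"^[48](?:{B58}{{94}}|{B58}{{105}})$"),
    "eth_private_key": re.compile(r"^(?:0x)?[0-9a-fA-F]{64}$"),
    # WIF: uncompressed '5' + 50 chars, compressed 'K'/'L' + 51 chars
    "btc_wif_key": re.compile(rf"^(?:5{B58}{{50}}|[KL]{B58}{{51}})$"),
}
SEED_WORD = re.compile(r"[a-z]{3,8}")   # BIP39 words are 3..8 lowercase letters


def classify(text: str) -> Optional[str]:
    """Return the format name for a clipboard string, or None if it is not
    something a clipboard hijacker would act on."""
    s = text.strip()
    for name, rx in PATTERNS.items():
        if rx.match(s):
            return name
    words = s.lower().split()
    # Heuristic only: word count and shape, no wordlist/checksum validation.
    if len(words) in (12, 24) and all(SEED_WORD.fullmatch(w) for w in words):
        return "bip39_seed_phrase"
    return None


@dataclass
class ClipboardEvent:
    t: float    # seconds since monitoring started
    text: str   # clipboard contents observed at that time


def detect_swaps(events: List[ClipboardEvent], window: float = 1.0
                 ) -> List[Tuple[str, str, str, float]]:
    """Flag an address that is replaced by a *different* address of the same
    type within `window` seconds. Repeated reads of unchanged content and
    non-address content do not alert. Returns (before, after, kind, delta)."""
    alerts = []
    prev = None   # (kind, text, time) of the last address-like observation
    for ev in events:
        kind = classify(ev.text)
        if (prev is not None and kind is not None and kind == prev[0]
                and ev.text != prev[1] and ev.t - prev[2] <= window):
            alerts.append((prev[1], ev.text, kind, ev.t - prev[2]))
        prev = (kind, ev.text, ev.t) if kind is not None else None
    return alerts


def demo() -> List[Tuple[str, str, str, float]]:
    # Constructed timeline: the user copies the Bitcoin genesis address, and
    # 0.4 s later a different (made-up) legacy address is on the clipboard
    # without a second copy by the user.
    events = [
        ClipboardEvent(0.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
        ClipboardEvent(0.4, "1" + "A" * 33),
        ClipboardEvent(0.9, "1" + "A" * 33),   # poller re-reads same content
        ClipboardEvent(9.0, "meeting notes for thursday"),
    ]
    return detect_swaps(events)


if __name__ == "__main__":
    for before, after, kind, delta in demo():
        print(f"{kind}: {before} -> {after} after {delta:.1f}s")
```

On a live Windows host the observations would come from a clipboard-change notification rather than a fixed list, and timing is the weaker of two signals: the clipboard owner (the window, and so the process, that set the current content, available through GetClipboardOwner) tells you directly whether a wallet address was written by something other than the foreground application.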

The malware includes a surveillance module that captures five screenshots over a ten-second interval, packaging them for upload to the C2 server. This gives the operators a visual record of what the victim was doing at the time of infection, potentially revealing additional credentials, open browser tabs, or financial dashboards.

A command called EVAL allows the C2 operators to push and execute arbitrary code on infected machines, turning the cryptocurrency stealer into a general-purpose remote access tool. Microsoft notes this capability means the threat actors can adapt the malware's behaviour after deployment without needing to reinfect the target.

The malware employs multiple layers of evasion. The initial installer is a Python-based executable obfuscated with PyArmor and packaged with PyInstaller, making static analysis difficult. The JavaScript payloads dropped to C:\Users\Public\Documents use a separate dual-layer obfuscation scheme.

As an anti-analysis measure, the malware checks whether Task Manager is running and exits if it detects the process, a basic but effective way to frustrate casual investigation.

The use of Tor for C2 communications reflects a broader shift in malware infrastructure toward anonymisation networks that resist takedown efforts. Traditional malware that relies on fixed domains or IP addresses can be disrupted when defenders seize those assets. Tor-based C2 channels are substantially harder to shut down because the .onion addresses are not tied to any registrar or hosting provider that can be compelled to act.

Microsoft recommends several mitigations, starting with disabling AutoRun and AutoPlay so that nothing executes automatically when a USB drive is connected. Note that the infection chain described here relies on the victim opening a disguised .lnk file, so this closes a parallel path rather than the observed one. Group Policy can be configured to block .lnk files from running on removable media, and restricting wscript.exe and cscript.exe through application control policies prevents the JavaScript-based payloads from executing.

Monitoring for connections to localhost port 9050 can flag machines where the portable Tor client has been installed. Because loopback traffic never crosses a network sensor, that signal has to come from host telemetry (endpoint network-connection events from EDR or Sysmon) rather than from perimeter capture; on the network side, the counterpart to look for is a host holding long-lived encrypted sessions to Tor relays.
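The following is an added example, not code or queries from Microsoft's report: three host-side detection rules for the behaviours described above (the renamed Tor binary, script hosts launching payloads from C:\Users\Public\Documents, and loopback connections to port 9050), run over constructed telemetry shaped like Sysmon ProcessCreate (EventID 1) and NetworkConnect (EventID 3) records. The field names follow the Sysmon schema; every value, path and address in the sample events is made up for the example.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Added example, not from the report. Constructed endpoint telemetry shaped
# like Sysmon ProcessCreate (EventID 1) and NetworkConnect (EventID 3)
# records; field names follow the Sysmon schema, values are made up.
TOR_SOCKS_PORT = 9050
PUBLIC_DOCS = r"c:\users\public\documents"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOOPBACK = {"127.0.0.1", "::1"}

SAMPLE_EVENTS: List[Dict] = [
    # Portable Tor client renamed on disk; the PE version resource (which
    # Sysmon reports as OriginalFileName) still says tor.exe.
    {"EventID": 1, "Image": r"C:\Users\Public\Documents\ugate.exe",
     "OriginalFileName": "tor.exe",
     "CommandLine": r"C:\Users\Public\Documents\ugate.exe -f torrc",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    # Script host launching a payload out of the public Documents folder.
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\Public\Documents\loader.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # That script host talking to the local SOCKS port.
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 9050, "Initiated": "true"},
    # Benign browser activity that must not alert (constructed).
    {"EventID": 1, "Image": r"C:\Program Files\Browser\browser.exe",
     "OriginalFileName": "browser.exe", "CommandLine": "browser.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Initiated": "true"},
]


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def detect_tor_worm_activity(events: List[Dict]) -> List[Tuple[str, str]]:
    """Run three host-side rules over Sysmon-style events and return
    (rule_name, evidence) pairs in event order."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        name = image_name(ev["Image"])
        if ev["EventID"] == 1:
            # Rule 1: a Tor binary running under a different file name.
            if ev.get("OriginalFileName", "").lower() == "tor.exe" and name != "tor.exe":
                alerts.append(("renamed_tor_binary", ev["Image"]))
            # Rule 2: wscript/cscript handed a script from C:\Users\Public\Documents.
            if name in SCRIPT_HOSTS and PUBLIC_DOCS in ev.get("CommandLine", "").lower():
                alerts.append(("script_host_from_public_documents", ev["CommandLine"]))
        elif ev["EventID"] == 3:
            # Rule 3: any process using the Tor SOCKS port on loopback. This
            # exists only in host telemetry; loopback never reaches a tap.
            if (ev.get("DestinationIp") in LOOPBACK
                    and int(ev.get("DestinationPort", 0)) == TOR_SOCKS_PORT):
                alerts.append(("loopback_socks_9050", ev["Image"]))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect_tor_worm_activity(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Rule 1 survives the rename only because the Tor binary's version resource, which Sysmon surfaces as OriginalFileName, was left intact; an operator who strips it defeats the rule, so pair it with the SHA-256 indicators Microsoft published. Rule 3 fires on the client side of the SOCKS connection (here the script host), which is the process that actually carries the C2 traffic.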

USB-borne malware had largely fallen out of the security spotlight as cloud storage and collaboration tools reduced reliance on physical drives. But supply chain and trust-exploitation attacks remain effective precisely because they target behaviours users consider routine, whether that is plugging in a USB drive or installing a package from a familiar repository.

Microsoft published SHA-256 indicators of compromise, MITRE ATT&CK technique mappings, and KQL hunting queries in its blog post to help security teams detect existing infections. The company says Microsoft Defender detects the malware family, and its Defender Experts team assisted in the investigation. Microsoft did not attribute the campaign to a specific threat actor or estimate the number of infections.
