Microsoft has uncovered a dangerous new cryptocurrency stealing malware campaign that spreads through USB devices, hides its activity using the Tor network, and can even execute commands remotely on infected Windows systems.
Quick Summary – TLDR:
- Microsoft identified a new Windows based crypto clipper malware campaign active since February 2026.
- The malware spreads through infected USB drives using malicious shortcut files disguised as documents.
- It steals cryptocurrency seed phrases, private keys, wallet addresses, and screenshots from victims.
- Tor based communications and remote code execution capabilities make it more advanced than traditional crypto clippers.
What Happened?
Microsoft Threat Intelligence has revealed details of a sophisticated cryptocurrency malware campaign targeting Windows users. The threat, active since February 2026, combines a crypto clipper, information stealer, and USB worm into a single package that can spread between devices while secretly stealing sensitive cryptocurrency data.
Researchers found that the malware relies on the Tor anonymity network for communication with its operators, helping attackers hide their infrastructure while maintaining persistent access to infected machines.
ALERT: @Microsoft identifies USB-spreading malware that hijacks crypto transfers by silently swapping copied wallet addresses with attacker-controlled ones before you paste.
— CoinDesk (@CoinDesk) June 19, 2026
Disable AutoRun for USBs, block .lnk file execution, and always verify wallet addresses after pasting. pic.twitter.com/OQOGH0FKDW
How the Attack Begins?
According to Microsoft’s findings, infections start through malicious Windows shortcut files distributed on USB storage devices. These shortcut files appear to be legitimate documents, making them difficult for users to identify as malicious.
Once connected to a system, the malware scans USB drives for commonly used files such as Word documents, Excel spreadsheets, and PDF files. The original files are hidden and replaced with malicious shortcuts that use the same names. When a user clicks one of these files, the malware is executed instead of the expected document.
The attack deploys two separate components:
- A worm component responsible for spreading the malware to other removable drives.
- A crypto clipper and stealer component designed to collect and exfiltrate cryptocurrency related information.
Tor Helps Hide the Attack
One of the most notable aspects of this campaign is its use of a bundled Tor client. Instead of communicating with traditional internet based command servers, the malware launches a renamed Tor executable called ugate.exe and connects to hidden .onion services.
Traffic is routed through a local SOCKS5 proxy running on localhost:9050, making it harder for defenders to track the final destination of communications.
Microsoft noted that this approach allows attackers to conceal their infrastructure while giving the malware capabilities typically associated with more advanced threats.
Cryptocurrency Data in the Crosshairs
The clipper component continuously monitors clipboard activity approximately every 500 milliseconds. Researchers observed the malware searching for valuable cryptocurrency related information, including:
- BIP39 seed phrases.
- Ethereum private keys.
- Bitcoin Wallet Import Format keys.
- Cryptocurrency wallet addresses.
When such data is found, it is transmitted to attackers through Tor based communications.
The malware also captures screenshots of the victim’s system at regular intervals. These screenshots can provide attackers with additional insight into cryptocurrency wallets, balances, and user activity.
Wallet Address Hijacking
A major feature of the malware is wallet address substitution.
When a victim copies a cryptocurrency wallet address during a transaction, the malware silently replaces it with an attacker controlled address before it is pasted elsewhere. This tactic can redirect cryptocurrency payments without the victim noticing.
Microsoft found support for multiple cryptocurrency formats, including Bitcoin, Monero, and Tron. In many cases, replacement addresses are designed to resemble the original addresses by matching certain characters, reducing the chance that victims spot the change.
More Than a Crypto Clipper
Researchers said the malware goes beyond traditional crypto clipping operations.
The malware contains an EVAL command that allows operators to download and execute arbitrary JavaScript code from the command server. This effectively transforms the threat from a cryptocurrency stealer into a lightweight backdoor capable of running additional payloads on compromised devices.
The malware also uses several defense evasion techniques, including:
- Multi layer encryption and obfuscation.
- PyInstaller and PyArmor protection.
- Runtime payload decryption.
- Scheduled tasks for persistence.
- Antivirus exclusion creation.
- Task Manager detection to avoid analysis.
Microsoft’s Recommended Defenses
Microsoft advises organizations to focus on behavioral detection rather than relying solely on malware signatures.
Recommended measures include:
- Disable AutoRun and AutoPlay for removable media.
- Block shortcut file execution from USB drives where possible.
- Restrict unnecessary use of wscript.exe and cscript.exe.
- Monitor suspicious PowerShell screen capture activity.
- Investigate unusual curl.exe executions.
- Watch for Tor related traffic through localhost:9050.
- Review clipboard monitoring activity on sensitive systems.
SQ Magazine Takeaway
I think this campaign stands out because it combines several attack methods that are usually seen separately. It is not just a crypto stealer, and it is not just a USB worm. The addition of Tor-based communications and remote code execution gives attackers a much stronger foothold on compromised systems. For anyone handling cryptocurrency, this serves as another reminder that even something as simple as opening a file from a USB drive can lead to serious financial losses.
