Crypto World

Microsoft Warns of USB-Based “Crypto Clipper” Malware Spread

Microsoft Threat Intelligence has issued a warning to Windows users about a cryptocurrency clipper malware strain that spreads through USB drives and has been active since February. The attack is designed to harvest wallet credentials directly from users’ clipboard activity and then maintain control of infected machines through a persistent “worm-like” component.

In a security blog post published Wednesday, Microsoft described how the malware combines rapid clipboard theft with screenshot capture and wallet-address substitution—turning routine wallet copying into a monetization path for attackers. Microsoft also said the malware can propagate to removable media without relying on a traditional installer or exposed IP-based infrastructure, increasing the challenge of blocking it with conventional perimeter defenses.

Key takeaways

  • Microsoft says the crypto clipper has been affecting Windows users since February and spreads via USB devices.
  • The malware targets “high-value financial artifacts” copied to the clipboard, including BIP39 seed phrases and private keys.
  • It can replace copied wallet addresses with attacker-controlled ones across multiple blockchain ecosystems, including Bitcoin and Ethereum.
  • Microsoft reports it deploys Tor on the victim device and uses Tor-routed command-and-control to hide operator infrastructure.
  • Microsoft Defender Antivirus detects the threat as Trojan:Win32/CryptoBandits.A.

USB-based clipboard theft turns into credential exfiltration

At the core of the campaign is a tactic Microsoft described as “high-frequency clipboard theft” paired with screenshot exfiltration. According to Microsoft, once the malware runs on a Windows machine, it monitors clipboard contents to extract wallet credentials and then captures screenshots every ten seconds to provide additional context for the attackers.

More worrying for users is what Microsoft says the malware does beyond stealing information. Microsoft characterized the clipper as including a backdoor capability, enabling attackers to execute additional code on compromised hosts at a later time. That shifts the threat from “one-time theft” into a persistent foothold that can support follow-on attacks, including ransomware-style intrusions.

Microsoft also said the malware can disguise its presence by hiding legitimate files and replacing them with lookalike shortcuts. That design encourages victims to run the malicious components without realizing they’ve been tricked—especially when the infection is triggered via removable media.

Persistence and propagation via scheduled tasks and “worm” behavior

Microsoft’s analysis indicates the malware deploys two obfuscated JavaScript payloads in the Windows Documents directory. It then creates scheduled tasks for both the worm and stealer components—an approach that helps ensure the malicious routines continue running even after reboot.

The “worm component” is central to the propagation strategy. Microsoft said the malware automatically pushes itself to USB storage devices, allowing infections to spread when the victim connects the drive to other systems. This is why Microsoft’s warning focuses on removable media hygiene: an environment where USB devices are shared among multiple machines becomes a multiplier for infection risk.

Microsoft also noted that the malware’s execution does not depend on a traditional installer or exposed IP-based infrastructure. In practical terms, this can reduce defenders’ ability to rely on common download/installer telemetry and may make it harder to block by tracking known malicious endpoints.

Tor on the endpoint and wallet-address substitution

Microsoft reported that the malware secretly installs a copy of Tor on the victim’s computer and renames it to ugate.exe to look less suspicious. The malware then uses the anonymizing Tor network to reach hidden “onion” addresses operated by the attackers.

This Tor-routed approach matters because it makes command-and-control less dependent on a stable, easily enumerated host. Microsoft said the combination of Tor-routed C2, clipboard targeting, screenshot capture, and remote code execution gives attackers both immediate monetization paths and ongoing control of compromised devices.

On the monetization side, Microsoft said the clipper focuses on high-value financial artifacts from clipboard content, including BIP39 mnemonic seed phrases and Bitcoin and Ethereum private keys. Microsoft also described wallet-address substitution across multiple networks, replacing copied wallet addresses with attacker-controlled ones for Bitcoin, Tron, and Monero.

In addition to swapping addresses, the malware takes periodic screenshots, which can help attackers confirm what the user intended to send—even if the copied address has been altered. Microsoft also said that the malware collects this information to support the operators’ ability to act quickly once funds are ready to move.

What Microsoft recommends and how this fits a broader threat wave

Microsoft recommended several defensive measures aimed at breaking the infection chain. These include disabling autoplay on removable media, blocking .lnk execution from USB drives, and monitoring for proxy activity and spawned scripts—behaviors consistent with malware that uses scheduled tasks and anonymized communications.

Microsoft Defender Antivirus detects the threat as Trojan:Win32/CryptoBandits.A, which gives defenders a baseline for incident response and hunting on endpoints that show related artifacts.

The warning arrives amid a broader escalation in Windows-based crypto-stealing threats. Earlier this month, Foresiet Threat Intel identified a Windows malware strain called Lucid Stealer targeting browser extensions and crypto wallets. Taken together, the pattern suggests attackers are increasingly focusing on credential capture mechanisms that align with how users actually manage funds—through browser tools, wallet software, and copy/paste behavior that can be intercepted.

For users and security teams, the next step is to treat clipboard-handling threats as a high-risk category, not a niche one: watch for suspicious scheduled tasks, unexpected Tor-related processes renamed to masquerade filenames, and evidence of USB-driven propagation. With Microsoft stating the campaign has been active since February, organizations should also consider whether any infected removable media may still be in circulation and whether endpoint monitoring is catching the early stages—before clipboard theft and address substitution begin.
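The hunting advice above (scheduled tasks that launch JavaScript from Documents, a Tor binary renamed ugate.exe, script hosts started from removable drives, and local proxy traffic from scripts) expressed as rules run over sample endpoint events; this is an added example, not code from Microsoft's write-up or this article. The event shape, field names, sample paths and the SOCKS port list are assumptions, and the events are constructed.

```python
import re

# Indicators taken from the write-up above: ugate.exe, JavaScript payloads under
# Documents, scheduled tasks, .lnk lures on USB, Tor proxy traffic. Event field
# names, sample values and the SOCKS port list are assumptions for this example.
RENAMED_TOR = "ugate.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOCAL_PROXY_PORTS = {9050, 9150}          # assumed: Tor's default SOCKS ports
DOCUMENTS_JS = re.compile(r"\\documents\\[^\\\s\"]+\.js\b", re.IGNORECASE)
NON_SYSTEM_JS = re.compile(r"\b([D-Z]):\\[^\s\"]*\.js\b", re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return a finding for one event, or None when no rule matches."""
    kind = ev.get("type")
    if kind == "task":
        # Persistence: a scheduled task whose action runs a .js file from Documents
        action = ev["action"]
        if basename(action.split()[0]) in SCRIPT_HOSTS and DOCUMENTS_JS.search(action):
            return f"task {ev['name']!r} runs JavaScript from Documents"
    elif kind == "process":
        image = basename(ev["image"])
        if image == RENAMED_TOR:
            return f"{ev['image']} matches the renamed Tor binary name"
        m = NON_SYSTEM_JS.search(ev.get("cmdline", ""))
        if image in SCRIPT_HOSTS and m and basename(ev.get("parent", "")) == "explorer.exe":
            return f"script host run from drive {m.group(1).upper()}: (possible USB lure)"
    elif kind == "net":
        # A script host talking to a local SOCKS port is consistent with Tor-routed C2
        if (basename(ev["image"]) in SCRIPT_HOSTS and ev["dst_ip"].startswith("127.")
                and ev["dst_port"] in LOCAL_PROXY_PORTS):
            return f"{basename(ev['image'])} connects via local proxy port {ev['dst_port']}"
    return None

def hunt(events):
    return [f for f in (check_event(e) for e in events) if f]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"type": "task", "name": "Updater", "action": r"wscript.exe C:\Users\bob\Documents\a.js"},
    {"type": "task", "name": "Backup", "action": r"C:\Program Files\Backup\bak.exe --daily"},
    {"type": "process", "image": r"C:\Users\bob\AppData\Roaming\ugate.exe", "cmdline": "ugate.exe"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'wscript.exe "E:\Photos\._p.js"'},
    {"type": "net", "image": r"C:\Windows\System32\wscript.exe", "dst_ip": "127.0.0.1", "dst_port": 9050},
    {"type": "net", "image": r"C:\Program Files\Browser\browser.exe", "dst_ip": "203.0.113.5", "dst_port": 443},
]
```

Calling hunt(SAMPLE_EVENTS) returns four findings, one per page-stated behaviour, and none for the two benign events.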
