USB Worm Spreads Cryptocurrency-Stealing Malware

Microsoft researchers have warned of a newly discovered Windows clipper, active since at least February 2026. The malware spreads via USB drives and is built to steal cryptocurrency: it monitors the clipboard, harvests seed phrases and private keys, swaps wallet addresses, and sends screenshots to its operators.

Researchers emphasize that the campaign stands out for its unusual architecture. Instead of a conventional installer and directly reachable command-and-control servers, the malware, dubbed CryptoBandits, deploys a portable Tor client on the victim's machine and talks to its command-and-control servers through .onion services. As a result, what would otherwise be a typical cryptostealer becomes a lightweight backdoor with remote code execution capability.

The attack begins with an ordinary flash drive on which the attackers have placed a malicious LNK file. If the user opens the shortcut, the worm is launched; it checks whether the system is already infected and then downloads additional components from a remote server.

The malware then searches the drive for documents in popular formats (DOC, XLSX, and PDF). Any files it finds are hidden, and shortcuts with the same names are created in their place. To the user everything looks familiar: they double-click the "document" and in fact launch the malware.

The worm also watches for newly connected USB drives and automatically copies itself to them, ensuring further spread. For persistence, it creates Windows Task Scheduler tasks.

The campaign's main payload is the clipper. Before starting, it checks the list of running processes and exits if it finds Task Manager. The malware uses Windows Script Host and ActiveX to interact with the system.



Once launched, the malware starts a renamed Tor client, registers the victim with the command-and-control server, and begins a continuous exchange of commands through a local SOCKS5 proxy. At the same time, it inspects the clipboard contents every half second.

Researchers have found that the clipper searches for:

  • 12- and 24-word BIP39 seed phrases;
  • Ethereum private keys;
  • WIF (Wallet Import Format) private keys;
  • Bitcoin legacy, P2SH, Bech32, and Taproot addresses, plus Ethereum, Tron, and Monero wallet addresses.
If the user copies a wallet address, the malware replaces it in the clipboard with an address controlled by the attackers. The substitute is chosen so that it visually resembles the original and does not arouse suspicion on a cursory inspection, for example when only the first and last few characters are compared.
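To make the matching concrete, here is an added example (not code from Microsoft's report or from the malware itself) of the same classification a clipper performs, written as a defensive clipboard-guard check: it recognises the formats listed above by shape only (regular expressions, no checksum verification; the seed-phrase test counts words rather than validating against the BIP39 wordlist, which is a deliberate simplification) and flags a pasted address that keeps the first and last characters of the one the user copied. All sample strings are constructed and are not real keys or addresses.

```python
import re

# Alphabets: Base58 drops 0, O, I and l; the bech32 data alphabet drops 1, b, i and o.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
BECH = r"[02-9ac-hj-np-z]"

# Shape-only patterns for the formats named in the report. Ordered so that the more
# specific shapes are tried first (a 64-hex private key must not fall through to
# the 40-hex Ethereum address rule). No checksums are verified here.
PATTERNS = [
    ("eth_private_key", re.compile(r"^(0x)?[0-9a-fA-F]{64}$")),
    ("wif_private_key", re.compile(rf"^[5KL]{B58}{{50,51}}$")),
    ("btc_taproot",     re.compile(rf"^bc1p{BECH}{{58}}$")),
    ("btc_bech32",      re.compile(rf"^bc1q{BECH}{{38,58}}$")),
    ("btc_p2sh",        re.compile(rf"^3{B58}{{25,34}}$")),
    ("btc_legacy",      re.compile(rf"^1{B58}{{25,34}}$")),
    ("eth_address",     re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("tron_address",    re.compile(rf"^T{B58}{{33}}$")),
    ("monero_address",  re.compile(rf"^[48]{B58}{{94}}$")),
]


def looks_like_seed_phrase(text: str) -> bool:
    """12 or 24 short lowercase words. Assumption: word shape only; the BIP39
    wordlist is not embedded, so this is a coarse screen, not validation."""
    words = text.strip().lower().split()
    return len(words) in (12, 24) and all(re.fullmatch(r"[a-z]{3,8}", w) for w in words)


def classify(text: str):
    """Return the secret/address type a clipper would recognise, or None."""
    s = text.strip()
    if looks_like_seed_phrase(s):
        return "bip39_seed_phrase"
    for name, rx in PATTERNS:
        if rx.match(s):
            return name
    return None


def common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def detect_swap(copied: str, pasted: str, min_edge: int = 4):
    """Compare what the user copied with what is now in the clipboard.

    Returns None when there is nothing to judge (not a crypto artefact, unchanged,
    or the new value is a different format). Otherwise reports how many leading and
    trailing characters the two share; a swap that keeps both edges intact is the
    look-alike substitution described in the report."""
    kind = classify(copied)
    if kind is None or pasted == copied or classify(pasted) != kind:
        return None
    prefix = common_prefix_len(copied, pasted)
    suffix = common_prefix_len(copied[::-1], pasted[::-1])
    return {
        "kind": kind,
        "shared_prefix": prefix,
        "shared_suffix": suffix,
        "lookalike": prefix >= min_edge and suffix >= min_edge,
    }


if __name__ == "__main__":
    # Constructed values, not real keys or addresses.
    user_copied = "1AbcDeFgHiJkMnPqRsTuVwXyZaBcDeFgHj"
    after_swap = "1AbcD" + "z" * 24 + "eFgHj"
    print(classify(user_copied), detect_swap(user_copied, after_swap))
```

The practical lesson is in `detect_swap`: a guard that only checks "is the clipboard still a Bitcoin address?" would pass the swap, because the attacker's address is a valid address of the same type. Comparing the full string against what was copied, and treating a matching head and tail as a signal rather than as reassurance, is what catches the technique.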



In addition, the malware takes five screenshots every 10 seconds and sends them to its operators over Tor using curl.

Experts note that CryptoBandits' most dangerous feature is remote code execution: if the command-and-control server returns an EVAL command, the malware downloads and executes JavaScript code supplied by the attackers.

Microsoft emphasizes that this threat is better detected by behavior than by signatures. Characteristic signs include wscript.exe and cscript.exe activity, unexpected launches of PowerShell, cmd.exe, and curl, connections to localhost:9050 (the default Tor SOCKS port), and Tor usage in general.
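As an added illustration of those behavioral indicators (example code written for this page, not a Microsoft detection and not tied to any specific product), the following runs three rules over a constructed, Sysmon-style event list: a script host spawning PowerShell, cmd.exe or curl; a process whose on-disk name differs from its PE OriginalFileName of tor.exe (the renamed Tor client; this assumes the binary carries such a version resource); and any process other than a genuine tor.exe connecting to 127.0.0.1:9050, which assumes no sanctioned Tor client is deployed on the monitored hosts. Hits are then correlated per process so that a PID matching more than one rule is raised in confidence. Field names and all events are constructed for the example.

```python
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "curl.exe"}
TOR_SOCKS = ("127.0.0.1", 9050)        # default Tor SOCKS listener
# Assumption: no sanctioned Tor client (Tor Browser etc.) on the monitored hosts,
# so anything but a genuine tor.exe talking to 9050 is worth a look.
ALLOWED_TOR_CLIENTS = {"tor.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Apply the behavioral indicators from the report to a list of events.
    Returns (rule, pid, detail) tuples."""
    findings = []
    for e in events:
        image = basename(e["image"])
        if e["type"] == "process_create":
            parent = basename(e["parent_image"])
            if parent in SCRIPT_HOSTS and image in SUSPICIOUS_CHILDREN:
                findings.append(("script_host_spawn", e["pid"], f"{parent} -> {image}"))
            # Renamed Tor: on-disk name differs from the PE's OriginalFileName
            # (assumes the Tor binary carries a version resource naming it tor.exe).
            if e.get("original_file_name", "").lower() == "tor.exe" and image != "tor.exe":
                findings.append(("renamed_tor", e["pid"], image))
        elif e["type"] == "network_connect":
            if (e["dst_ip"], e["dst_port"]) == TOR_SOCKS and image not in ALLOWED_TOR_CLIENTS:
                findings.append(("local_socks_9050", e["pid"], image))
    return findings


def correlate(findings):
    """Group hits per process; a PID matching two different rules is high confidence."""
    per_pid = defaultdict(set)
    for rule, pid, _ in findings:
        per_pid[pid].add(rule)
    return {pid: ("high" if len(rules) > 1 else "medium") for pid, rules in per_pid.items()}


# Constructed Sysmon-style events (not real telemetry): a shortcut launches wscript,
# which spawns curl and a renamed Tor binary; curl then talks to the local SOCKS port.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe", "original_file_name": "wscript.exe"},
    {"type": "process_create", "pid": 4188, "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe", "original_file_name": "curl.exe"},
    {"type": "process_create", "pid": 4210, "image": r"C:\Users\u\AppData\Roaming\updater.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe", "original_file_name": "tor.exe"},
    {"type": "network_connect", "pid": 4188, "image": r"C:\Windows\System32\curl.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
    {"type": "network_connect", "pid": 5000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print(correlate(hits))
```

On the sample data the curl process (PID 4188) is flagged twice, once for being spawned by wscript.exe and once for connecting to the local SOCKS port, and is therefore rated high; the renamed Tor binary is caught once on its OriginalFileName. The Firefox connection to a public HTTPS endpoint produces nothing, which is the point of keying on the parent process and the loopback 9050 destination rather than on curl or Tor alone.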