TL;DR
Microsoft discovered a USB worm active since February that hijacks clipboards to swap crypto wallet addresses and routes stolen data through a portable Tor client.
Microsoft Threat Intelligence has identified a new strain of self-propagating malware that spreads through USB drives, monitors the Windows clipboard for cryptocurrency wallet addresses and seed phrases, and routes all stolen data through a portable Tor client to evade detection. The campaign has been active since at least February 2026, according to Microsoft's analysis published this week.
The malware, which Microsoft detects as Trojan:Win32/CryptoBandits.A, works as a classic USB worm with a modern payload. When a user plugs in an infected drive, they see what appear to be their normal document files. The originals have been hidden and replaced by Windows shortcut (.lnk) files bearing the same names, which silently execute the malware when opened.
The .lnk files scan the drive for documents with .doc, .xlsx, and .pdf extensions, hide the originals, and create matching shortcut files in their place. The worm component also writes itself to any new USB drive connected to an infected machine, allowing it to spread further without any user action beyond opening what looks like a normal file.
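The decoy pattern described above (a hidden document plus a visible shortcut of the same name) is easy to check for on a removable drive. The following is an added example written for this page, not code from Microsoft's report; the folder listing is constructed, and the heuristic accepts both `report.doc.lnk` and `report.lnk` as a decoy for a hidden `report.doc`, since the page only says the shortcuts "bear the same names".

```python
"""Flag .lnk decoys that shadow hidden .doc/.xlsx/.pdf files on a drive.

Added example (not Microsoft's code). Targeted extensions come from the
article; the naming heuristic and sample listing are assumptions.
"""
import os
import stat
from dataclasses import dataclass

TARGET_EXTS = {".doc", ".xlsx", ".pdf"}   # extensions the worm replaces


@dataclass(frozen=True)
class Entry:
    name: str      # file name within the folder
    hidden: bool   # Windows "hidden" attribute set


def find_decoys(entries):
    """Return (shortcut_name, hidden_original) pairs matching the decoy pattern."""
    hidden_by_key = {}
    for e in entries:
        stem, ext = os.path.splitext(e.name)
        if e.hidden and ext.lower() in TARGET_EXTS:
            hidden_by_key[e.name.lower()] = e.name   # matches "report.doc.lnk"
            hidden_by_key[stem.lower()] = e.name     # matches "report.lnk"
    decoys = []
    for e in entries:
        if e.hidden:
            continue
        base, ext = os.path.splitext(e.name)
        if ext.lower() != ".lnk":
            continue
        original = hidden_by_key.get(base.lower())
        if original is not None:
            decoys.append((e.name, original))
    return decoys


def scan_folder(path):
    """Read a real folder; the hidden attribute is only populated on Windows."""
    entries = []
    for name in os.listdir(path):
        st = os.stat(os.path.join(path, name))
        attrs = getattr(st, "st_file_attributes", 0)
        entries.append(Entry(name, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return find_decoys(entries)


# Constructed listing of a USB root after the worm has run (not real data).
SAMPLE_LISTING = [
    Entry("budget.xlsx", hidden=True),
    Entry("budget.xlsx.lnk", hidden=False),   # decoy for budget.xlsx
    Entry("notes.pdf", hidden=True),
    Entry("notes.lnk", hidden=False),         # decoy for notes.pdf
    Entry("readme.txt", hidden=False),
    Entry("photo.jpg.lnk", hidden=False),     # shortcut with no hidden twin: ignored
    Entry("old.doc", hidden=False),           # visible document: ignored
]

if __name__ == "__main__":
    for lnk, original in find_decoys(SAMPLE_LISTING):
        print(f"decoy {lnk!r} shadows hidden {original!r}")
```

A shortcut that shadows a hidden document is the signal here; a visible document with no twin, or a stray shortcut, is not flagged. On a live drive `scan_folder` only sees the hidden attribute on Windows, so run it there rather than from a Linux mount.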
Once running on a system, the malware deploys a portable Tor client renamed ugate.exe and configures a SOCKS5 proxy on localhost port 9050. All command-and-control traffic then routes through Tor's .onion network, making it significantly harder for corporate firewalls and security tools to intercept or trace the communications. The C2 infrastructure uses three endpoint paths: /route.php for check-ins, /recvf.php for uploading stolen files, and /stub.php for downloading additional payloads.
Clipboard monitoring is the malware's primary theft mechanism. It checks the Windows clipboard roughly every 500 milliseconds, looking for patterns that match cryptocurrency wallet addresses or recovery phrases. When it detects a match, it silently replaces the copied address with one controlled by the attacker, so the victim unknowingly sends funds to the wrong wallet.
The malware targets six cryptocurrencies across multiple address formats. For Bitcoin, it recognises legacy addresses starting with "1", Pay-to-Script-Hash addresses starting with "3", native SegWit addresses starting with "bc1q", and Taproot addresses starting with "bc1p". It also targets Tron addresses beginning with "T" and Monero addresses beginning with "4" or "8". Clipboard hijacking for cryptocurrency theft is not limited to Windows: Android trojans such as Rokarolla use the same technique to redirect crypto funds on mobile devices.
Beyond wallet addresses, the malware scans clipboard content for BIP39 seed phrases, the 12- or 24-word recovery keys that grant full access to a cryptocurrency wallet. It also extracts Ethereum private keys and Bitcoin Wallet Import Format (WIF) keys. Capturing a seed phrase or private key gives attackers full control over the associated wallet, not just the ability to redirect a single transaction.
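From the user's side, the swap described above leaves one observable trace: the address that lands in the clipboard is a valid-looking address of the same family, but not the one that was copied. The following added example (not code from Microsoft's report) classifies a string against the address families the article lists and flags a paste whose address no longer matches what was copied; the length bounds, character-set rules and all sample addresses are constructed for the demonstration and are not real wallets.

```python
"""Classify wallet-address strings and detect a copy/paste mismatch.

Added example (not Microsoft's code). Prefixes follow the article; length
bounds and charsets are my approximations of the usual encodings.
"""
import re

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"     # no 0, O, I, l
BECH32 = r"[02-9ac-hj-np-z]"         # no 1, b, i, o

# Address families named in the write-up, keyed by a short label.
ADDRESS_PATTERNS = {
    "btc-legacy-p2pkh": re.compile(rf"^1{BASE58}{{25,34}}$"),
    "btc-p2sh":         re.compile(rf"^3{BASE58}{{25,34}}$"),
    "btc-segwit-v0":    re.compile(rf"^bc1q{BECH32}{{38,58}}$"),
    "btc-taproot":      re.compile(rf"^bc1p{BECH32}{{58}}$"),
    "tron":             re.compile(rf"^T{BASE58}{{33}}$"),
    "monero":           re.compile(rf"^[48]{BASE58}{{94}}$"),
}


def classify_address(text):
    """Return the family label for a clipboard string, or None if it is not an address."""
    s = text.strip()
    for label, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return label
    return None


def detect_swap(copied, pasted):
    """True when both strings are wallet addresses but the pasted one differs.

    `copied` is what the user put on the clipboard (e.g. captured by a
    clipboard-history tool); `pasted` is what the clipboard holds at paste time.
    """
    if classify_address(copied) is None or classify_address(pasted) is None:
        return False
    return copied.strip() != pasted.strip()


def audit_paste(copied, pasted):
    """Human-readable verdict for a single copy/paste pair."""
    if detect_swap(copied, pasted):
        return (f"ALERT: {classify_address(copied)} address changed between "
                f"copy and paste ({copied[:8]}... -> {pasted[:8]}...)")
    return "ok"


# Constructed sample values; none of these are real wallet addresses.
COPIED_LEGACY = "1ConstructedDemoAddrNotUsed"
SWAPPED_LEGACY = "1AttackerDemoAddrConstructedXYZ"
SAMPLE_SEGWIT = "bc1qqpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9"
SAMPLE_TRON = "TConstructedTronDemoAddrNotRea1xyz"

if __name__ == "__main__":
    print(audit_paste(COPIED_LEGACY, COPIED_LEGACY))    # ok
    print(audit_paste(COPIED_LEGACY, SWAPPED_LEGACY))   # ALERT ...
    print(classify_address(SAMPLE_SEGWIT), classify_address(SAMPLE_TRON))
```

The check is deliberately format-agnostic: any difference between two address-shaped strings is reported, because a hijacker that swaps a legacy address for a SegWit one is just as damaging. It catches the swap only if the value the user actually copied was recorded independently of the clipboard, which is why the comparison belongs in a clipboard-history or wallet-paste validator rather than in the clipboard itself.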
The malware includes a surveillance module that captures five screenshots over a ten-second interval and packages them for upload to the C2 server. This gives the operators a visual record of what the victim was doing at the time of infection, potentially revealing additional credentials, open browser tabs, or financial dashboards.
A command called EVAL allows the C2 operators to push and execute arbitrary code on infected machines, turning the cryptocurrency stealer into a general-purpose remote access tool. Microsoft notes this capability means the threat actors can adapt the malware's behaviour after deployment without needing to reinfect the target.
The malware employs several layers of evasion. The initial installer is a Python-based executable obfuscated with PyArmor and packaged with PyInstaller, making static analysis difficult. The JavaScript payloads dropped to C:\Users\Public\Documents use a separate dual-layer obfuscation scheme.
As an anti-analysis measure, the malware checks whether Task Manager is running and exits if it detects the process, a basic but effective way to frustrate casual investigation.
The use of Tor for C2 communications reflects a broader shift in malware infrastructure towards anonymisation networks that resist takedown efforts. Traditional malware that relies on fixed domains or IP addresses can be disrupted when defenders seize those assets. Tor-based C2 channels are significantly harder to shut down because .onion addresses are not tied to any registrar or hosting provider that can be compelled to act.
Microsoft recommends several mitigations, starting with disabling AutoRun and AutoPlay to prevent automatic execution when USB drives are connected. Group Policy can be configured to block .lnk files from running on removable media, and restricting wscript.exe and cscript.exe via application control policies prevents the JavaScript-based payloads from executing.
Network monitoring for connections to localhost port 9050 can flag machines where the portable Tor client has been installed.
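The three host-level observables the article gives (script hosts launching payloads from C:\Users\Public\Documents, a process named ugate.exe, and a connection to 127.0.0.1:9050) can be turned into simple hunting rules. The following added example (not one of Microsoft's published KQL queries) runs those rules over a constructed, key=value style telemetry log; the log format, host names, timestamps and file names other than ugate.exe and the Public\Documents path are assumptions made for the demonstration.

```python
"""Hunt for CryptoBandits-style host indicators in process and network telemetry.

Added example (not Microsoft's code). Indicators come from the article;
the log format and sample events are constructed for the demonstration.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PUBLIC_DOCS = r"c:\users\public\documents"     # drop location named in the report
RENAMED_TOR = "ugate.exe"                       # portable Tor client name from the report
TOR_SOCKS_PORT = "9050"

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse 'ts key=value key="quoted value" ...' into a dict (timestamp under 'ts')."""
    event = {"ts": line.split(" ", 1)[0]}
    for m in _KV.finditer(line):
        event[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return event


def evaluate(event):
    """Return the list of rule names an event triggers."""
    hits = []
    image = event.get("image", "")
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("cmdline", "").lower()
    if event.get("type") == "process":
        if exe in SCRIPT_HOSTS and PUBLIC_DOCS in cmdline:
            hits.append("script-host-from-public-documents")
        if exe == RENAMED_TOR:
            hits.append("renamed-tor-client")
    elif event.get("type") == "network":
        if event.get("dst") in ("127.0.0.1", "::1") and event.get("dport") == TOR_SOCKS_PORT:
            hits.append("localhost-socks-9050")
    return hits


def hunt(log_text):
    """Return (host, rule, image) triples for every triggered rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for rule in evaluate(event):
            findings.append((event.get("host", "?"), rule, event.get("image", "")))
    return findings


# Constructed telemetry: one infected workstation (WS-17) and one clean one (WS-22).
SAMPLE_LOG = r"""
2026-03-02T09:14:05Z host=WS-17 type=process image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\Users\Public\Documents\update.js"
2026-03-02T09:14:06Z host=WS-17 type=process image=C:\Users\Public\Documents\ugate.exe cmdline="ugate.exe"
2026-03-02T09:14:09Z host=WS-17 type=network image=C:\Users\Public\Documents\updater.exe dst=127.0.0.1 dport=9050 proto=tcp
2026-03-02T09:20:11Z host=WS-22 type=process image=C:\Windows\System32\cscript.exe cmdline="cscript.exe C:\Scripts\inventory.vbs"
2026-03-02T09:21:30Z host=WS-22 type=network image=C:\Program Files\Mozilla Firefox\firefox.exe dst=93.184.216.34 dport=443 proto=tcp
"""

if __name__ == "__main__":
    for host, rule, image in hunt(SAMPLE_LOG):
        print(f"{host}: {rule} <- {image}")
```

The script-host rule keys on the drop path rather than on wscript.exe alone, so legitimate logon scripts (the WS-22 cscript event) stay quiet. A lone localhost:9050 hit still needs triage, because a user-installed Tor daemon listens on the same port; the rule earns its weight when it fires on the same host as one of the other two.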
USB-borne malware had largely fallen out of the security spotlight as cloud storage and collaboration tools reduced reliance on physical drives. But supply chain and trust-exploitation attacks remain effective precisely because they target behaviours users consider routine, whether that is plugging in a USB drive or installing a package from a familiar repository.
Microsoft published SHA-256 indicators of compromise, MITRE ATT&CK technique mappings, and KQL hunting queries in its blog post to help security teams detect existing infections. The company says Microsoft Defender detects the malware family, and its Defender Experts team assisted in the investigation. Microsoft did not attribute the campaign to a specific threat actor or estimate the number of infections.