Microsoft Reveals USB Malware Threat to Crypto Wallet Owners


TL;DR:

  • Microsoft identified crypto clipper malware that spreads through infected USB drives and steals private keys from wallets.
  • The trojan, classified as Trojan:Win32/CryptoBandits, monitors the Windows clipboard every 500 milliseconds to capture seed phrases and private keys.
  • When it detects a transfer, the worm silently replaces the destination address with one controlled by the attacker, leaving no visible trace.

Malware identified by Microsoft spreads through infected USB drives and targets the cryptocurrency wallets of users running Windows. According to a post published by the company, the campaign has been active since February 2026 and is detected by Microsoft Defender Antivirus under the classification Trojan:Win32/CryptoBandits.

The mechanism is sequential and silent. The entry vector is a USB drive containing a malicious shortcut file with a .lnk extension. When the user connects the device and clicks on that file, a worm is installed on the machine. From that point, the code operates on two fronts simultaneously: it continuously executes the wallet-stealing component and waits for a clean USB drive to be connected to the same machine in order to replicate itself.


Screenshots and Information Replacement

The stealing component polls the Windows clipboard, the temporary memory space used in copy-and-paste operations, every 500 milliseconds. If the user copies a seed phrase or a private key from a Bitcoin or Ethereum wallet, the malware captures that information and sends it to the attacker's server over the Tor network, which provides anonymous communication. It also takes five screenshots ten seconds apart and transmits them alongside the stolen data.

The problem does not end there. If the user copies a recipient address to send funds, the worm silently replaces it with an address controlled by the attacker before the paste is completed. The transfer is redirected without any visible indication to the user.


Microsoft Recommends Security Measures

The propagation occurs when a clean USB drive is connected to the compromised machine. The worm scans the files on the device, including Word documents, Excel spreadsheets and PDFs, replaces them with shortcut files bearing the same names, and infects that new drive to continue the cycle.
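The document-to-shortcut swap described above leaves a recognisable footprint on a drive. As an added illustration, not code from Microsoft's post, here is a small Python triage script a responder could run against a suspect USB drive; the directory listing under `__main__` is constructed, and the document-extension set is an assumption built from the file types the article names.

```python
import os
from pathlib import Path

# Document types the article says the worm swaps for shortcuts (assumed set; extend as needed).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}


def find_masquerading_shortcuts(names):
    """Flag .lnk files in one directory listing that pose as documents.

    Two patterns are caught:
      1. Double extension: 'Budget.xlsx.lnk' (Explorer always hides '.lnk',
         so the user sees 'Budget.xlsx').
      2. Same stem as a document still present in the listing: 'Report.lnk'
         beside a (typically hidden) 'Report.docx'.
    A plain shortcut with no document twin is left alone.
    """
    lower = [n.lower() for n in names]
    document_stems = {
        Path(n).stem for n in lower if Path(n).suffix in DOCUMENT_EXTENSIONS
    }
    hits = []
    for name, low in zip(names, lower):
        if not low.endswith(".lnk"):
            continue
        stem = Path(low).stem  # strips only the trailing .lnk
        if Path(stem).suffix in DOCUMENT_EXTENSIONS or stem in document_stems:
            hits.append(name)
    return hits


def scan_removable_drive(root):
    """Walk a mounted drive (e.g. 'E:\\' or '/media/usb') and return hits per directory."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        hits = find_masquerading_shortcuts(filenames)
        if hits:
            findings[dirpath] = hits
    return findings


if __name__ == "__main__":
    # Constructed listing standing in for os.listdir() on a suspect drive.
    sample = ["Budget.xlsx.lnk", "Report.docx", "Report.lnk", "readme.txt", "Tools.lnk"]
    print(find_masquerading_shortcuts(sample))
```

A non-empty result is a reason to pull the drive offline and collect the shortcut files for analysis rather than opening anything on it.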

Microsoft recommended disabling AutoRun for removable media, blocking the execution of .lnk files from USB drives through Group Policy, and restricting script hosts such as wscript.exe and cscript.exe. The company also published a list of indicators of compromise, including file hashes and .onion domains used as command-and-control servers.
