Microsoft USB Worm Hijacks Clipboards to Steal Cryptocurrency via Tor

Summary
– Microsoft Threat Intelligence discovered a new self-propagating malware that spreads via USB drives.
– The malware monitors the Windows clipboard for cryptocurrency wallet addresses and seed phrases to steal them.
– All stolen data is routed through a portable Tor client to evade detection.
– The campaign has been active since at least February 2026.
– Microsoft published an analysis of the malware, which targets cryptocurrency theft.
Microsoft Threat Intelligence has uncovered a novel piece of self-replicating malware that spreads via USB drives, secretly monitors the Windows clipboard for cryptocurrency wallet addresses and seed phrases, and funnels all stolen data through a portable Tor client to evade detection. The campaign has been active since at least February 2026, as detailed in Microsoft’s latest security analysis.
This USB worm targets clipboard content, a common vector for cryptocurrency theft. When a user copies a wallet address or seed phrase, the malware swaps it with an attacker-controlled address, rerouting funds during transactions. The worm also logs clipboard history to steal sensitive data, then encrypts and transmits it over Tor for anonymity.
Microsoft notes that the malware uses a portable Tor client bundled within the executable, allowing it to communicate with command-and-control servers without requiring a system-wide Tor installation. This makes detection harder for traditional antivirus tools. The worm propagates by copying itself to any removable drive, leveraging autorun features to infect new machines.
The campaign is ongoing, and Microsoft urges users to disable autorun on USB devices, use hardware wallets for cryptocurrency storage, and verify clipboard contents before confirming transactions. The company also recommends keeping security software updated and monitoring for unusual network activity, especially Tor connections from non-browser processes.
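The recommendation to watch for Tor connections from non-browser processes can be turned into a simple triage rule. The sketch below is an added example, not code from Microsoft's analysis or from the original article. The log format, the relay list, the process names and the function name `flag_tor_connections` are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from pathlib import PureWindowsPath

# Assumption: processes expected to reach Tor (e.g. Tor Browser runs firefox.exe).
BROWSER_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe", "brave.exe"}
# Tor's default ORPort, DirPort and SOCKS ports; relays may use others (often 443).
TOR_DEFAULT_PORTS = {9001, 9030, 9050, 9150}
# Constructed stand-in for a relay list the defender maintains (documentation IPs).
TOR_RELAYS = {ipaddress.ip_address("198.51.100.23")}

# Constructed sample of process network events: time,image,dest_ip,dest_port
SAMPLE_LOG = r"""time,image,dest_ip,dest_port
2026-03-02T10:01:07,C:\Program Files\Mozilla Firefox\firefox.exe,198.51.100.23,9001
2026-03-02T10:02:11,E:\svc\helper.exe,198.51.100.23,443
2026-03-02T10:02:40,C:\Users\a\AppData\Local\Temp\helper.exe,127.0.0.1,9050
2026-03-02T10:03:00,C:\Windows\System32\svchost.exe,203.0.113.5,443
"""


def flag_tor_connections(log_text, relays=TOR_RELAYS, fixed_drives=("C:",)):
    """Return (time, image, reasons) for Tor-like traffic from non-browser processes."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        image = PureWindowsPath(row["image"])
        reasons = []
        if ipaddress.ip_address(row["dest_ip"]) in relays:
            reasons.append("known-relay")
        if int(row["dest_port"]) in TOR_DEFAULT_PORTS:
            reasons.append("tor-default-port")
        # Skip traffic that is not Tor-like, and Tor-like traffic from a browser.
        if not reasons or image.name.lower() in BROWSER_IMAGES:
            continue
        # An image running from outside the fixed drives (e.g. a USB stick) raises priority.
        if image.drive.upper() not in fixed_drives:
            reasons.append("image-off-fixed-drive")
        findings.append((row["time"], str(image), tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in flag_tor_connections(SAMPLE_LOG):
        print(finding)
```

Port matching alone is a weak signal because relays can listen on any port, so in practice the relay list carries most of the weight and the port check mainly catches a local SOCKS listener.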
(Source: The Next Web)




