Security researchers have uncovered a cryptocurrency-stealing malware campaign that spreads through infected USB drives and malicious Windows shortcut files. The operation targets cryptocurrency users by monitoring clipboard activity and replacing wallet addresses before victims complete transactions.

Microsoft researchers have tracked the campaign since February 2026. The malware combines worm-like propagation, clipboard theft, remote command execution, and Tor-based communications to evade detection and maintain access to infected systems.

Unlike many traditional cryptocurrency stealers, this threat does more than swap wallet addresses. The malware also captures screenshots, communicates through the Tor network, and allows attackers to execute additional commands on compromised devices.

Malicious Shortcut Files Drive Infections

The attack begins when users open malicious Windows shortcut files stored on infected USB devices. Those shortcut files appear legitimate but secretly launch scripts that install malware components on the victim’s computer.

Researchers say the malware deploys two primary components. One component focuses on propagation and infects additional USB drives. The second component steals cryptocurrency-related information and monitors clipboard activity.

The worm component helps the malware spread between systems that share removable storage devices. As users move infected USB drives between computers, the campaign gains new opportunities to compromise additional victims.

Malware Hijacks Cryptocurrency Transactions

After infecting a device, the malware continuously monitors the clipboard for cryptocurrency wallet addresses, seed phrases, private keys, and other valuable information.

When a victim copies a wallet address before sending funds, the malware can replace it with an attacker-controlled address. If the user fails to verify the destination address, the transaction sends cryptocurrency directly to the threat actor.

Researchers also observed screenshot collection and additional data theft capabilities. These functions provide attackers with visibility into victim activity and help them gather more information about compromised systems.

Tor Network Helps Attackers Hide Activity

The campaign uses a bundled Tor client to conceal communications between infected systems and command-and-control servers. The malware routes traffic through a local SOCKS5 proxy and connects to hidden services on the Tor network.

This approach makes infrastructure tracking more difficult and helps attackers avoid traditional network-based detection methods. Researchers noted that the malware relies heavily on script-based components and Windows Script Host functionality to carry out its operations.

By combining USB propagation, Tor communications, and cryptocurrency theft, the operators have created a flexible platform that can spread widely while remaining difficult to trace.

How Organizations Can Reduce Risk

Security teams should educate users about the risks associated with unknown USB devices and suspicious shortcut files. Organizations should also monitor systems for unusual script activity, unauthorized scheduled tasks, and unexpected Tor-related processes.

Researchers recommend scanning removable media before use and restricting access to untrusted USB devices whenever possible. Users who handle cryptocurrency should always verify wallet addresses before approving transactions.

Conclusion

The USB crypto malware campaign demonstrates how attackers continue to adapt older infection techniques for modern cybercrime. By combining malicious shortcut files, USB-based propagation, Tor communications, and clipboard theft, the malware creates multiple opportunities to steal cryptocurrency and compromise additional systems. Organizations and individual users should remain cautious when handling removable media and always verify cryptocurrency transactions before sending funds.


0 responses to “USB Crypto Malware Spreads Through Windows Shortcuts”