Microsoft Threat Intelligence reports that a new USB-based worm, tracked as Trojan:Win32/CryptoBandits.A, has been actively hijacking Windows clipboards to steal cryptocurrency since February 2026. The malware spreads via removable drives, uses a portable Tor client to hide command-and-control traffic, and replaces copied wallet addresses with attacker-controlled strings to divert funds.
How the USB Worm Hijacks Crypto Transactions
The malware operates by monitoring the Windows clipboard every 500 milliseconds, according to Microsoft. When a user copies a cryptocurrency wallet address, the malware identifies the format and silently swaps it for an address owned by the attacker. This technique ensures that when a user pastes an address to send funds, the transaction is routed to a malicious wallet instead of the intended recipient.
Beyond simple address swapping, the worm scans for high-value assets, including BIP39 seed phrases, Ethereum private keys, and Bitcoin Wallet Import Format (WIF) keys. Microsoft notes that successfully capturing these keys grants attackers full, permanent control over a victim’s entire wallet, rather than just redirecting a single transaction.
Why Tor-Based C2 Infrastructure Resists Takedowns
Unlike traditional malware that relies on static IP addresses or domain names, CryptoBandits.A routes all communications through a portable Tor client, specifically using the .onion network. Microsoft reports that this move significantly complicates security efforts, as the command-and-control (C2) infrastructure is not tied to any single registrar or hosting provider that authorities can easily compel to shut down.

The malware uses three endpoint paths on its C2 server for its operations:
- /route.php: Used for initial system check-ins.
- /recvf.php: Handles the upload of stolen files and screenshots.
- /stub.php: Allows operators to download additional malicious payloads.
The Return of USB-Borne Threats
While cloud storage and collaboration tools have reduced the reliance on physical media, USB-borne malware remains a persistent threat by exploiting routine human behaviors. Microsoft analysts observed that the malware disguises itself by hiding original document files and replacing them with .lnk (shortcut) files that bear the same names. When a user opens these shortcuts, the malware executes in the background.
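A defender-side scan for that disguise pattern, added here as an example and not taken from Microsoft's report: it walks a drive for .lnk files whose name matches a hidden document sitting beside them. The document-extension list is an assumption, and the sample drive is constructed; on POSIX the Windows Hidden attribute cannot be set, so the demo simulates it with a predicate.

```python
import stat
import tempfile
from pathlib import Path
from typing import Callable

# Document types a decoy shortcut is likely to impersonate (assumed list, extend as needed).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}


def is_hidden(path: Path) -> bool:
    """True if the file carries the Windows Hidden attribute (or is a dot-file on POSIX)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x02):
        return True
    return path.name.startswith(".")


def find_lnk_decoys(root: Path, hidden: Callable[[Path], bool] = is_hidden) -> list[tuple[str, str]]:
    """Return (shortcut, hidden original) pairs: a .lnk named like a hidden document next to it."""
    hits = []
    for lnk in sorted(root.rglob("*.lnk")):
        stem = lnk.stem  # "report.docx.lnk" -> "report.docx"; "budget.lnk" -> "budget"
        for sibling in lnk.parent.iterdir():
            if sibling == lnk or sibling.suffix.lower() == ".lnk" or not sibling.is_file():
                continue
            same_name = sibling.name == stem or sibling.stem == stem
            if same_name and sibling.suffix.lower() in DOC_EXTS and hidden(sibling):
                hits.append((lnk.name, sibling.name))
    return hits


def demo() -> list[tuple[str, str]]:
    """Constructed sample drive: two originals 'hidden' by the worm, one benign shortcut."""
    with tempfile.TemporaryDirectory(prefix="usb_scan_") as tmp:
        root = Path(tmp)
        for name in ("report.docx", "report.docx.lnk", "budget.xlsx",
                     "budget.lnk", "notes.txt", "readme.lnk"):
            (root / name).write_bytes(b"x")
        hidden_by_malware = {"report.docx", "budget.xlsx"}  # constructed: simulated Hidden attribute
        return find_lnk_decoys(root, hidden=lambda p: p.name in hidden_by_malware)


if __name__ == "__main__":
    for shortcut, original in demo():
        print(f"suspicious: {shortcut} shadows hidden {original}")
```

On a real removable drive call `find_lnk_decoys(Path("E:\\"))` with the default `is_hidden`; a non-empty result is worth quarantining the drive before anyone opens a shortcut.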
This method mirrors older, “classic” worm behavior, but with modern evasion techniques. The initial installer is a Python-based executable obfuscated with PyArmor and packaged with PyInstaller, which makes static analysis by security software more difficult. To further evade detection, the malware includes a check that terminates its process if it detects the Windows Task Manager running.
How to Protect Your Systems
Microsoft recommends several defensive measures to mitigate the risk of infection. Disabling AutoRun and AutoPlay on Windows machines is the most effective way to prevent the malware from executing the moment a drive is plugged in. Additionally, security teams can configure Group Policy to block .lnk files from running on removable media.
For enterprise environments, connections to localhost on port 9050 are a primary indicator of an active infection, as this is the port used by the malware’s portable Tor client. Microsoft has provided KQL hunting queries and SHA-256 indicators of compromise in its official threat report to assist security teams in identifying existing breaches.
Frequently Asked Questions
What happens if I open an infected USB shortcut?
Opening an infected .lnk file triggers a script that executes the malware payload, hides your original files, and initiates a persistent scan of your clipboard for sensitive financial information.

Can antivirus software detect this malware?
Yes, Microsoft confirms that Microsoft Defender currently detects this malware family. Users should ensure their security definitions are updated to the latest versions.
Is my entire computer at risk?
Yes. The malware includes an “EVAL” command that allows attackers to push and execute arbitrary code, effectively turning the infection into a general-purpose remote access tool.
