USB-spread crypto clipper steals wallet seeds, installs Tor

Microsoft warns of a USB-spread crypto clipper that steals clipboard wallet keys and BIP39 seed phrases, substitutes copied addresses, captures frequent screenshots and installs Tor.
Microsoft Threat Intelligence warned of a USB-spread cryptocurrency clipper that targets Windows machines and has been active since February. The malware spreads when users plug infected removable drives into a computer and is designed to steal wallet credentials and divert funds.
The malware hides real files on the USB drive and replaces them with lookalike shortcut files so victims run the malicious code by mistake. A worm component copies the infection to any attached removable drives. The operators drop two obfuscated JavaScript payloads into the user’s Documents folder and create scheduled tasks to run both the worm and the stealer automatically.
The clipper focuses on clipboard data that contains high-value financial artifacts, including BIP39 mnemonic seed phrases and private keys for Bitcoin and Ethereum. When a user copies a wallet address, the malware can substitute the copied value with an attacker-controlled address for Bitcoin, Tron and Monero. The program also takes screenshots every ten seconds to capture context around victim activity.
To mask its communications, the malware installs a copy of Tor under the filename ugate.exe and uses Tor hidden services for command-and-control. Microsoft noted the threat does not rely on a standard installer or exposed IP-based infrastructure; operators use anonymized communications and scheduled tasking to manage compromised devices.
The malware functions as a backdoor that can receive and execute arbitrary code, enabling operators to maintain control and deploy further payloads on infected systems. Microsoft Defender Antivirus detects the threat as Trojan:Win32/CryptoBandits.A.
Microsoft recommended defensive steps including disabling autorun/autoplay for removable media, blocking execution of .lnk shortcut files from USB drives, and monitoring for unexpected proxy activity and for scripting processes spawned from user folders or removable devices. Organizations and users who handle cryptocurrency wallets should treat removable media as untrusted and keep endpoint protections up to date.
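One way to turn the monitoring advice above into hunting logic over process-creation telemetry: flag script hosts launched with a script from a user folder or a removable drive, scheduled tasks that persist such a script, and a process carrying the ugate.exe filename the report attributes to the dropped Tor copy. This is an added Python example, not code from Microsoft or the article; the events are constructed, and treating every drive other than C: as removable is an assumption.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SYSTEM_DRIVE = "C:"  # assumption: any other drive letter is treated as removable media
USER_FOLDER_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
# a Windows path ending in a script extension, quoted or not
SCRIPT_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:js|vbs|ps1|hta))(?=["\s]|$)', re.IGNORECASE)

@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str

def untrusted_location(path: str) -> bool:
    """True when the path is under a user profile (e.g. Documents) or on a non-system drive."""
    return bool(USER_FOLDER_RE.match(path)) or not path.upper().startswith(SYSTEM_DRIVE)

def classify(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event matches the hunting rules (empty list if benign)."""
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    scripts = SCRIPT_PATH_RE.findall(ev.command_line)
    from_untrusted = any(untrusted_location(s) for s in scripts)
    reasons = []
    if exe in SCRIPT_HOSTS and from_untrusted:
        reasons.append("script host running code from a user folder or removable drive")
    if exe == "schtasks.exe" and "/create" in ev.command_line.lower() and from_untrusted:
        reasons.append("scheduled task persisting a script from a user folder or removable drive")
    if exe == "ugate.exe":  # filename Microsoft reported for the dropped Tor binary
        reasons.append("process named ugate.exe")
    return reasons

def hunt(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    return [(ev, r) for ev in events if (r := classify(ev))]

# Constructed sample telemetry, not real Microsoft or Sysmon data.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\alice\Documents\update.js"'),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /tn Sync /tr "wscript.exe C:\Users\alice\Documents\worm.js" /sc minute'),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r'wscript.exe "E:\Photos\Photos.js"'),
    ProcessEvent(r"C:\Users\alice\AppData\Roaming\ugate.exe", "ugate.exe"),
    ProcessEvent(r"C:\Windows\System32\cscript.exe", r'cscript.exe "C:\Program Files\Vendor\maint.vbs"'),
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev.image, "->", "; ".join(reasons))
```

The last sample event is the benign control: a vendor script under Program Files on the system drive produces no reasons, so the rules key on location rather than on the script host alone.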
Security teams have reported a broader increase in Windows-targeting crypto stealers in 2026, with multiple strains identified that target browser extensions and wallet software.