Key Takeaways
- Security researchers at Microsoft have uncovered a malicious campaign leveraging infected USB storage devices to distribute crypto-targeting malware beginning in February 2026
- The threat, classified as Trojan:Win32/CryptoBandits, constantly monitors clipboard activity approximately twice per second
- The malicious software exfiltrates cryptocurrency wallet recovery phrases and authentication keys through anonymous Tor connections
- Victims copying wallet addresses unknowingly paste attacker-controlled addresses instead, redirecting their cryptocurrency transactions
- Security measures include disabling automatic USB execution and implementing .lnk file restrictions through policy controls
Microsoft’s security division has uncovered a sophisticated malware operation that exploits USB storage devices to compromise cryptocurrency wallets on Windows systems. The campaign has been operational since February 2026.
Researchers have designated this threat as a “crypto clipper,” with Microsoft Defender Antivirus identifying it under the classification Trojan:Win32/CryptoBandits. The technology giant published its findings in a comprehensive security advisory earlier this week.
The infection sequence initiates when an unsuspecting individual connects a compromised USB device to their system. The storage medium harbors a deceptive shortcut file bearing the “.lnk” extension. Activating this file triggers the deployment of a self-replicating worm.
Once installed, the malware does two things at once: it begins harvesting cryptocurrency wallet credentials from the clipboard, and it watches for clean USB devices so that it can copy itself onto them the moment they are connected.
Clipboard Monitoring Mechanism Explained
The malware polls the Windows clipboard roughly every 500 milliseconds, about twice a second. The clipboard is the temporary buffer that holds whatever the user last copied, so anything copied for even a moment is visible to the poller.
When victims copy sensitive information such as wallet recovery phrases or authentication keys for Bitcoin or Ethereum accounts, the malware immediately intercepts this data. Subsequently, it transmits the stolen credentials to remote servers operated by threat actors via the Tor anonymity network.
Additionally, the malware captures five sequential screenshots at ten-second intervals, forwarding these visual records to the attackers’ infrastructure.
The threat extends beyond credential theft. When users copy cryptocurrency wallet addresses for transaction purposes, the worm performs a silent substitution, replacing the legitimate address with one under attacker control. Victims inadvertently paste the fraudulent address, redirecting their digital assets to cybercriminals.
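The two clipboard behaviours described above, pattern-matching a copied wallet address and swapping it, and the check a defender can run against them, as an added example that is not part of Microsoft's advisory or the malware's own code. The clipboard is an in-memory stand-in so the script runs offline; the address regexes are syntactic only, and the sample addresses and attacker wallets are constructed, not real.

```python
import re
import time
from typing import Callable, Dict, Optional

# Address shapes for the two chains the advisory names. These are syntactic
# checks only (no checksum validation), which is all a clipper needs to decide
# whether a clipboard string is worth swapping.
ADDRESS_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # Bitcoin legacy P2PKH/P2SH: Base58 alphabet, starts with 1 or 3
    "btc_base58": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    # Bitcoin bech32 (SegWit): lowercase bech32 alphabet, starts with bc1
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    # Ethereum: 0x followed by 40 hex digits
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family of `text`, or None if it is not a wallet address."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return family
    return None


class FakeClipboard:
    """In-memory stand-in for the Windows clipboard (constructed for this example).
    On a real host you would read and write the clipboard with pyperclip or
    PowerShell's Get-Clipboard / Set-Clipboard instead."""

    def __init__(self) -> None:
        self._text = ""

    def get(self) -> str:
        return self._text

    def set(self, text: str) -> None:
        self._text = text


def clipper_tick(clipboard: FakeClipboard, attacker_addresses: Dict[str, str]) -> bool:
    """One poll of a crypto clipper: if the clipboard holds a wallet address of a
    family the attacker has a wallet for, overwrite it. Returns True on a swap."""
    current = clipboard.get()
    family = classify_address(current)
    if family is None or family not in attacker_addresses:
        return False
    replacement = attacker_addresses[family]
    if current.strip() == replacement:
        return False  # already swapped; do not churn the clipboard
    clipboard.set(replacement)
    return True


def clipboard_canary(clipboard: FakeClipboard, known_address: str,
                     settle_seconds: float = 1.5,
                     background: Optional[Callable[[], None]] = None) -> bool:
    """Defender-side check: copy an address you control, wait longer than the
    clipper's poll interval, and read it back. Any change means something on the
    host rewrote the clipboard. `background` stands in for the running clipper in
    this offline simulation; on a real host leave it None and just wait."""
    clipboard.set(known_address)
    if background is not None:
        background()
    else:
        time.sleep(settle_seconds)
    return clipboard.get() == known_address


# Constructed, syntactically valid-looking addresses; they are not real wallets.
VICTIM_ETH = "0x" + "ab" * 20
ATTACKER_WALLETS = {
    "eth": "0x" + "cd" * 20,
    "btc_bech32": "bc1q" + "qpzry9x8gf2tvdw0s3jn54khce6mua7l" + "qqqqqq",
}


def simulate_infected_host() -> bool:
    """Canary result on a host where the clipper is running: False (tampered)."""
    clip = FakeClipboard()
    return clipboard_canary(clip, VICTIM_ETH,
                            background=lambda: clipper_tick(clip, ATTACKER_WALLETS))


def simulate_clean_host() -> bool:
    """Canary result on a clean host: True (clipboard unchanged)."""
    clip = FakeClipboard()
    return clipboard_canary(clip, VICTIM_ETH, background=lambda: None)


if __name__ == "__main__":
    print("infected host canary intact:", simulate_infected_host())  # False
    print("clean host canary intact:", simulate_clean_host())        # True
```

The canary is the part worth keeping: because the clipper polls at a fixed interval, a known value that does not survive a pause longer than that interval is direct evidence of tampering, independent of which addresses the attacker targets.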
Propagation Methods and Defense Strategies
As soon as a clean USB device is connected to an infected system, the worm copies itself to the drive. It enumerates the drive's legitimate files, including Word documents, Excel spreadsheets and PDFs, and replaces each of them with a shortcut file carrying the same name, so the drive still appears to hold the user's documents while every one of those shortcuts now launches the worm. The newly infected device then carries the malware to any other system it is plugged into.
Microsoft’s security team has outlined several defensive measures. Organizations should disable AutoRun for removable media (on Windows, the policy value NoDriveTypeAutoRun under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, set to 0xFF, covers every drive type) and block execution of .lnk files from USB devices through application control policies. Note that supported Windows versions already do not AutoRun non-optical removable media, so this infection depends on a user opening the lure shortcut; blocking .lnk execution from removable drives is the control that actually breaks the chain.
Additional recommendations include restricting the Windows Script Host interpreters, wscript.exe and cscript.exe, on endpoints that have no business running scripts. Microsoft Defender customers can use threat hunting queries to find suspicious activity, in particular processes connecting to a local Tor SOCKS proxy on port 9050. That port is the default for a standalone tor client, while Tor Browser’s bundled tor listens on 9150, so on a managed endpoint a loopback connection to 9050 deserves a closer look.
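The hunting idea above, a process on the endpoint talking to loopback port 9050, worked through over sample telemetry, as an added example rather than one of Microsoft's published queries. The records are constructed and loosely shaped after the DeviceNetworkEvents schema; the allowlist of processes expected to use a local Tor proxy is an assumption to tune per estate.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List

# Default SOCKS port of a standalone tor client. Tor Browser's bundled tor
# listens on 9150 instead, so a process reaching 9050 on loopback is usually
# not the browser.
TOR_SOCKS_PORT = 9050
LOOPBACK = {"127.0.0.1", "::1"}

# Processes you expect to reach a local Tor proxy in your estate. This allowlist
# is an assumption for the example; tune it to what is actually deployed.
EXPECTED_TOR_CLIENTS = {"tor.exe", "firefox.exe"}

# Constructed sample records, loosely shaped after the DeviceNetworkEvents
# schema (one JSON object per line). Not real telemetry.
SAMPLE_EVENTS = """
{"Timestamp": "2026-03-02T09:14:05Z", "DeviceName": "ws-0142", "ActionType": "ConnectionSuccess", "RemoteIP": "127.0.0.1", "RemotePort": 9050, "InitiatingProcessFileName": "wscript.exe"}
{"Timestamp": "2026-03-02T09:14:06Z", "DeviceName": "ws-0142", "ActionType": "ConnectionSuccess", "RemoteIP": "127.0.0.1", "RemotePort": 9050, "InitiatingProcessFileName": "wscript.exe"}
{"Timestamp": "2026-03-02T09:15:11Z", "DeviceName": "ws-0142", "ActionType": "ConnectionSuccess", "RemoteIP": "203.0.113.10", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"}
{"Timestamp": "2026-03-02T10:02:40Z", "DeviceName": "ws-0207", "ActionType": "ConnectionSuccess", "RemoteIP": "127.0.0.1", "RemotePort": 9050, "InitiatingProcessFileName": "firefox.exe"}
{"Timestamp": "2026-03-02T10:03:02Z", "DeviceName": "ws-0207", "ActionType": "ConnectionRequest", "RemoteIP": "::1", "RemotePort": 9050, "InitiatingProcessFileName": "cscript.exe"}
{"Timestamp": "2026-03-02T11:41:19Z", "DeviceName": "ws-0301", "ActionType": "ConnectionFailed", "RemoteIP": "127.0.0.1", "RemotePort": 9050, "InitiatingProcessFileName": "powershell.exe"}
{"Timestamp": "2026-03-02T11:41:20Z", "DeviceName": "ws-0301", "ActionType": "ConnectionSuccess", "RemoteIP": "127.0.0.1", "RemotePort": 9150, "InitiatingProcessFileName": "firefox.exe"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_local_tor_proxy_connection(event: dict) -> bool:
    """True for any connection attempt (successful or not) to loopback:9050.
    A failed attempt still shows a process trying to reach a Tor proxy."""
    return (str(event.get("ActionType", "")).startswith("Connection")
            and event.get("RemoteIP") in LOOPBACK
            and int(event.get("RemotePort", 0)) == TOR_SOCKS_PORT)


def hunt_tor_proxy_clients(events: Iterable[dict],
                           expected: Iterable[str] = EXPECTED_TOR_CLIENTS) -> List[dict]:
    """Return the events where an unexpected process reached for the local Tor proxy."""
    expected_lower = {name.lower() for name in expected}
    hits = []
    for event in events:
        if not is_local_tor_proxy_connection(event):
            continue
        process = str(event.get("InitiatingProcessFileName", "")).lower()
        if process in expected_lower:
            continue
        hits.append({"time": event["Timestamp"], "device": event["DeviceName"],
                     "process": process, "action": event["ActionType"]})
    return hits


def summarize_by_device(hits: Iterable[dict]) -> Dict[str, int]:
    """Count hits per device/process pair, the shape you would triage from."""
    return dict(Counter(f'{h["device"]}|{h["process"]}' for h in hits))


# Equivalent Advanced Hunting query for Microsoft Defender (column names from the
# DeviceNetworkEvents schema; the allowlist is the same assumption as above):
#   DeviceNetworkEvents
#   | where RemotePort == 9050 and RemoteIP in ("127.0.0.1", "::1")
#   | where InitiatingProcessFileName !in~ ("tor.exe", "firefox.exe")
#   | summarize Attempts = count() by DeviceName, InitiatingProcessFileName

if __name__ == "__main__":
    hits = hunt_tor_proxy_clients(parse_events(SAMPLE_EVENTS))
    for device_process, count in sorted(summarize_by_device(hits).items()):
        print(f"{device_process}: {count} connection(s) to loopback:9050")
```

On the sample data this surfaces wscript.exe twice on one workstation, cscript.exe on another and a failed attempt from powershell.exe on a third, while the firefox.exe connections are dropped by the allowlist or by not being port 9050. The script-host hits are the ones to correlate with the .lnk-from-removable-drive activity the advisory describes.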
Microsoft has released comprehensive indicators of compromise documentation. This intelligence package encompasses cryptographic file hashes and .onion domain addresses functioning as command-and-control infrastructure, enabling enterprise security operations to audit their environments.
Cryptocurrency platform Binance independently validated the threat, disseminating Microsoft’s security advisory to its user base. Cybersecurity organization NS3.AI has verified active compromises affecting users since the February 2026 timeframe.