Microsoft discovers new lightweight backdoor that steals cryptocurrency via USB drives
At a glance:
- Microsoft identified a new self-propagating malware called Crypto Clipper that steals cryptocurrency credentials via USB drives.
- The worm monitors clipboards for wallet addresses or seed phrases, captures five screenshots over 10 seconds, and exfiltrates data through Tor using a SOCKS5 proxy.
- It spreads via .lnk files on USB drives, deploying a portable Tor client and naming files to evade detection.
How Crypto Clipper operates
When an infected USB drive is plugged into a Windows PC, the .lnk file executes code that first checks whether Crypto Clipper is already present on the host. If the malware is absent, it reaches out through a locally hosted SOCKS5 proxy to download the full payload from attacker-controlled servers over the Tor network. This approach avoids leaving a traditional installer or exposing an IP-based command-and-control server, making the threat harder to trace with conventional network logs.
Once active, the worm continuously scans the clipboard for strings that match known cryptocurrency wallet address formats or seed-phrase patterns. Upon detecting a match, Crypto Clipper captures five screenshots at one-second intervals over a ten-second window to gather visual confirmation of the transaction or wallet interface. Both the harvested credentials and the screenshot set are then packaged and transmitted through the same Tor-routed SOCKS5 channel to the attacker's hidden service.
Technical mechanisms and evasion tactics
Microsoft researchers noted that the malware bundles a portable Tor client, eliminating the need for a pre-installed Tor service on the victim machine. By routing all outbound traffic through a local SOCKS5 proxy that forwards to the Tor network, the worm obscures both the source and destination IP addresses, thwarting simple IP-based blocking. The same channel also gives the operators remote code execution, letting them run arbitrary commands on the infected host even though the campaign's aim remains financial.
To hinder forensic analysis, Crypto Clipper scans the infected USB drive and renames its .lnk lures to names that closely resemble legitimate files, making casual inspection less likely to reveal the malicious payload. The worm also checks for existing installations before re-downloading, which reduces redundant network traffic and lowers the chance of triggering security alerts tied to repeated downloads. These tactics together give the malware a lightweight footprint while maintaining persistence across multiple USB insertions.
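A defender-side check for the lure-naming tactic described above, added here as an example and not taken from the article or from Microsoft's guidance: given the file names found on a removable drive, it flags .lnk files that carry a second, document-like extension (shown as "report.pdf" when Explorer hides the .lnk suffix) or that share their displayed name with a real file or folder beside them. The decoy extension list and the sample drive listing are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Extensions a lure is likely to borrow (constructed assumption, not from the article).
DECOY_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".jpg", ".png", ".txt", ".mp4"}


def classify_lnk(name, siblings):
    """Return the lure indicators that apply to one .lnk file name.

    name     -- bare file name of the shortcut
    siblings -- lower-cased names of the other entries in the same folder
    """
    reasons = []
    p = PureWindowsPath(name)
    if p.suffix.lower() != ".lnk":
        return reasons
    stem = p.stem.lower()                      # "report.pdf" for "report.pdf.lnk"
    # 1. Double extension: the shortcut masquerades as a document or image.
    if PureWindowsPath(stem).suffix in DECOY_EXTENSIONS:
        reasons.append("double-extension")
    # 2. Shadowing: the shortcut's displayed name matches a real file or folder
    #    in the same directory ("report.lnk" beside "report.pdf").
    for s in siblings:
        sp = PureWindowsPath(s)
        if sp.suffix.lower() != ".lnk" and stem in (sp.name, sp.stem):
            reasons.append("shadows:" + s)
            break
    return reasons


def scan_listing(listing):
    """listing: drive-relative paths (files and folders). Returns {path: reasons}."""
    by_folder = {}
    for rel in listing:
        p = PureWindowsPath(rel)
        by_folder.setdefault(str(p.parent), []).append(p.name)
    findings = {}
    for folder, names in by_folder.items():
        lowered = {n.lower() for n in names}
        for n in names:
            if n.lower().endswith(".lnk"):
                reasons = classify_lnk(n, lowered - {n.lower()})
                if reasons:
                    findings[str(PureWindowsPath(folder, n))] = reasons
    return findings


# Constructed sample listing of a USB drive; "holiday" is a folder.
SAMPLE_LISTING = ["report.pdf", "report.pdf.lnk", "holiday", "holiday.lnk",
                  "notes.txt", "tools\\cleanup.lnk", "tools\\7zip.exe"]

if __name__ == "__main__":
    for path, why in scan_listing(SAMPLE_LISTING).items():
        print(path, "->", ", ".join(why))
```

The plain shortcut "tools\cleanup.lnk" has no matching file and is not flagged, so the heuristic should be read as a triage aid for removable-media scans rather than a verdict on its own.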
Implications and mitigation
The emergence of Crypto Clipper highlights a growing trend where financially motivated malware leverages anonymity networks to steal digital assets without relying on conspicuous infrastructure. Users who frequently transfer cryptocurrency via USB-stored wallet files or who copy-paste addresses are particularly exposed, as the worm can harvest credentials silently. Microsoft's Threat Intelligence team identified the worm through telemetry from Windows Defender ATP, prompting the issuance of detection signatures and guidance for enterprise customers.
Administrators are advised to block autorun execution of .lnk files from removable media, enforce USB device control policies, and monitor for outbound Tor connections originating from internal networks. End-users should consider using hardware wallets that never expose private keys to the host clipboard and enable clipboard-clearing utilities after crypto transactions. Microsoft indicates that it will continue to track variants that may incorporate additional evasion layers, such as encrypted payloads or peer-to-peer distribution mechanisms.
Prepared by the editorial stack from public data and external sources.