Microsoft Detects Self-Propagating USB Malware Crypto Clipper Targeting Cryptocurrency Credentials
Crypto Clipper does not rely on a traditional installer or exposed IP‑based command‑and‑control infrastructure. Instead, the malware deploys a portable Tor client and routes traffic through a local SOCKS5 proxy. When a USB drive containing a malicious .lnk (shortcut) file is inserted, the code checks whether the worm is already installed on the host. If not, it downloads the payload through the Tor proxy. To conceal its presence, the malware scans the USB drive and renames the .lnk files with similar names.
Microsoft highlighted that the worm’s clipboard‑monitoring capability is a key feature. By detecting patterns that match cryptocurrency wallet addresses or seed phrases, Crypto Clipper can capture sensitive data before it is used. The screenshots taken during the ten‑second window provide additional evidence of the victim’s activity. All captured credentials and images are sent over Tor, an overlay network that anonymises traffic by routing it through multiple volunteer‑run relays, making it difficult for network observers to link the source and destination.
Clipboard hijacking is a well‑known technique used by other clipper malware variants. Binance, for example, has warned that clipper malware can silently alter wallet addresses during transactions, leading to immediate loss of funds. Other security blogs have documented similar behaviour, noting that the malware can change the address you copy, thereby redirecting payments to an attacker’s wallet. These reports confirm that the clipboard‑based attack vector remains a persistent threat to cryptocurrency holders.
The lightweight backdoor nature of Crypto Clipper is notable. By combining data theft with remote code execution in a single, portable package, the worm can operate without leaving obvious network footprints. Its self‑propagating mechanism via USB drives mirrors other USB worms such as LitterDrifter, which have historically spread across multiple countries by exploiting removable media.
For the broader crypto ecosystem, Crypto Clipper represents a new vector of risk. Users who rely on USB drives for storage or transfer of wallets are now exposed to a threat that can silently harvest credentials and compromise transactions. The use of Tor and SOCKS5 further complicates detection and attribution, underscoring the need for heightened vigilance and the adoption of security best practices, such as disabling automatic execution of shortcuts and monitoring clipboard activity.
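The clipboard-monitoring mitigation mentioned above, and the address-substitution behaviour described earlier, can be checked with a small heuristic: a clipper replaces a copied wallet address with a different address of the same type within moments and without any user copy action. The following is an added defender-side example, not code from Microsoft or from the malware analysis; the `ClipEvent` structure, the `user_copy` flag (assumed to come from a keyboard hook that observes Ctrl+C) and the sample events are constructed for illustration, and the address patterns cover only common BTC and ETH formats.

```python
import re
from dataclasses import dataclass

# Wallet address patterns (constructed for this example; a real monitor would
# cover more chains and validate checksums rather than rely on regex alone).
WALLET_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text: str):
    """Return the wallet type whose pattern matches the clipboard text, or None."""
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None

@dataclass
class ClipEvent:
    ts: float        # seconds since the monitor started
    text: str        # clipboard content observed at that time
    user_copy: bool  # assumed signal: a user copy keystroke preceded this change

def detect_swaps(events, window=2.0):
    """Flag a clipboard change where a wallet address is replaced by a different
    address of the same type within `window` seconds and without a user copy.
    Returns (original_address, replacement_address, timestamp) tuples."""
    alerts = []
    prev = None
    for ev in events:
        kind = classify(ev.text)
        if prev is not None and kind is not None and kind == classify(prev.text):
            swapped = ev.text != prev.text and not ev.user_copy
            if swapped and ev.ts - prev.ts <= window:
                alerts.append((prev.text, ev.text, ev.ts))
        prev = ev
    return alerts

# Constructed clipboard timeline: one silent ETH substitution, then two
# legitimate user-initiated BTC copies that must not be flagged.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "meeting notes", True),
    ClipEvent(5.0, "0x" + "ab" * 20, True),     # user copies an ETH address
    ClipEvent(5.3, "0x" + "cd" * 20, False),    # replaced 0.3 s later, no user action
    ClipEvent(20.0, "bc1q" + "x" * 38, True),   # user copies a BTC address
    ClipEvent(30.0, "bc1q" + "y" * 38, True),   # user copies another BTC address
]

if __name__ == "__main__":
    for original, replacement, ts in detect_swaps(SAMPLE_EVENTS):
        print(f"t={ts}s: clipboard address swapped {original} -> {replacement}")
```

The heuristic only sees substitutions of addresses already on the clipboard; seed phrases and screenshot capture described in the report need separate monitoring.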
Microsoft is continuing to monitor the threat and has advised users to keep their systems updated and to be cautious when inserting unknown USB devices. The company has not yet released a patch or mitigation guide, but it has confirmed that the worm is actively spreading in the wild. As the threat landscape evolves, security teams and crypto users alike should remain alert to new clipper variants that exploit clipboard hijacking and USB propagation.